Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

Zone-Based Firewall (ZBFW) and IPv6 Tunnel -- Anyone get it working?

Started by OnSiteIPv6, August 15, 2011, 03:56:04 AM


OnSiteIPv6

Hello,

If I take the generic / template config provided by HE.Net, my lab router can connect to HE, and I can ping across the tunnel, and life is good.

However, we use Cisco's IOS Zone-Based Firewall (ZBFW), and I have been trying for months to get IPv6 traffic flowing across the tunnel in our lab.  The tunnel shows up/up, and from ACL counters, I see protocol 41 going in both directions.  I've tried putting both the IPv6 Tunnel and the physical outgoing interface in the same "outside" zone, and also tried putting each in their own zone...both are solutions I've located in the Cisco Support Discussion Forums.  I'm currently testing this with each in their own zone (Physical is just IPv4 passing Protocol 41, and IPv6 Tunnel is permitting all IPv6 traffic).

When I try to do an IPv6 ping, I see the ICMPs go out, but when they come back, they are dropped and logged in syslog messages...but not from the IPv6 tunnel, as I'd expect, but rather the physical-to-self zone which is solely IPv4.  I've tried permitting IPv6 any any on that zone, but same thing...  I can't understand why the IPv6 traffic isn't showing up as being in the IPv6 Tunnel.

So, I'm wondering if ANYONE has been able to connect to HE.Net TunnelBroker using a Cisco Router that is being protected by Cisco's IOS Zone-Based Firewall?  I am running 15.1(4)M1 on a 3845 router.

If anyone has been able to establish the tunnel with HE via a ZBFW setup, I'd sincerely like to chat with you to understand what you did to get yours working.   

Thank you in advance.

Sincerely,

OnSiteIPv6

PS> Given the size of the configuration, and details therein, I can't post it here.

antillie

Honestly it will be pretty difficult to try and figure out what's wrong without a sanitized config to look at. However, your statement that the drop is occurring at the physical-to-self zone sounds like the router might be dropping the traffic instead of making a routing decision after the 6in4 header has been removed from the original ping packet. As if "ipv6 unicast-routing" wasn't in the config.

I haven't worked with the IOS ZBFW much so I'm not sure exactly how it handles routing between zones as compared to a Cisco ASA. I can post the config of my 2621xm if you like as a working example but it isn't using the ZBFW so it might not be of much help. (I let a Cisco ASA do all the firewall work instead of the router.)

jfktech

I have been running ZBF since it was introduced in 12.4, and am running ZBF for IPv6 since it was supported in 15.1. If you post your running-config and what IOS version you're running, I can help you take a look at it.

AndrewButterworth

I'd be interested to see your ZBFW configuration as I have been struggling with this for a while and I keep coming back to it.  I have 'legacy' IPv4 firewalling configured (IP inspect) with the holes poked through to allow the HE tunnel to work - IP protocol 41 to/from 216.66.84.42 and ICMP to/from 66.220.2.74.  I also have legacy IPv6 firewalling configured on my tunnel interface to HE.  All this seems to work OK.  I have made a couple of attempts to get ZBFW working and each time I end up reverting back.
I can get outbound & inbound IPv4 services working (although I had issues with SIP?), as well as traffic to the 'self' zone from the Inside and some success from the Outside to Self (I have RA IPSec VPN so allow ESP, AH, ISAKMP (UDP/500 + UDP/4500 for NAT-T), and UDP 1701 for L2TP; I also have inbound SMTP and these all worked).  However I had problems with getting the HE tunnel to work - it seemed to be intermittent so wasn't sure whether it was the ZBFW configuration between Self and Outside or between Inside and the Tunnel?

Andy
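As an added illustration, not a configuration posted by anyone in this thread, here is the zone layout OnSiteIPv6 describes (tunnel and physical uplink in separate zones) with the protocol-41 hole Andy mentions restricted to the HE endpoint 216.66.84.42, and with the `ipv6 unicast-routing` line antillie suspects is missing. The zone, class-map and policy names and the GigabitEthernet interface numbers are assumptions.

```cisco
! Zones: physical uplink, the 6in4 tunnel, and the LAN (names assumed)
zone security OUTSIDE
zone security TUNNEL
zone security INSIDE
!
! Carrier traffic: IP protocol 41 only to/from the HE tunnel server
ip access-list extended HE-6IN4
 permit 41 host 216.66.84.42 any
 permit 41 any host 216.66.84.42
class-map type inspect match-all CM-6IN4
 match access-group name HE-6IN4
policy-map type inspect PM-6IN4
 class type inspect CM-6IN4
  pass
 class class-default
  drop log
! The router terminates the tunnel, so the carrier packets are to/from self
zone-pair security OUT-TO-SELF source OUTSIDE destination self
 service-policy type inspect PM-6IN4
zone-pair security SELF-TO-OUT source self destination OUTSIDE
 service-policy type inspect PM-6IN4
!
! Decapsulated IPv6 from the LAN towards the tunnel: stateful inspection
class-map type inspect match-any CM-V6-OUT
 match protocol tcp
 match protocol udp
 match protocol icmp
policy-map type inspect PM-V6-OUT
 class type inspect CM-V6-OUT
  inspect
 class class-default
  drop log
zone-pair security IN-TO-TUN source INSIDE destination TUNNEL
 service-policy type inspect PM-V6-OUT
!
! Without this the router will not forward IPv6 at all
ipv6 unicast-routing
interface GigabitEthernet0/0
 zone-member security OUTSIDE
interface Tunnel0
 tunnel mode ipv6ip
 tunnel source GigabitEthernet0/0
 tunnel destination 216.66.84.42
 zone-member security TUNNEL
interface GigabitEthernet0/1
 zone-member security INSIDE
```

Pings sourced from the router itself over the tunnel traverse TUNNEL-to-self and self-to-TUNNEL, which this fragment does not pair, so a router-originated test ping needs its own zone-pairs before the `drop log` entries can be read as a tunnel problem.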