Pix Firewall and IPv6

Started by UltraZero, July 01, 2011, 06:47:27 PM


UltraZero

Hi guys and gals.  This is an old topic, but I just want to kind of get back to it since I needed to move on
and now I have time to go back to it.

I basically did the following.

started the box.
gave it a name
created interface 0 outside security level 0
           interface 1 inside   security level 100
           interface 2 dmz     security level 50

I gave each interface an ip address
issued a few access lists to allow traffic
I am using routing protocol EIGRP
clear arp

IPv4 works fine



Now, I did the same for IPv6 but, the following Items I ran into.
1.  There are no routing protocols for IPv6.
2.  Every time I try to create a manual route from one interface to go outbound, I get an error
that tells me I cannot route through myself.

I have never been able to get this unit to work with IPv6.  IOS is 8.03. There are no IPv6 additions to the GUI.
I am thinking about putting the firewall back online because I think the firewall is decent since I own it.   No expense if I can get it to work. ::) ::)

Any suggestions?  (No suggestions to throw the box away. The throughput of the box is faster than a 5510.)



cholzhauer

I was always told the PIX didn't support IPv6.

There are others on this site that swear it does.


desc

Hi.

Actually the PIX does support IPv6. But not under all circumstances.
The PIX has to have a software version of 7 or higher.
So IPv6 does not work on the low-cost PIX models like 501 or 506(e).
They have (AFAIR) a version of 6.x.

As far as I remember, the PIX does not have a dynamic routing mechanism.
Only default route and static routes are supported.

Also the IPv6 features for the PIX firewalls are only available on the command line.
IPv6 settings on the GUI are only available on the newer product called "ASA firewall".

Please have a look at the command reference from Cisco for the PIX firewalls:
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/asa80cfg.pdf
(especially chapter 13-5 - Configuring IPv6 Default and Static Routes)

UltraZero: Can you paste the command you try to enter?

UltraZero

Hi.  I think I mentioned the GUI for any version of the PIX isn't supported.
I guess I would like to know if anyone either has a PIX or an ASA, can someone post a sample
manual config line in order to route IPv6 from the internal interface to the outside interface and from
DMZ to outside, and what about the return data as well (data coming in going to the inside/DMZ interface)?

Every time I try this, I get an error stating I cannot route through myself.

thanks

Other than paying more for the ASA and getting a pizza box, I think the newer ASAs are basically the same piece of equipment
as the PIX other than having GUI support for IPv6.  I don't think the ASA supports routing protocols. Maybe I'm wrong.  I know it's not
a router, but it would surely make things easier when trying to connect to it.

I'd like to put the PIX back online instead of the router that I have in its place.  Besides that, the PIX gives me more monitoring ability of what's coming in,
and the load when I am transferring data from server to server so I don't kill the network while trying to watch a YouTube video.  LOL

cholzhauer

You don't need a route to route between directly connected interfaces... The only thing you need a route for is a default route or to route a subnet that doesn't have an address on your PIX.

UltraZero

Example.

                          INTERNET
                                |192.168.7.0
                            ROUTER
                                |192.168.8.0
192.168.110.0DMZ-----PIX------DMZ2 192.168.100.0
                                |
                       192.168.120.0
                                |
  192.168.40.0------ROUTER------192.168.50.0                               
  192.168.60.0------/    |   \------192.168.70.0
                                 | 192.168.15.0
                             ROUTER
                                 |
                                 | TRUNK LINK (20 VLANS)192.168.110.0 - 192.168.30.0
                             SWITCH (48 PORTS)
                             SWITCH (48 PORTS)
                             SWITCH (48 PORTS)

ALL SWITCHES ARE TRUNKED TOGETHER VIA FIBER.

FROM ANYWHERE IN THE NETWORK, I CAN CURRENTLY MOVE DATA FROM ANYWHERE TO ANYWHERE
WITHOUT THE PIX.  ANOTHER ROUTER IS CURRENTLY IN ITS PLACE.

When I put the PIX back into place, I can only move IPv4 data.

What would you suggest (example) as a routing config to move data to and from the internet and to and from the switch to, for example, DMZ2?

cholzhauer

The bottom trunk link confused me, but what about this?

                INTERNET
                                |2001:db8:1234:0::/64
                            ROUTER
                                |2001:db8:1234:1::/64
2001:db8:1234:2::/64DMZ-----PIX------DMZ2 2001:db8:1234:3::/64
                                |
                       2001:db8:1234:4::/64
                                |
  2001:db8:1234:5::/64------ROUTER------2001:db8:1234:6::/64                             
  2001:db8:1234:7::/64------/    |   \------2001:db8:1234:8::/64
                                 | 2001:db8:1234:9::/64
                             ROUTER
                                 |
                                 | TRUNK LINK (20 VLANS)2001:db8:1234:10::/64 - 2001:db8:1234:20::/64

UltraZero

Duhhhh.....

Sorry.  Still got my head in IPv4.

Thanks for the correction.  (IPv4 works)

yes.  Looks right.
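Putting desc's point (PIX 7.x/8.x, CLI only, static routes only) and cholzhauer's point (no routes for connected subnets, only a default route and routes for subnets that live behind another router) together with cholzhauer's addressing plan, here is a sample PIX 8.0 IPv6 configuration. This is an added example, not a config from anyone in the thread and not Cisco's own documentation. Everything in it is assumed: the interface names Ethernet0/1/2, the PIX's own addresses (::1 on inside and dmz, ::2 on the outside link), the upstream router at 2001:db8:1234:1::1, the inside router at 2001:db8:1234:4::2, a DMZ web server at 2001:db8:1234:2::10, and the mapping of the DMZ prefix from the second diagram onto the single "dmz" interface from the first post.

```cisco
! --- Interfaces: one global IPv6 address per interface (link-local is auto-assigned) ---
interface Ethernet0
 nameif outside
 security-level 0
 ipv6 address 2001:db8:1234:1::2/64
 ipv6 enable
 ipv6 nd suppress-ra
!
interface Ethernet1
 nameif inside
 security-level 100
 ipv6 address 2001:db8:1234:4::1/64
 ipv6 enable
!
interface Ethernet2
 nameif dmz
 security-level 50
 ipv6 address 2001:db8:1234:2::1/64
 ipv6 enable
!
! --- Routing ---
! Connected /64s (1::, 2::, 4::) get NO route: the PIX reaches them through its
! own interface addresses. Every next hop below is a NEIGHBOUR's address on a
! connected link, never one of the PIX's own addresses (the next hop must be
! directly reachable on the named interface).
!
! Default route toward the upstream router on the outside link.
ipv6 route outside ::/0 2001:db8:1234:1::1
!
! Subnets that live behind the inside router (from the second diagram):
! reachable via the inside router's address on the 4:: link.
ipv6 route inside 2001:db8:1234:5::/64 2001:db8:1234:4::2
ipv6 route inside 2001:db8:1234:6::/64 2001:db8:1234:4::2
ipv6 route inside 2001:db8:1234:7::/64 2001:db8:1234:4::2
ipv6 route inside 2001:db8:1234:8::/64 2001:db8:1234:4::2
ipv6 route inside 2001:db8:1234:9::/64 2001:db8:1234:4::2
! The VLAN prefixes 10:: through 1f:: summarise into one /60; 20:: is separate.
ipv6 route inside 2001:db8:1234:10::/60 2001:db8:1234:4::2
ipv6 route inside 2001:db8:1234:20::/64 2001:db8:1234:4::2
!
! --- Access control ---
! Higher-to-lower security traffic (inside -> outside, inside -> dmz,
! dmz -> outside) is allowed by default; return traffic rides the stateful
! session, so no "return" ACL is needed.
! Lower-to-higher (outside -> dmz) must be permitted explicitly:
ipv6 access-list OUTSIDE_IN permit tcp any host 2001:db8:1234:2::10 eq 80
ipv6 access-list OUTSIDE_IN permit tcp any host 2001:db8:1234:2::10 eq 443
! IPv6 routers never fragment in transit, so Packet Too Big must get through
! or path MTU discovery breaks and large transfers stall.
ipv6 access-list OUTSIDE_IN permit icmp6 any any packet-too-big
ipv6 access-list OUTSIDE_IN permit icmp6 any any time-exceeded
ipv6 access-list OUTSIDE_IN deny ipv6 any any
access-group OUTSIDE_IN in interface outside
```

Two things to check after pasting this in: `show ipv6 route` should list the three connected prefixes as connected (no static entry for them) plus the default and the statics pointing at 4::2, and `show ipv6 interface` should show a global and a link-local address on each interface. If a static route is rejected, confirm its next hop is the neighbouring router's address on that interface and not the PIX's own address on it. A pre-8.0 ACL syntax or interface name may differ on a specific unit, so compare against the chapter desc referenced before relying on any line here.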