I have a bit of a problem with my Cisco 1921 ISR config. I have IPv4 (obviously) and also native IPv6 connectivity in my home lab. I am trying to set up the zone-based firewall. With IPv4 traffic, the returning traffic is matched fine and can come through (that’s how I’m uploading this question). But with IPv6, I can see just half of the traffic. Outgoing traffic is matched and let out fine; the returning traffic inexplicably gets matched by class-default and gets dropped. That is what I want to fix. I know that when doing zone-based firewall, a policy class should always match just one stack, v4 XOR v6.

Just a side note. I am doing this for my home networking setup. I know a Cisco router is not meant for the home environment, but I like it. I like geeking out over tech and learning new things. Plus I have almost forgotten everything from my CCNA about 10 years ago. Thanks for your help, guys.

So here’s my config …

I have two zones, INTERNET and TRUSTED (well there’s more but for this setup I’m focusing just on those two). Internet has a link-local fe80:: address and the ISP sends my entire /56 to that address. Without the firewall, ipv6 works fine.

vrf definition VRF1
 !
 address-family ipv6
 exit-address-family
!
ipv6 unicast-routing
!
ipv6 cef
!
parameter-map type inspect ipv6-param-map
 ipv6 routing-header-enforcement loose
 sessions maximum 10000
class-map type inspect match-any TRUSTED-TO-INTERNET-6-CLASS
 match access-group name TRUSTED-TO-INTERNET-6-ACL
class-map type inspect match-any TRUSTED-TO-INTERNET-CLASS
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect TRUSTED-TO-INTERNET-POLICY
 class type inspect TRUSTED-TO-INTERNET-CLASS
  inspect
 class type inspect TRUSTED-TO-INTERNET-6-CLASS
  inspect ipv6-param-map
 class class-default
  drop log
!
zone security TRUSTED
zone security INTERNET
!
zone-pair security TRUSTED-TO-INTERNET source TRUSTED destination INTERNET
 service-policy type inspect TRUSTED-TO-INTERNET-POLICY
!
ipv6 access-list TRUSTED-TO-INTERNET-6-ACL
 permit ipv6 any any

And now what is really happening:

moe#sh log
<omitted>
Feb  8 19:15:14.769: %FW-6-DROP_PKT: Dropping tcp session [2A01:<my_laptop's_ipv6>]:61984 [2A00:1450:4009:800::2004]:80 on zone-pair TRUSTED-TO-INTERNET class class-default due to  DROP action found in policy-map with ip ident 0

So from that I think the traffic does not get matched by my policy classes.

moe#show policy-map type inspect zone-pair TRUSTED-TO-INTERNET sessions

policy exists on zp TRUSTED-TO-INTERNET
  Zone-pair: TRUSTED-TO-INTERNET

  Service-policy inspect : TRUSTED-TO-INTERNET-POLICY

    Class-map: TRUSTED-TO-INTERNET-CLASS (match-any)
      Match: protocol tcp
        6348 packets, 322834 bytes
        30 second rate 0 bps
      Match: protocol udp
        1890 packets, 100760 bytes
        30 second rate 0 bps
      Match: protocol icmp
        12 packets, 288 bytes
        30 second rate 0 bps

   Inspect

      Number of Established Sessions = 46
      Established Sessions
        Session 2D39D100 (<laptop's_ipv4>:50415)=>(104.199.64.253:4070) tcp SIS_OPEN/TCP_ESTAB
          Created 12:02:12, Last heard 00:00:03
          Bytes sent (initiator:responder) [87580:124570]

< ...
  ...
  omitted
  ...
  ... >


      Number of Half-open Sessions = 3
      Half-open Sessions
        Session 2D3A4B80 [2A01:<laptop_ipv6>]:128=>[2A00:1450:4009:807::200E]:0 icmpv6 SIS_OPENING
          Created 00:20:54, Last heard 00:00:00
          ECHO request
          Bytes sent (initiator:responder) [10008:0]
        Session 2D39CA00 [2A01:<laptop_ipv6>]:55263=>[2A01:578:3::34D7:905B]:443 tcp SIS_OPENING/TCP_SYNSENT
          Created 00:00:28, Last heard 00:00:28
          Bytes sent (initiator:responder) [0:0]
        Session 2D3A4800 [2A01:<laptop_ipv6>]:46727=>[2A01:578:3::3431:3FD0]:443 tcp SIS_OPENING/TCP_SYNSENT
          Created 00:00:19, Last heard 00:00:19
          Bytes sent (initiator:responder) [0:0]


    Class-map: TRUSTED-TO-INTERNET-6-CLASS (match-any)
      Match: protocol tcp
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: protocol udp
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: protocol icmp
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: access-group name TRUSTED-TO-INTERNET-6-ACL
        0 packets, 0 bytes
        30 second rate 0 bps

   Inspect

    Class-map: class-default (match-any)
      Match: any
      Drop
        18961 packets, 961301 bytes

Any ideas why my returning traffic gets shot down by class-default instead of matching as returning traffic, just like it does with IPv4?
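As an added triage example (not part of the original post), the `%FW-6-DROP_PKT` syslog line shown above can be parsed so that class-default drops are counted per zone-pair and per IP family; in a longer log this makes an IPv6-only symptom like the one described stand out immediately. The sample log lines below are constructed, using RFC documentation addresses, and the `Drop` record and function names are this example's own.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Matches the IOS zone-based firewall drop message. IPv6 endpoints are
# written as [addr]:port, IPv4 endpoints as addr:port.
DROP_RE = re.compile(
    r"%FW-6-DROP_PKT: Dropping (?P<proto>\S+) session "
    r"(?P<src>\[[^\]]+\]|[0-9.]+):(?P<sport>\d+) "
    r"(?P<dst>\[[^\]]+\]|[0-9.]+):(?P<dport>\d+) "
    r"on zone-pair (?P<zp>\S+) class (?P<cls>\S+) due to\s+(?P<reason>.*)"
)

@dataclass
class Drop:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    zone_pair: str
    cls: str
    family: int  # 4 or 6, derived from the source address syntax

def parse_drop(line):
    """Return a Drop for a %FW-6-DROP_PKT line, or None for any other line."""
    m = DROP_RE.search(line)
    if not m:
        return None
    src, dst = m["src"].strip("[]"), m["dst"].strip("[]")
    return Drop(m["proto"], src, int(m["sport"]), dst, int(m["dport"]),
                m["zp"], m["cls"], 6 if ":" in src else 4)

def default_class_drops(lines):
    """Count drops that hit class-default, keyed by (zone-pair, IP family)."""
    counts = Counter()
    for line in lines:
        d = parse_drop(line)
        if d and d.cls == "class-default":
            counts[(d.zone_pair, d.family)] += 1
    return counts

# Constructed sample log: two IPv6 drops on the outbound zone-pair, one
# unsolicited IPv4 drop on the inbound zone-pair, and one unrelated line.
SAMPLE_LOG = [
    "Feb  8 19:15:14.769: %FW-6-DROP_PKT: Dropping tcp session [2001:db8:1::10]:61984 [2001:db8:ffff::80]:80 on zone-pair TRUSTED-TO-INTERNET class class-default due to  DROP action found in policy-map with ip ident 0",
    "Feb  8 19:15:15.102: %FW-6-DROP_PKT: Dropping icmpv6 session [2001:db8:1::10]:128 [2001:db8:ffff::1]:0 on zone-pair TRUSTED-TO-INTERNET class class-default due to  DROP action found in policy-map with ip ident 0",
    "Feb  8 19:15:16.400: %FW-6-DROP_PKT: Dropping udp session 198.51.100.7:5060 192.0.2.10:5060 on zone-pair INTERNET-TO-TRUSTED class class-default due to  DROP action found in policy-map with ip ident 0",
    "Feb  8 19:15:17.000: %SYS-5-CONFIG_I: Configured from console by admin on vty0",
]

if __name__ == "__main__":
    for (zp, fam), n in sorted(default_class_drops(SAMPLE_LOG).items()):
        print(f"{zp:<24} IPv{fam}: {n} class-default drop(s)")
```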
