Configuring the Cisco IOS Firewall in an IPv6 Environment
With IPv4 address space exhausted, IPv4 addresses are becoming a thing of the past, giving way to IPv6. I have found that many enterprise network managers hesitate over migrating to IPv6, probably because it feels like new ground and the migration looks like a hassle. In practice, the work involved, such as adjusting the firewall service, is not as difficult as you might think. The Cisco IOS Firewall can be configured in several ways. Suppose your device has the following static access list:
access-list 101 permit tcp any host 10.1.1.1 eq www
access-list 101 permit tcp any host 10.1.1.1 eq ftp
access-list 101 permit tcp any host 10.1.1.1 eq 22
IPv6 routers have access lists too, and they are configured much like IPv4 extended access lists.
IPv6 access list example:
permit tcp any host 2001:DB9:2:3::3 eq www sequence 10
permit tcp any host 2001:DB9:2:3::3 eq telnet sequence 20
permit tcp any host 2001:DB9:2:3::3 eq 22 sequence 30
permit tcp any host 2001:DB9:2:3::3 eq ftp sequence 40
An IPv6 list is applied to an interface with the ipv6 traffic-filter command instead of the ip access-group command we are used to, and the per-port control it gives is considerably clearer.
Reflexive access lists in IOS:
interface Ethernet0/1
 ip address 172.16.1.2 255.255.255.0
 ip access-group inboundfilter in
 ip access-group outboundfilter out
!
ip access-list extended inboundfilter
 permit icmp 172.16.1.0 0.0.0.255 10.1.1.0 0.0.0.255
 evaluate tcptraffic
!
ip access-list extended outboundfilter
 permit icmp 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255
 permit tcp 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255 reflect tcptraffic
Reflexive access lists must also be configured for the IPv6 side; the operation differs only slightly:
interface Ethernet0/1
 ipv6 address 2001:db9:1::1/64
 ipv6 traffic-filter inboundfilter in
 ipv6 traffic-filter outboundfilter out
!
ipv6 access-list inboundfilter
 permit icmp host 2001:db8:1::F host 2001:db9:2::2
 evaluate tcptraffic
!
ipv6 access-list outboundfilter
 permit tcp any any reflect tcptraffic
 permit icmp any any
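To make the reflect/evaluate mechanism concrete, here is an added Python simulator (not Cisco IOS code, and not from the original article) that runs the article's IPv4 and IPv6 lists through one engine. It assumes the wildcard masks are written as prefixes, gives the IPv6 lists a "6" suffix because IOS keeps the two families in separate namespaces, and uses constructed packets; entry timeouts and the implicit neighbor-discovery permits of real IPv6 access lists are not modelled. It also covers the static IPv6 list above, showing the implicit deny at the end of a list.

```python
"""Reflexive access-list simulator: one engine for IPv4 and IPv6.

Added example, not Cisco IOS code. An outbound packet that matches a 'reflect'
entry records its reverse 5-tuple; an inbound 'evaluate' entry admits a packet
only if it matches a recorded reverse flow. Entry timeouts and the IPv6
implicit neighbor-discovery permits are left out of the model.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str           # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


def _net(spec):
    """ACL address spec ('any', 'host X' or prefix) -> ip_network, None for 'any'."""
    if spec == "any":
        return None
    return ipaddress.ip_network(spec[5:] if spec.startswith("host ") else spec, strict=False)


def _in(net, addr):
    a = ipaddress.ip_address(addr)
    return net is None or (a.version == net.version and a in net)


def _flow(proto, src, sport, dst, dport):
    # Canonical 5-tuple: normalising addresses makes 2001:DB8::1 and 2001:db8::1 equal.
    return (proto, str(ipaddress.ip_address(src)), sport, str(ipaddress.ip_address(dst)), dport)


class ReflexiveFirewall:
    def __init__(self):
        self.acls = {}       # ACL name -> ordered static entries
        self.reflexive = {}  # reflexive list name -> set of temporary reverse flows

    def add(self, acl, **entry):
        self.acls.setdefault(acl, []).append(entry)

    def _match(self, e, pkt):
        return (e["proto"] == pkt.proto and _in(_net(e["src"]), pkt.src)
                and _in(_net(e["dst"]), pkt.dst) and e.get("dport") in (None, pkt.dport))

    def apply(self, acl, pkt):
        """Run pkt through acl in order; returns 'permit' or 'deny' (implicit deny at the end)."""
        for e in self.acls.get(acl, []):
            if "evaluate" in e:
                key = _flow(pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
                if key in self.reflexive.get(e["evaluate"], set()):
                    return "permit"
                continue
            if self._match(e, pkt):
                if e.get("reflect"):
                    # Session seen going out: admit exactly its reverse flow coming back.
                    rev = _flow(pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
                    self.reflexive.setdefault(e["reflect"], set()).add(rev)
                return e["action"]
        return "deny"


def build_article_policy():
    """The article's lists; wildcard masks written as prefixes, IPv6 lists suffixed '6'."""
    fw = ReflexiveFirewall()
    fw.add("inboundfilter", action="permit", proto="icmp", src="172.16.1.0/24", dst="10.1.1.0/24")
    fw.add("inboundfilter", evaluate="tcptraffic")
    fw.add("outboundfilter", action="permit", proto="icmp", src="10.1.1.0/24", dst="172.16.1.0/24")
    fw.add("outboundfilter", action="permit", proto="tcp", src="10.1.1.0/24", dst="172.16.1.0/24", reflect="tcptraffic")
    fw.add("inboundfilter6", action="permit", proto="icmp", src="host 2001:db8:1::f", dst="host 2001:db9:2::2")
    fw.add("inboundfilter6", evaluate="tcptraffic")
    fw.add("outboundfilter6", action="permit", proto="tcp", src="any", dst="any", reflect="tcptraffic")
    fw.add("outboundfilter6", action="permit", proto="icmp", src="any", dst="any")
    # The article's static IPv6 list (www and 22 entries) for the non-reflexive case.
    fw.add("static6", action="permit", proto="tcp", src="any", dst="host 2001:db9:2:3::3", dport=80)
    fw.add("static6", action="permit", proto="tcp", src="any", dst="host 2001:db9:2:3::3", dport=22)
    return fw


def demo():
    """Constructed packets run through the lists; returns the verdict per scenario."""
    fw = build_article_policy()
    r = {}
    r["v4_unsolicited"] = fw.apply("inboundfilter", Packet("tcp", "172.16.1.9", "10.1.1.5", 40000, 22))
    r["v4_outbound"] = fw.apply("outboundfilter", Packet("tcp", "10.1.1.5", "172.16.1.9", 51000, 443))
    r["v4_return"] = fw.apply("inboundfilter", Packet("tcp", "172.16.1.9", "10.1.1.5", 443, 51000))
    r["v4_other_host"] = fw.apply("inboundfilter", Packet("tcp", "172.16.1.10", "10.1.1.5", 443, 51000))
    r["v6_unsolicited"] = fw.apply("inboundfilter6", Packet("tcp", "2001:db8:1::f", "2001:db9:2::2", 40000, 22))
    r["v6_outbound"] = fw.apply("outboundfilter6", Packet("tcp", "2001:db9:2::2", "2001:DB8:1::F", 52000, 80))
    r["v6_return"] = fw.apply("inboundfilter6", Packet("tcp", "2001:db8:1::f", "2001:db9:2::2", 80, 52000))
    r["v6_icmp"] = fw.apply("inboundfilter6", Packet("icmp", "2001:db8:1::f", "2001:db9:2::2"))
    r["v6_static_ssh"] = fw.apply("static6", Packet("tcp", "2001:db8::1", "2001:db9:2:3::3", 40001, 22))
    r["v6_static_smtp"] = fw.apply("static6", Packet("tcp", "2001:db8::1", "2001:db9:2:3::3", 40002, 25))
    return r


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:16} {verdict}")
```

The two scenarios worth watching are the unsolicited inbound SYN, which is denied because no reflexive entry exists yet, and the return packet from a different outside host with the same ports, which is still denied because each temporary entry is an exact reverse 5-tuple. The IPv6 half behaves identically, which is the article's point.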
Context-Based Access Control (CBAC) is also known as the IOS Firewall.
For IPv4, the firewall configuration looks like this:
ip inspect name FW tcp
!
interface Ethernet0
 ip address 10.10.10.2 255.255.255.0
 ip access-group 101 in
 ip inspect FW in
!
interface Serial0.1 point-to-point
 ip address 10.10.11.2 255.255.255.252
 ip access-group 102 in
 frame-relay interface-dlci 200 IETF
!
In the IPv6 environment it is basically unchanged; the inspection commands just take their ipv6 form:
ipv6 inspect name FW tcp
!
interface Ethernet0
 ipv6 address 2001:db9:1::1/64
 ipv6 traffic-filter inboundfilter in
 ipv6 inspect FW in
!
interface Serial0.1 point-to-point
 ipv6 address 2001:db9:2::A/64
 ipv6 traffic-filter outboundfilter in
 frame-relay interface-dlci 200 IETF
!
There is also the Zone-Based Firewall; its configuration is the same in IPv4 and IPv6 environments (the interfaces must be members of the zones the zone-pair refers to):
class-map type inspect match-any MYPROTOS
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect OUTBOUND
 class type inspect MYPROTOS
  inspect
!
zone security inside
zone security outside
!
zone-pair security IN>OUT source inside destination outside
 service-policy type inspect OUTBOUND
!
interface fastethernet0/0
 zone-member security inside
!
interface fastethernet0/1
 zone-member security outside
!
With this policy in place, the interfaces can carry IPv4 or IPv6 addresses alike. TCP, UDP and ICMP are not Layer 3 protocols, so the address family does not affect the firewall service.
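The following added Python model (not Cisco IOS code, and not from the original article) shows why the zone-based configuration above is address-family neutral: the pass/inspect/drop decision is made from the zones of the ingress and egress interfaces and the zone-pair policy, and packet addresses never enter into it. It follows the ZBF rules that intra-zone traffic passes, inter-zone traffic with no zone-pair is dropped, and a zoned interface cannot exchange traffic with an unzoned one; the self zone and the session state that `inspect` keeps for return traffic are not modelled, and the interface names and flows are constructed.

```python
"""Zone-Based Firewall decision model for the article's configuration.

Added example, not Cisco IOS code. Decisions depend only on the zones of the
two interfaces and the zone-pair policy, never on the packet's address family.
"""
from dataclasses import dataclass, field


@dataclass
class ZoneFirewall:
    zone_of: dict = field(default_factory=dict)  # interface -> zone name
    policy: dict = field(default_factory=dict)   # (src zone, dst zone) -> inspected protocols

    def zone_member(self, iface, zone):
        self.zone_of[iface] = zone

    def zone_pair(self, src, dst, protocols):
        """zone-pair plus a service-policy whose class-map is 'match-any' over protocols."""
        self.policy[(src, dst)] = set(protocols)

    def decide(self, ingress, egress, proto):
        src, dst = self.zone_of.get(ingress), self.zone_of.get(egress)
        if src is None and dst is None:
            return "pass"     # neither interface is zoned: ZBF is not involved
        if src is None or dst is None:
            return "drop"     # zoned <-> unzoned interface is always dropped
        if src == dst:
            return "pass"     # intra-zone traffic passes by default
        protocols = self.policy.get((src, dst))
        if protocols is None:
            return "drop"     # no zone-pair for this direction: default deny
        return "inspect" if proto in protocols else "drop"  # class-default drops


def build_article_zbf():
    """Zones, members and the IN>OUT pair from the article (interface names constructed)."""
    fw = ZoneFirewall()
    fw.zone_member("FastEthernet0/0", "inside")
    fw.zone_member("FastEthernet0/1", "outside")
    fw.zone_pair("inside", "outside", ["tcp", "udp", "icmp"])
    return fw


def demo():
    """Constructed flows as (ingress, egress, protocol); returns the decision for each."""
    fw = build_article_zbf()
    return {
        "inside_to_outside_tcp": fw.decide("FastEthernet0/0", "FastEthernet0/1", "tcp"),
        "inside_to_outside_gre": fw.decide("FastEthernet0/0", "FastEthernet0/1", "gre"),
        "outside_to_inside_tcp": fw.decide("FastEthernet0/1", "FastEthernet0/0", "tcp"),
        "inside_to_unzoned": fw.decide("FastEthernet0/0", "Serial0/0", "tcp"),
        "unzoned_to_unzoned": fw.decide("Serial0/0", "Serial0/1", "tcp"),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:24} {verdict}")
```

The case to note when adding IPv6 to such a design is the unzoned interface: once an interface joins a zone, any interface you bring up for IPv6 without a zone-member statement is cut off from it, regardless of address family.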
Overall, these are very simple examples, but they make one point: on a Cisco IOS device the firewall configuration differs little between IPv4 and IPv6. So you can now start thinking about making the enterprise network dual-stack while the firewall keeps working.
