Cisco ASA 5505 allowing inbound ICMPv6

Posted by Astron on Server Fault
Published on 2012-11-24T03:12:35Z


I am trying to allow inbound unsolicited ICMPv6 requests from an external link-local address to my outside (external) interface's link-local address. I can ping (echo-request) the external address and receive a pong (echo-reply), but ICMPv6 messages initiated on the far side are dropped. I am running 9.0(1) in order to use some of the newer features. Does the Cisco ASA not allow unsolicited inbound requests from a link-local address? Should it matter if all ICMPv6 is allowed?

Statements being denied:

%ASA-3-313008: Denied IPv6-ICMP type=129, code=0 from fe80::XXXX:XXXX:XXXX:XXXX on interface outside
%ASA-3-313008: Denied IPv6-ICMP type=131, code=0 from fe80::XXXX:XXXX:XXXX:XXXX on interface outside
%ASA-3-313008: Denied IPv6-ICMP type=131, code=0 from fe80::XXXX:XXXX:XXXX:XXXX on interface outside
%ASA-3-313008: Denied IPv6-ICMP type=136, code=0 from fe80::XXXX:XXXX:XXXX:XXXX on interface outside
%ASA-3-313008: Denied IPv6-ICMP type=136, code=0 from fe80::XXXX:XXXX:XXXX:XXXX on interface outside
%ASA-3-313008: Denied IPv6-ICMP type=136, code=0 from fe80::XXXX:XXXX:XXXX:XXXX on interface outside

I created both an inbound ACL and ICMP permit statements:

access-list OUTSIDE-IN extended permit icmp6 any any
access-list OUTSIDE-IN extended permit icmp6 any any membership-report
access-list OUTSIDE-IN extended permit icmp6 any any membership-report 0
access-list OUTSIDE-IN extended permit icmp6 any any echo-reply 0
access-list OUTSIDE-IN extended permit icmp6 any any echo-reply
access-list OUTSIDE-IN extended permit icmp6 any interface outside membership-report
access-list OUTSIDE-IN extended permit icmp6 any interface outside membership-report 0
access-list OUTSIDE-IN extended permit icmp6 any6 any6 echo-reply
access-list OUTSIDE-IN extended permit icmp6 any6 any6 membership-report
access-list OUTSIDE-IN extended permit icmp6 any6 any6 echo-reply 0
access-list OUTSIDE-IN extended permit icmp6 any6 any6 membership-report 0

snip

access-group OUTSIDE-IN in interface outside
ipv6 icmp permit any inside
ipv6 icmp permit any membership-report outside
ipv6 icmp permit any echo-reply outside
ipv6 icmp permit any router-advertisement outside
ipv6 icmp permit any neighbor-solicitation outside
ipv6 icmp permit any neighbor-advertisement outside
ipv6 icmp permit any outside
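Added example (not part of the original post, nor Cisco code): a small Python decoder for the %ASA-3-313008 lines above. Two things are worth seeing in working code. First, the types in the denied messages are 129 (echo reply), 131 (MLDv1 multicast listener report) and 136 (neighbor advertisement), per RFC 4443, RFC 2710 and RFC 4861; none of them is an echo request (128), so the drops are link-local control-plane traffic addressed to the firewall's own interface rather than a peer's ping. Second, 313008 is logged by the interface's `ipv6 icmp` list, which filters ICMPv6 to the ASA itself and is evaluated separately from the through-traffic ACL applied with `access-group`. The rule model below (first match wins; once any `ipv6 icmp` rule exists on an interface, unmatched traffic is denied) is an assumption to confirm against the ASA command reference, and the syslog lines and addresses are constructed for the example.

```python
"""Decode %ASA-3-313008 ICMPv6 drops and test them against a modelled
`ipv6 icmp` to-the-box rule list (added example, not from the original post)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# ICMPv6 type numbers: RFC 4443 (echo), RFC 4861 (ND), RFC 2710/3810 (MLD).
# Names follow the keywords the ASA `ipv6 icmp` command accepts.
ICMPV6_TYPES = {
    128: "echo-request",
    129: "echo-reply",
    130: "membership-query",
    131: "membership-report",        # MLDv1 listener report
    132: "membership-reduction",     # MLDv1 done
    133: "router-solicitation",
    134: "router-advertisement",
    135: "neighbor-solicitation",
    136: "neighbor-advertisement",
    137: "redirect",
    143: "mldv2-report",
}
# Link-local control-plane chatter to the box, as opposed to end-to-end echo.
CONTROL_PLANE = {130, 131, 132, 133, 134, 135, 136, 137, 143}

LOG_RE = re.compile(
    r"%ASA-3-313008: Denied IPv6-ICMP type=(?P<type>\d+), code=(?P<code>\d+) "
    r"from (?P<src>[0-9a-fA-F:]+) on interface (?P<iface>\S+)"
)


@dataclass(frozen=True)
class Drop:
    icmp_type: int
    code: int
    src: str
    iface: str

    @property
    def name(self) -> str:
        return ICMPV6_TYPES.get(self.icmp_type, f"type-{self.icmp_type}")

    @property
    def control_plane(self) -> bool:
        return self.icmp_type in CONTROL_PLANE


def parse_drops(lines):
    """Return a Drop for every 313008 line; other syslog messages are skipped."""
    drops = []
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            drops.append(Drop(int(m["type"]), int(m["code"]), m["src"], m["iface"]))
    return drops


@dataclass(frozen=True)
class IcmpRule:
    action: str               # "permit" or "deny"
    src: str                  # "any", "host <addr>" or "<prefix>/<len>"
    icmp_type: Optional[str]  # ICMPv6 type keyword, or None for all types
    iface: str


def parse_rule(line):
    """Parse `ipv6 icmp {permit|deny} {any|host X|P/L} [type] <iface>`."""
    toks = line.split()
    assert toks[:2] == ["ipv6", "icmp"], line
    action = toks[2]
    if toks[3] == "host":
        src, rest = f"host {toks[4]}", toks[5:]
    else:
        src, rest = toks[3], toks[4:]
    icmp_type = rest[0] if len(rest) == 2 else None
    return IcmpRule(action, src, icmp_type, rest[-1])


def _src_matches(rule_src, addr):
    if rule_src == "any":
        return True
    if rule_src.startswith("host "):
        return ipaddress.ip_address(addr) == ipaddress.ip_address(rule_src[5:])
    return ipaddress.ip_address(addr) in ipaddress.ip_network(rule_src, strict=False)


def evaluate(drop, rules):
    """Modelled ASA semantics (assumption): first matching rule on the interface
    decides; with no rules everything is permitted; with rules but no match, deny."""
    iface_rules = [r for r in rules if r.iface == drop.iface]
    if not iface_rules:
        return "permit"
    for r in iface_rules:
        if (r.icmp_type is None or r.icmp_type == drop.name) and _src_matches(r.src, drop.src):
            return r.action
    return "deny"


def summarize(lines, rules):
    """Map each dropped ICMPv6 type name to the verdict the rule list would give."""
    return {d.name: evaluate(d, rules) for d in parse_drops(lines)}


# Constructed sample: mirrors the post's denied types with a made-up source.
SAMPLE_LOG = """\
%ASA-3-313008: Denied IPv6-ICMP type=129, code=0 from fe80::1 on interface outside
%ASA-3-313008: Denied IPv6-ICMP type=131, code=0 from fe80::1 on interface outside
%ASA-3-313008: Denied IPv6-ICMP type=136, code=0 from fe80::1 on interface outside
%ASA-6-302013: Built inbound TCP connection (unrelated line, ignored)""".splitlines()

RULES_ECHO_ONLY = [parse_rule("ipv6 icmp permit any echo-reply outside")]
RULES_WITH_ND = [parse_rule(l) for l in (
    "ipv6 icmp permit any echo-reply outside",
    "ipv6 icmp permit any membership-report outside",
    "ipv6 icmp permit any neighbor-solicitation outside",
    "ipv6 icmp permit any neighbor-advertisement outside",
)]

if __name__ == "__main__":
    for d in parse_drops(SAMPLE_LOG):
        print(f"{d.name:24s} control-plane={d.control_plane}")
    print(summarize(SAMPLE_LOG, RULES_ECHO_ONLY))
    print(summarize(SAMPLE_LOG, RULES_WITH_ND))
```

Feeding a real `show logging` capture through `parse_drops` tells you at a glance whether the drops are ND/MLD to the interface itself (everything in `CONTROL_PLANE`) or genuine echo requests, which is the first thing to establish before touching the `access-list` entries.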
