Now that I have IPv6 connectivity to my network, I'm looking for a basic IPv6 firewall configuration for IOS.

It used to be that we could rely on NAT to 'hide' internal (read: outgoing connections only) machines, but thankfully we no longer have NAT to do the work for us.

What is a sensible set of IOS configurations / ACLs for a small internal network?

MikeyB

2 Answers

Here's what I've come up with. It works, though I'm not sure if it's optimal. Suggestions welcome!

! Tunnel to the IPv6 provider: filtered in both directions
interface IncomingTunnel0
 ipv6 traffic-filter exterior-in6 in
 ipv6 traffic-filter exterior-out6 out

! LAN side
interface LocalLan0
 ipv6 traffic-filter interior-in6 in
 ipv6 traffic-filter interior-out6 out

! Inbound from the Internet. "evaluate" comes first so that return traffic
! for sessions recorded by exterior-out6 is matched before the static entries.
ipv6 access-list exterior-in6
 evaluate exterior-reflect sequence 1
 permit ipv6 any host EXTERNAL_ROUTER_ADDRESS sequence 10
 permit tcp any host INTERNAL_ROUTER_ADDRESS eq 22 sequence 11
 permit tcp any host INTERNAL_SERVER_ADDRESS eq 22 sequence 100
 permit icmp any any sequence 800
 deny ipv6 any any sequence 1000

! Outbound: only our own prefix may leave, and every permitted flow is
! recorded in the reflexive list exterior-reflect for the evaluate above.
ipv6 access-list exterior-out6
 sequence 10 permit ipv6 MY_ASSIGNED_SUBNET::/48 any reflect exterior-reflect

! From the LAN: link-local (ND, RS, MLD) and our own /64 only; anything else
! hits the implicit deny at the end (which follows IOS's implicit permits for
! neighbor discovery, so ND keeps working without an explicit entry).
ipv6 access-list interior-in6
 permit ipv6 fe80::/10 any
 permit ipv6 INTERNAL_LAN_SUBNET::/64 any

! To the LAN: no filtering
ipv6 access-list interior-out6
 permit ipv6 any any

For those of you not familiar with reflexive access-lists, it's how you do stateful connection tracking. In other words, it's what allows responses to those outgoing connections to come back to you.

MikeyB

I'd really recommend using inspection instead of reflexive access lists, e.g.:

! Stateful inspection rule covering the three protocols that matter here
ipv6 inspect name IPV6FIREWALLINSPECT tcp
ipv6 inspect name IPV6FIREWALLINSPECT udp
ipv6 inspect name IPV6FIREWALLINSPECT icmp

! Inspect what leaves through the tunnel; return traffic for those sessions
! is then allowed back in ahead of the static filter.
interface IncomingTunnel0
 ipv6 inspect IPV6FIREWALLINSPECT out
 ipv6 traffic-filter IPV6FIREWALL in

! Static inbound filter: only what you deliberately expose, then deny
ipv6 access-list IPV6FIREWALL
 sequence 10 permit (explicit inbound traffic)
 sequence 20 deny ipv6 any any

Much cleaner config. sho ipv6 inspect session will show you all the outbound sessions for which return traffic is permitted.

Jason Seemann
  • Note: you need to add "sequence 5 permit icmp any any" to the IPV6FIREWALL access-list definition, or else you won't be able to use the IPv6 connection at all; ICMP is necessary for v6 in a way that you could get away with ignoring in v4. – Cerebrate Aug 18 '16 at 16:35
  • Also, if your tunnel or ISP provides addresses, prefixes, or other configuration data using DHCPv6, you will also need to add "sequence 10 permit udp any any eq 546", or the interface won't configure correctly. – Cerebrate Aug 18 '16 at 16:38
  • As an additional note, I have learned that there is a bug in IOS 12 that causes inspection of IPv6 traffic to cause downloads or other large TCP transfers to stall. I've had to discontinue using inspection because of this. – Cerebrate Aug 20 '16 at 20:40
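Filling in the inspect-based design with the points raised in the comments, as an added example that is not Jason Seemann's or Cerebrate's config. The inbound list gets the ICMPv6 types RFC 4890 says must not be dropped (echo-reply is left to inspection, which pairs it with the outbound echo), an entry for DHCPv6 replies, and a logged final deny. Neighbor discovery is listed explicitly because an explicit `deny ipv6 any any` overrides IOS's implicit nd-ns/nd-na permits. Sequence numbers are chosen so that none collide with the existing entries. Assumed placeholders not in the original: MGMT_PREFIX::/64 for the admin source network and INTERNAL_SERVER_ADDRESS for a host that accepts SSH.

```cisco
! Added example (not from the answer or the comments).
! MGMT_PREFIX::/64 and INTERNAL_SERVER_ADDRESS are assumed placeholders.
ipv6 inspect name IPV6FIREWALLINSPECT tcp
ipv6 inspect name IPV6FIREWALLINSPECT udp
ipv6 inspect name IPV6FIREWALLINSPECT icmp

ipv6 access-list IPV6FIREWALL
 ! ICMPv6 the link cannot function without (RFC 4890). ND entries are
 ! explicit because the closing deny overrides IOS's implicit ND permits.
 sequence 5 permit icmp any any nd-ns
 sequence 6 permit icmp any any nd-na
 sequence 7 permit icmp any any router-advertisement
 sequence 8 permit icmp any any packet-too-big
 sequence 9 permit icmp any any time-exceeded
 sequence 11 permit icmp any any unreachable
 sequence 12 permit icmp any any parameter-problem
 sequence 13 permit icmp any any echo-request
 ! DHCPv6: the client's Solicit goes to a multicast address, so inspection
 ! cannot pair the reply with it. Servers answer from port 547 to the
 ! client's port 546 (RFC 3315), which is all that needs to be opened.
 sequence 20 permit udp any eq 547 any eq 546
 ! Services deliberately exposed, restricted to the admin prefix.
 sequence 30 permit tcp MGMT_PREFIX::/64 host INTERNAL_SERVER_ADDRESS eq 22
 ! Everything else. Inspection inserts its temporary return-traffic entries
 ! ahead of the static list, so this deny never sees legitimate replies.
 sequence 100 deny ipv6 any any log

interface IncomingTunnel0
 ipv6 inspect IPV6FIREWALLINSPECT out
 ipv6 traffic-filter IPV6FIREWALL in
```

`show ipv6 inspect session` lists the sessions currently holding the inbound door open, and `show ipv6 access-list IPV6FIREWALL` shows which static entries are actually being hit, which is the quickest way to tell whether a stalled transfer is the inspection problem described in the comments or simply a missing permit.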