Cisco subnet config to prevent incoming connections
Shadow Hawkins on Friday, 14 November 2008 17:14:25
Hi,
I'm not too familiar with IOS, and when configuring the IPv6 subnet I'd like to ensure that initiating a connection from the outside towards an internal node is not possible (of course, return packets from internally initiated connections must flow ...).
I see how to do that with iptables, but with IOS I have no real clue :) Does anyone have docs about that? A sample config?
Thanks,
Sylvain
Cisco subnet config to prevent incoming connections
Carmen Sandiego on Monday, 03 August 2009 16:21:55
! Simple reflexive ACL (Cisco's term for the reflect/evaluate pair):
! outbound traffic creates temporary mirrored entries in IPV6REFLECT,
! the inbound filter consults them, everything else is dropped.
!
ipv6 access-list IPV6SECURITY
 ! ICMP between the two tunnel end-points, in both directions
 sequence 10 permit icmp host 2001:xxxx:xxxx:xxxx::2 host 2001:xxxx:xxxx:xxxx::1
 sequence 20 permit icmp host 2001:xxxx:xxxx:xxxx::1 host 2001:xxxx:xxxx:xxxx::2
 ! return traffic of sessions that were initiated from inside
 evaluate IPV6REFLECT
 ! drop and log anything else, including inbound connection attempts
 sequence 50 deny ipv6 any any log-input
!
ipv6 access-list IPV6OUTBOUND
 ! every outbound packet creates a mirrored entry that lives 60 s after
 ! the last matching packet
 permit ipv6 any any reflect IPV6REFLECT timeout 60
!
int tun xxxx
 ipv6 traffic-filter IPV6SECURITY in
 ipv6 traffic-filter IPV6OUTBOUND out
!
! Note: the explicit "deny ipv6 any any" at sequence 50 also overrides the
! implicit nd-ns/nd-na permits IOS appends to every IPv6 ACL. That is harmless
! on a point-to-point tunnel, but on a LAN interface Neighbor Discovery would
! need explicit permits.
!
! The first two permits allow all ICMP between the tunnel end-points; anything else is not allowed unless it originated from within my network.
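To make the reflect/evaluate mechanism concrete, here is a small Python model of how the two access lists above decide on packets. It is an added illustration for this thread, not IOS code and not part of the original post; the addresses, ports and packets are constructed for the example, and the model only tracks the mirrored 5-tuple and the idle timeout, which is enough to show why an externally initiated SYN is dropped while replies to an internal client are admitted. It also shows a consequence of the posted rules: ICMPv6 from anywhere other than the tunnel end-points (e.g. a Packet Too Big error from an intermediate router) hits the final deny.

```python
"""Toy model of a Cisco IOS reflexive ACL (reflect on egress, evaluate on
ingress). Added example for the thread; constructed data, not IOS code."""
from dataclasses import dataclass
from typing import Dict, Tuple

# Constructed tunnel end-points standing in for the 2001:xxxx::1/::2 pair
TUNNEL_LOCAL = "2001:db8:1::2"
TUNNEL_REMOTE = "2001:db8:1::1"
REFLECT_TIMEOUT = 60  # seconds, as in "reflect IPV6REFLECT timeout 60"


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0  # unused (0) for icmp
    dport: int = 0


Key = Tuple[str, str, str, int, int]


class ReflexiveAcl:
    """Temporary entries created by `reflect`, consulted by `evaluate`."""

    def __init__(self, timeout: int) -> None:
        self.timeout = timeout
        self.entries: Dict[Key, float] = {}  # mirrored 5-tuple -> expiry

    def reflect(self, pkt: Packet, now: float) -> None:
        # The entry describes the *return* direction: addresses and ports
        # are swapped relative to the outbound packet that created it.
        key = (pkt.proto, pkt.dst, pkt.src, pkt.dport, pkt.sport)
        self.entries[key] = now + self.timeout

    def evaluate(self, pkt: Packet, now: float) -> bool:
        key = (pkt.proto, pkt.src, pkt.dst, pkt.sport, pkt.dport)
        expiry = self.entries.get(key)
        if expiry is None:
            return False
        if now > expiry:
            del self.entries[key]  # idle entry has aged out
            return False
        self.entries[key] = now + self.timeout  # matching traffic refreshes it
        return True


reflect_list = ReflexiveAcl(REFLECT_TIMEOUT)


def outbound(pkt: Packet, now: float) -> str:
    """IPV6OUTBOUND: permit ipv6 any any reflect IPV6REFLECT timeout 60."""
    reflect_list.reflect(pkt, now)
    return "permit"


def inbound(pkt: Packet, now: float) -> str:
    """IPV6SECURITY, evaluated top to bottom like the posted ACL."""
    endpoints = (TUNNEL_LOCAL, TUNNEL_REMOTE)
    # sequence 10 / 20: ICMP between the tunnel end-points only
    if pkt.proto == "icmp" and pkt.src in endpoints and pkt.dst in endpoints \
            and pkt.src != pkt.dst:
        return "permit"
    # evaluate IPV6REFLECT: return traffic of flows initiated from inside
    if reflect_list.evaluate(pkt, now):
        return "permit"
    # sequence 50: deny ipv6 any any log-input
    return "deny"


def run_scenario() -> Dict[str, str]:
    """Walk a few constructed packets through both filters."""
    client, server, other = "2001:db8:2::10", "2001:db8:3::1", "2001:db8:4::1"
    results = {}
    # t=0: internal client opens a TCP session to an outside web server
    results["client_syn_out"] = outbound(Packet("tcp", client, server, 40000, 80), 0)
    # t=1: the server's reply matches the mirrored entry
    results["server_reply_in"] = inbound(Packet("tcp", server, client, 80, 40000), 1)
    # t=1: an unsolicited SYN from outside to the client's SSH port
    results["unsolicited_syn_in"] = inbound(Packet("tcp", server, client, 12345, 22), 1)
    # t=1: ICMP between the tunnel end-points is always allowed
    results["endpoint_icmp_in"] = inbound(Packet("icmp", TUNNEL_REMOTE, TUNNEL_LOCAL), 1)
    # t=1: ICMPv6 from a third-party router to the client is not
    results["router_icmp_in"] = inbound(Packet("icmp", other, client), 1)
    # t=100: the entry (refreshed at t=1, expiring at t=61) has aged out
    results["late_reply_in"] = inbound(Packet("tcp", server, client, 80, 40000), 100)
    return results


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name:20s} {verdict}")
```

Real IOS additionally removes TCP entries shortly after seeing FIN/RST, and the entries are only ever created by packets that actually traverse the outbound filter, so an internal host that never sends anything gets no inbound entries at all.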
Cisco subnet config to prevent incoming connections
Shadow Hawkins on Saturday, 15 November 2008 12:28:24
This is all very well documented in the Cisco manuals. I advise you to go to the Cisco website for them. They are also indexed by Google so a common search will find them for you.
I published my own notes on my Cisco router ages ago. It contains an ACL sample for IPv6 as well: Hugo van der Kooij: Network: Cisco 836 with XS4ALL