Cisco Pix 525, IPv6 won't pass packets

Status
Not open for further replies.

UltraZero

Technical User
Jul 20, 2011
30
US
I have a Cisco Pix 525 and I am running IPv6. I have taken the unit offline simply because I could not get it to pass IPv6 packets. I have tried everything I could to make this happen. I have been able to get IPv4 packets to work. I have also been able to get ACLs to work as well. I am new to this, but no one seems to know how to get this to work.

If anyone can help, I would appreciate it. I can't find any information other than the Pix works with IPv6 and a config from Cisco which doesn't show the full routes in the pic.

The only thing I can see that could be a problem is the Pix doesn't allow IPv6 routing protocols, so manual routes are needed. I have 4 interfaces: 1. outside 2. inside 3. DMZ 4. Inhouse servers. I cannot ping IPv6 from the inside interface to the outside, but I can ping IPv6 from the Pix out to the internet, so I know the packets are getting to the Pix, but not through it.

Does anyone have any idea? Thanks
 
What version of the PIX OS are you running? Are you sure you are allowing ICMPv6 echo and echo-reply through your access-lists?
 
Icmp and Icmp6 are allowed through access lists. I have tried to layer my ACLs like my IPv4 ACLs thinking the access should be the same.

Version is 8.02 I think. I have 2 units.

I know the network is functional because I am currently on it and I can pass IPv6 packets without a problem without the PIX.

I can't even seem to find anyone with an ASA 5505 or greater with a lower version of the IOS to closely match my IOS in order to compare.

I know the ASA 55xx version 8.2 supports IPv6 in the GUI and maybe even supports routing protocols, which would at least take care of the routing issue. I think possibly it's a routing issue where I am not establishing the correct routes. I don't get any return errors from behind the Pix. Just kinda pinging into nothing, which tells me either (at least for ping) ICMP/ICMP6 packets are not returning or not going through to begin with.

I would like to put this unit back into place, but it is terribly painful to bring the network down in order to put this in place and then find out it doesn't work. Maybe I'll have to create a test lab. I wish I had a hub to be able to put a packet tracer on in order to test. I didn't do this with IPv4. It was straightforward: worked or didn't.

Any other suggestions would be appreciated. I haven't seen too many books that touch on this subject much.

I kinda get the feeling the world (US) is still kinda asleep when it comes to IPv6. (at least when it comes to firewalls) Security appliances should come first then the network to protect and not the networks, the problems, the hackers, then the appliances. Sounds like a great way to drum up business. Wait til there is a problem and then take the already created product off the shelf, dust it off, paint it a different color and call it something new..

LOL..
 
You shouldn't need a routing protocol for simple testing. You can enable a default route to one of your external routers.

Code:
ipv6 route outside_if_name ::/0 {router's ipv6 addr}

Access-lists are different for ip4 and ipv6. I'm assuming you have some "ipv6 access-list" commands in your PIX?

The PIX does indeed support IPv6 provided it is configured properly and at least version 7 OS. Not all features are supported, most popular being failover firewall configs. However it should do an adequate job for ipv6 testing purposes until you can afford to upgrade to a modern ASA.

Double check your config and make sure your interfaces are setup properly.
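The checks suggested in the replies above (a default IPv6 route, `ipv6 access-list` entries for ICMPv6 echo-reply, interface setup) can be run against a saved configuration. This is an added example, not part of the original thread: the sample config, its names and its addresses are constructed, and `audit_ipv6` is a hypothetical helper. It also checks that each IPv6 list is attached with `access-group`, which the thread does not mention.

```python
import re

# Constructed sample config (not from the thread); 2001:db8::/32 is the documentation prefix.
SAMPLE_CONFIG = """\
interface Ethernet0
 nameif outside
 ipv6 address 2001:db8:0:1::2/64
interface Ethernet1
 nameif inside
 ip address 192.0.2.1 255.255.255.0
ipv6 route outside ::/0 2001:db8:0:1::1
access-list outside_v4 extended permit icmp any any echo-reply
ipv6 access-list outside_v6 permit icmp6 any any echo-reply
access-group outside_v4 in interface outside
"""

def audit_ipv6(config):
    """Return findings for the IPv6 prerequisites raised in the thread."""
    findings, blocks, cur = [], [], None
    for ln in config.splitlines():
        if not ln.startswith(" "):  # top-level line: opens or closes an interface block
            cur = {"name": None, "v6": False} if ln.startswith("interface ") else None
            if cur is not None:
                blocks.append(cur)
        elif cur is not None:
            if m := re.match(r" +nameif (\S+)", ln):
                cur["name"] = m.group(1)
            elif re.match(r" +ipv6 address \S+", ln):
                cur["v6"] = True
    for b in blocks:
        if b["name"] and not b["v6"]:
            findings.append(f"interface {b['name']}: no ipv6 address")
    if not re.search(r"^ipv6 route \S+ ::/0 \S+", config, re.M):
        findings.append("no IPv6 default route (::/0)")
    # IPv4 'access-list' lines never match IPv6 traffic; an 'ipv6 access-list'
    # only takes effect once 'access-group' attaches it to an interface.
    v6_acls = set(re.findall(r"^ipv6 access-list (\S+) ", config, re.M))
    bound = set(re.findall(r"^access-group (\S+) (?:in|out) interface \S+", config, re.M))
    if not v6_acls:
        findings.append("no ipv6 access-list entries")
    for acl in sorted(v6_acls - bound):
        findings.append(f"ipv6 access-list {acl}: not applied by any access-group")
    replies = re.findall(
        r"^ipv6 access-list (\S+) (?:line \d+ )?permit icmp6 .*echo-reply$", config, re.M)
    if not any(acl in bound for acl in replies):
        findings.append("no applied ipv6 access-list permits icmp6 echo-reply")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_ipv6(SAMPLE_CONFIG)))
```

On the constructed sample it reports the inside interface without an IPv6 address and an IPv6 list that exists but is never applied, a state in which IPv4 pings pass while IPv6 pings from inside get no reply.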
 
I have IPv6 route outside installed. I can ping and perform IPv6 transactions like ping, traceroute commands from the Pix without any problems. So, I know the IPv6 route works, but from the inside interface, I cannot process any packets.

I am at this point thinking I have an access-list issue. I just don't know what it could be.

If you have an ASA, I would appreciate seeing an example of what works for IPv6 when it comes to access-lists.

I don't really know what is different from that vs the ASA in this regard except for more processes are in the GUI..

 
This is an old message, but I am still wondering if someone out there has a Pix 525/535 and if someone can give me a sample IPv6 access list in order to route IPv6 packets from the outside interface to the inside interface.

Thanks
 