IPv6 ACL doesn't accept /128 prefix?

Similar Messages

• IPv6 ACLs for ZBFW with changing IPv6 prefix?

  Hi all
  Is there a trick to keep IPv6 ACLs for ZBFW working when the IPv6 prefix will change ?
  Background:
  6RD based residential internet access.
  Provider has a /28 6RD-Prefix, and will append the whole 32bits of the DHCP assigned public IPv4 address, leaving a /60 to use at home. Inside should be subnet 0, DMZ should be subnet 1 from that /60.
  A few of my DMZ IPv6 hosts should be reachable from the outside world on specific udp/tcp ports, without having to open the whole DMZ subnet towards the IPv6 internet.
  No big deal, one would think...
  zone security Z-INTERNET
   description * the outside world *
  zone security Z-DMZ
  zone security Z-OUTSIDE
  zone-pair security ZP-OUTSIDE-TO-DMZ source Z-OUTSIDE destination Z-DMZ
   service-policy type inspect PMAP-INBOUND-TRAFFIC
  policy-map type inspect PMAP-INBOUND-TRAFFIC
   class type inspect CMAP-IN-TRACE-TRAFFIC
    pass
   class type inspect CMAP-IN-INSPECT-TRAFFIC
    inspect 
   class class-default
    drop log
  class-map type inspect match-any CMAP-IN-TRACE-TRAFFIC
   match access-group name ACLv6-ICMP-UNREACH   <-- some ICMP listed in this ACL, irrelevant here
  class-map type inspect match-any CMAP-IN-INSPECT-TRAFFIC
   match access-group name ACLv6-INBOUND-TRAFFIC 
  Now.. what would I put into ACLv6-INBOUND-TRAFFIC? Manually setting...
  ipv6 access-list ACLv6-INBOUND-TRAFFIC
   sequence 10 permit tcp any host <MYcurrent6RDPREFIX>1::<$MYHOSTID> eq http
  ... works well, until MY6currentRDPREFIX becomes MYnew6RDPREFIX. It does so seldomly, but it does, especially after outages.
  For adressing (and re-adressing) the DMZ interface, "ipv6 general prefix MY6RDPREFIX 6rd tunnel6" helps a lot and it works pretty well.
  However, one cannot seem to make use of "ipv6 general prefix" in an ipv6 ACL, neither as source nor destination (and neither when defining a stateful DHCPv6 server, for that matter).
  router6rd(config-ipv6-acl)#permit ip any ?
    X:X:X:X::X/<0-128>  IPv6 destination prefix x:x::y/<z>
    any                 Any destination prefix
    host                A single destination host
  router6rd(config-ipv6-acl)#
  D'oh. What now?
  I do know that scanning the whole /64 would take aeons to complete, but I would like to use predetermined addresses with SLAAC and stateless DHCPv6 (with the help of http://man7.org/linux/man-pages/man8/ip-token.8.html).
  Opening the entire subnet makes me cringe, even more since these hosts are bound to be in some public DNS as well. For that matter, it becomes largely irrelevant if the Host-ID comes from ip-token, EUI-64, RFC7217 or privacy extensions (allright, the latter wouldn't quite apply here, I know.)
  Am I caught in the "IPv6 is like IPv4 but with longer addresses" trap? Should I just do away with my wish to have only the given DMZ servers reachable, and open up the entire subnet? 
  Or: Is there a completely different way of doing ZBFW things in IPv6 that I didn't think of?
  thanks for your thoughts and ideas.
  Marc

  Hi all
  Is there a trick to keep IPv6 ACLs for ZBFW working when the IPv6 prefix will change ?
  Background:
  6RD based residential internet access.
  Provider has a /28 6RD-Prefix, and will append the whole 32bits of the DHCP assigned public IPv4 address, leaving a /60 to use at home. Inside should be subnet 0, DMZ should be subnet 1 from that /60.
  A few of my DMZ IPv6 hosts should be reachable from the outside world on specific udp/tcp ports, without having to open the whole DMZ subnet towards the IPv6 internet.
  No big deal, one would think...
  zone security Z-INTERNET
   description * the outside world *
  zone security Z-DMZ
  zone security Z-OUTSIDE
  zone-pair security ZP-OUTSIDE-TO-DMZ source Z-OUTSIDE destination Z-DMZ
   service-policy type inspect PMAP-INBOUND-TRAFFIC
  policy-map type inspect PMAP-INBOUND-TRAFFIC
   class type inspect CMAP-IN-TRACE-TRAFFIC
    pass
   class type inspect CMAP-IN-INSPECT-TRAFFIC
    inspect 
   class class-default
    drop log
  class-map type inspect match-any CMAP-IN-TRACE-TRAFFIC
   match access-group name ACLv6-ICMP-UNREACH   <-- some ICMP listed in this ACL, irrelevant here
  class-map type inspect match-any CMAP-IN-INSPECT-TRAFFIC
   match access-group name ACLv6-INBOUND-TRAFFIC 
  Now.. what would I put into ACLv6-INBOUND-TRAFFIC? Manually setting...
  ipv6 access-list ACLv6-INBOUND-TRAFFIC
   sequence 10 permit tcp any host <MYcurrent6RDPREFIX>1::<$MYHOSTID> eq http
  ... works well, until MY6currentRDPREFIX becomes MYnew6RDPREFIX. It does so seldomly, but it does, especially after outages.
  For adressing (and re-adressing) the DMZ interface, "ipv6 general prefix MY6RDPREFIX 6rd tunnel6" helps a lot and it works pretty well.
  However, one cannot seem to make use of "ipv6 general prefix" in an ipv6 ACL, neither as source nor destination (and neither when defining a stateful DHCPv6 server, for that matter).
  router6rd(config-ipv6-acl)#permit ip any ?
    X:X:X:X::X/<0-128>  IPv6 destination prefix x:x::y/<z>
    any                 Any destination prefix
    host                A single destination host
  router6rd(config-ipv6-acl)#
  D'oh. What now?
  I do know that scanning the whole /64 would take aeons to complete, but I would like to use predetermined addresses with SLAAC and stateless DHCPv6 (with the help of http://man7.org/linux/man-pages/man8/ip-token.8.html).
  Opening the entire subnet makes me cringe, even more since these hosts are bound to be in some public DNS as well. For that matter, it becomes largely irrelevant if the Host-ID comes from ip-token, EUI-64, RFC7217 or privacy extensions (allright, the latter wouldn't quite apply here, I know.)
  Am I caught in the "IPv6 is like IPv4 but with longer addresses" trap? Should I just do away with my wish to have only the given DMZ servers reachable, and open up the entire subnet? 
  Or: Is there a completely different way of doing ZBFW things in IPv6 that I didn't think of?
  thanks for your thoughts and ideas.
  Marc

• Best practice for IPv6 ACL on 6500

  Hi,
  I am trying to implement IPv6 ACL on Cisco 6500.
  Any suggestion for the example of the good IPv6 ACL for 6500 would be appreciated.
  Thank you
  Salja

  Salja,
  Example of config can be found here:
  http://www.cisco.com/c/en/us/td/docs/security/fwsm/fwsm31/configuration/guide/fwsm_cfg/exampl_f.html#wpxref44215
  Configuring IPv6 Access Lists
  Configuring an IPv6 access list is similar configuring an IPv4 access, but with IPv6 addresses.
  To configure an IPv6 access list, perform the following steps:
  Step 1 Create an access entry. To create an access list, use the ipv6 access-list command to create entries for the access list. There are two main forms of this command to choose from, one for creating access list entries specifically for ICMP traffic, and one to create access list entries for all other types of IP traffic.
  •To create an IPv6 access list entry specifically for ICMP traffic, enter the following command:
  hostname(config)# ipv6 access-list id [line num] {permit | deny} icmp source
  destination [icmp_type]
  •To create an IPv6 access list entry, enter the following command:
  hostname(config)# ipv6 access-list id [line num] {permit | deny} protocol source
  [src_port] destination [dst_port]
  The following describes the arguments for the ipv6 access-list command:
  •id—The name of the access list. Use the same id in each command when you are entering multiple entries for an access list.
  •line num—When adding an entry to an access list, you can specify the line number in the list where the entry should appear.
  •permit | deny—Determines whether the specified traffic is blocked or allowed to pass.
  •icmp—Indicates that the access list entry applies to ICMP traffic.
  •protocol—Specifies the traffic being controlled by the access list entry. This can be the name (ip, tcp, or udp) or number (1-254) of an IP protocol. Alternatively, you can specify a protocol object group using object-group grp_id.
  •source and destination—Specifies the source or destination of the traffic. The source or destination can be an IPv6 prefix, in the format prefix/length, to indicate a range of addresses, the keyword any, to specify any address, or a specific host designated by host host_ipv6_addr.
  •src_port and dst_port—The source and destination port (or service) argument. Enter an operator (lt for less than, gt for greater than, eq for equal to,neq for not equal to, or range for an inclusive range) followed by a space and a port number (or two port numbers separated by a space for the rangekeyword).
  •icmp_type—Specifies the ICMP message type being filtered by the access rule. The value can be a valid ICMP type number (from 0 to 155) or one of the ICMP type literals as shown in "Addresses, Protocols, and Ports". Alternatively, you can specify an ICMP object group using object-group id.
  Step 2 To apply the access list to an interface, enter the following command:
  hostname(config)# access-group access_list_name {in | out} interface if_name
  HTH
  Regards
  Inayath

• IPv6 ACL masks

                     Can you mask random bits in the IPv6 address in an IPv6 ACL?  from the documentation it looked like only the /network boundary was allowed. 

  Hi,
  as far as i know it's not possible as we don't use inverse masks like in IPv4 ACLs but the prefix-lenghts.
  Regards.
  Alain
  Don't forget to rate helpful posts.

• Trying to drag pdf files i have and combine them into one pdf file in the account i just purchased with Adobe. when i drag a pdf file over Adobe doesn't accept it. says it can not convert this type of file. but it is an Adobe file. Do I need to change it?

  Trying to drag pdf files i have and combine them into one pdf file in the account i just purchased with Adobe. when i drag a pdf file over Adobe doesn't accept it. says it can not convert this type of file. but it is an Adobe file. Do I need to change it in some other form befor dragging it?

  Hello djensen1x,
  Could you please let me know what version of Acrobat are you using.
  Also, tell me your workflow of combining those PDF files?
  Please share the screenshot of the error message that you get.
  Hope to get your response.
  Regards,
  Anubha

• Downloading apps it asks for apple ID Pass then it says "verification required". Then says Security Code required. Doesn't accept code. itunes doesn't accept code from visa card either?Please Help

  Downloading apps it asks for apple ID Pass then it says "verification required". Then says Security Code required. Doesn't accept code. itunes doesn't accept code from visa card either?Please Help

  If it is trying to verify your payment info, I would be willing to guess that it is looking for the security code for your credit card. Did you credit card just get replaced lately or the expiration date change? When is the last time that you updated your payment information in iTunes?

• HT3702 Hi there, can somebody help me in showing me how to reset my credit card information on iTunes Store as I have the credit card and it seems like the system doesn't accept my new card.

  Good day, can someone show how to update a new credit card on iTunes Store as I have changed my credit card. It seems like the system doesn't accept the new infos but when investigated with apple store staff members, they said I had a previous purchase to complete for the payment in order to update my new infos. Does Apple have authorization credit card form? So that I can authorize them to finalize the previous purchase payment with a new card.

  iTunes Store Support
  http://www.apple.com/emea/support/itunes/contact.html
  You may want to try gift cards as an alternative.

• I enable voice over settings on my Ipod Touch 5th gen. I can't disable it anymore. I off my ipod and now i can't open it. It doesn't accept my password. I can't open it anymore.

  Please help me. I can't open my Ipod touch. I enable voice over settings on my Ipod Touch 5th gen. I can't disable it anymore. I off my ipod and now i can't open it. It doesn't accept my password. I can't open it anymore. Thanks!

  Triple click the home button and try going to Settings>General>Accessibility and turn VoiceOver off. You may have to use three fingers to scroll the screen to get there. If problems see:
  iPhone: Configuring accessibility features (including VoiceOver and Zoom)

• How to install adobe reader if it doesn't accept my password?

  how to install adobe reader if it doesn't accept my password?

  To install Adobe Reader (and most other programs) you need your computer's Administrator password.

• Hello. I would like to activate my CS3 Educational Program (version 2007) on my new computer. Unfortunatly he is not accepting my serial number. What can I do? I have delated the program on my old computer but it doesn't accept the activation on the new l

  Hello. I would like to activate my CS3 Educational Program (version 2007) on my new computer. Unfortunatly he is not accepting my serial number. What can I do? I have delated the program on my old computer but it doesn't accept the activation on the new laptop.

  Make sure you are using the  correct serial number.  Find your serial number quickly
  If you did not deactivate the original installation then it is possible your two allowed activations have been used and you need to reset your activation count.  To do that you need to contact Adobe Support thru chat and ask them to reset your activations.  If you ask for more than that they will tell you they cannot offer you any support.
  For the link below click the Still Need Help? option in the blue area at the bottom and choose the chat option...
  Serial number and activation chat support (non-CC)
  http://helpx.adobe.com/x-productkb/global/service1.html ( http://adobe.ly/1aYjbSC )

• IPHONE 4 DOESN'T ACCEPT WIFI PASSWORDS ANYMORE - PLEASE HELP!

  Hi all,
  My iPhone 4 out of blue decided not to accept the wifi password- it says "wrong password for xxx network" - it's my home one it always worked-
  I was away and worked fine for a week in others houses (where the password was stored already) went to other house, tried to connect with passwprd and started saying the pw was wrong - got home last night and didn't connect right away as usual(maybe because I've reset the network when away) so I've put the pw in and again says it's wrong - Of course the password is correct - laptop works fine and iPod touch as well - At work there is a non protected wifi and it connects fine - So looks like the iPhone doesn't accept passwprds for the wifi
  I've tryed to reset the network few times, reboot it few times, reset all settings and update the sofware (version 5.0.1) - nothing worked - aw also unpluged and re-pluged the router at home (knowiing wouldn't' help)
  PLEASE help, very frustrating - I've seen few people had the same issue but nothing worked.
  Thanks

  You're welcome.
  Incorrect. The passcode lock is not included with the backup. The restrictions passcode is, but not the passcode lock. If it were included with the backup, you would need to restore as a new device or not from the backup. Either way, you must restore with iTunes which is the only way around a forgotten passcode.

• E-mail looses all images if mail server doesn't accept outgoing email...

  I open some web page in Safari, press Command+i, new email message is created and all web page content is inserted in the email message, including all images. Nice! I enter email address and send email.
  If for some reason outgling mailserver doesn't accept my outgoing email, the same email is shown again to let me choose another outgoing mail server.
  BUT - at this time all images in the email body are gone! Instead of the images I see blue rectangles with the white question marks on them. And if I proceed and send such email via another email server, recipients get email from me without pictures embedded in the email.
  Can Apple fix this bug? It's really annoying, because quite often outgoing mail server of my ISP is not accepting my outgoing emails and I cannot resend email through another mail server, because images are already lost - I have to delete email, switch back to Safari, again Command+i, again enter email address and then change email account and then try to send again...

  Posting this here is a good idea if you’re looking for possible solutions/workarounds, but if all you want is to let Apple know so that it’s fixed, you’d better do it in one of the following places:
  http://www.apple.com/macosx/feedback/
  http://developer.apple.com/bugreporter/

• Mail continually asks for Password, Safari doesn't accept

  I update today to Safari Version 5.0.2 (5533.18.5). After I did this I have not been able to access my university e-mail either through Mail or a web based access in Safari. Mail continually asks for my password, and Safari doesn't accept it. All my mail settings are correct. Firefox will not allow me to access e-mail through the web either.
  I am desperate, can someone help me?

  Nobody can tell you anything without proper system info or other technical details.
  Mylenium

• Again Help me.When I try install Adobe Creative Suite 6 Design&Web Premium (education Edition) to my laptop it doesn't accept the serial number?

  One year ago I install that Adobe Creative Suite 6 Design&Web Premium (education Edition) to my table desktop and it works fine,
  but now I want install that to my laptop and I haven't installed it on any other but it doesn't accept the serial number?
  What  can I do? can I have another serial number? Or what?
  sari

  if you purchased from or registered with adobe, you may be able to retrieve your serial numbers by checking the account used to buy/register, Adobe ID
  or if you have your disc box and documents, Find your serial number quickly
  or if your cs6 is currently installed on a pc, Belarc Advisor - Free Personal PC Audit, for software, hardware and security configuration information on your computer.…

• After downloading the latest version I have been asked to login with my password but it doesn´t accept it or a new one !

  I updated my TB to the latest version and now when I open it up it asks me to login with my password but it doesn´t accept it.

  http://kb.mozillazine.org/Password_rejected