IPv6 traffic inspection on AIP SSM20

Hi fellas!
I'm a little confused. It says that for the ASA AIP SSM-20 it has ipv6 support. Yet when I look for how to do it, it says that the ASA's Modular Policy Framework does not support ipv6. Any bright ideas on this one?
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807335ca.shtml
Sent from Cisco Technical Support iPad App

ooooo boy. I might just need to raise a query case for this. There's gonna be a meeting on how to proceed with ipv6 implementation soon and I need to know if this baby can really dance to ipv6's tune.

Similar Messages

  • Custom service traffic inspection

    Hi,
    I need to do custom service traffic inspection for a SQL server on the inside interface that communicates with a server on the DMZ interface.
    I need INSIDE users to access (http/https and another site on port 100) my web server (DMZ), which has a service that accesses the SQL server to authenticate on port tcp 1433, and the SQL server responds on a dynamic port.
    How can I inspect this traffic while maintaining the default inspection on the inside interface?
    Kind Regards,
    AS

    Hi,
    You say that the following happen in your case
    Internal host contacts DMZ server
    DMZ server initiates connection to Internal server
    Internal server initiates connection to DMZ server
    I can't comment much on how the actual Web server and SQL server operate but the connections formed between them should be possible by simply making sure that the ACLs allow the traffic and there is nothing else preventing these connections from forming on the firewall.
    I am not sure though why the Web server forms a connection to the SQL server and then the SQL server opens a new connection to the Web server?
    What is the device you are using as a firewall? Is it a Cisco ASA5505 perhaps? On an ASA5505 having only the Base License would mean that you would be allowed to have only 3 VLANs, one of which would be limited from connecting to one of the 2 other VLANs with the command "no forward interface interface Vlanx".
    If you are using an ASA5505 then the above might be preventing the DMZ from contacting the internal network. It's a bit far-fetched, but I thought I'd point it out.
    I don't think you can use the MPF on the ASA to affect what is allowed between your 2 different network segments. To my understanding it is used to modify already allowed connections, like changing timeouts and connection limits.
    If you have problems with connectivity between different ASA firewall interfaces, I would suggest first opening up the ASDM monitoring view with an appropriate logging level, then attempting these connections and seeing what is failing according to the logs.
    - Jouni

  • Best way to pass IPv4 and IPv6 traffic over a GRE Tunnel

    Hello,
    We have two 3825 routers with Advanced Enterprise IOS 12.4.9(T). Each of them serves many IPv4 (private and public) and IPv6 networks on their respective site.
    We have created a wireless link between the two, using 4 wireless devices, with IP Addresses 10.10.2.2, 3, 4, 5 respectively (1 and 6 are the two end Ethernet interfaces on the routers).
    Then we created a GRE tunnel over this link using addresses 172.16.1.1 and 2 (for the two ends) to route traffic over this link.
    Now we want to route IPv6 traffic over the same link. However, we found that simply routing the IPv6 traffic over the above GRE / IP tunnel did not work.
    Questions:
    Is there a way we can use the same (GRE / IP) tunnel to transport both IPv4 and IPv6 traffic?
    If not, can we set up two GRE tunnels over the same wireless link, that is, one GRE / IP for IPv4 traffic and a second one GRE / IPv6 for IPv6 traffic?
    In brief, what is the suggested way to transport IPv4 and IPv6 traffic over the aforementioned (wireless) link?
    I have read http://www.cisco.com/c/en/us/td/docs/ios/12_4/interface/configuration/guide/inb_tun.html#wp1061361 and other Internet material, however I am still confused.
    Please help.
    Thanks in advance,
    Nick

    We have set up two tunnels over the same link, one GRE / IP for the IPv4 traffic and one IPv6 / IP ("manual") for the IPv6 traffic. This setup seems to be working OK.
    If there are other suggestions, please advise.
    Thanks,
    Nick

  • IPv4/ IPV6 Traffic Discrimination and Monitoring

    Hi Guys
    I would appreciate a lot your experiences and best practices about operating and monitoring dual stack networks in Service Provider environments. Currently we're working in a 6VPE model for Internet customers in order to provide dual stack services, but we are looking for a way that allows us to discriminate and monitor both the IPv4 and IPv6 traffic separately.
    Could anyone share their experiences, and how were these addressed?
    What kind of monitoring tools have you used?
    What did you do in order to guarantee a reliable monitoring strategy?
    I will appreciate your support a lot.
    Marcelo

    Hi Russell,
    I'm in the process of writing a program to do this as I've not seen anything that provides this function available.
    For your wired network you should have an inventory of assets containing at least MAC addresses and the user who owns the device.
    On your wireless networks you will probably be using SLAAC and I guess you must be using 802.1x in which case you will be able to identify users to MAC addresses.
    Essentially you need to periodically gather (less than the age timer) the IPv6 neighbour table from your core switches (or any edge etc, if it routes); this will give you the GUA and ULA against the MAC address. If you are using any type of authentication, parse those logs for usernames and MAC addresses.
    Stir it all together in a database and you should have timestamp, IPv6 address, MAC and user.
    cheers,
    Seb.
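
The correlation Seb describes, as an added example in Python (not Seb's program and not a Cisco tool): it parses a constructed `show ipv6 neighbors` listing, classifies each address as GUA, ULA or link-local, normalises MAC addresses from the dotted switch format and the dashed format of a hypothetical 802.1X accounting log, and joins the two on the MAC. Entries older than the poll interval are dropped, which is the "less than the age timer" point above. The log format, the `max_age` value and the snapshot timestamp are assumptions made for the example.

```python
import re
import ipaddress

# Constructed sample of IOS-style 'show ipv6 neighbors' output (not real data).
NEIGHBOR_TABLE = """\
IPv6 Address                              Age Link-layer Addr State Interface
2001:DB8:1::1A2B                            0 0050.56ab.1234  REACH Vl10
FD00:10::1A2B                               3 0050.56ab.1234  STALE Vl10
FE80::250:56FF:FEAB:1234                    0 0050.56ab.1234  REACH Vl10
2001:DB8:1::CAFE                           12 0011.2233.4455  STALE Vl20
"""

# Constructed 802.1X / RADIUS accounting lines in a hypothetical key=value format.
AUTH_LOG = [
    "2014-03-10T08:15:02Z user=alice mac=00-50-56-AB-12-34 result=accept",
    "2014-03-10T08:16:40Z user=bob mac=00-11-22-33-44-55 result=reject",
]

NEIGHBOR_RE = re.compile(
    r"^(?P<addr>[0-9A-Fa-f:]+)\s+(?P<age>\d+|-)\s+(?P<mac>[0-9A-Fa-f.]{14})\s+"
    r"(?P<state>[A-Z]+)\s+(?P<intf>\S+)"
)
AUTH_RE = re.compile(
    r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+mac=(?P<mac>\S+)\s+result=(?P<result>\S+)"
)


def normalize_mac(raw):
    """Canonical lower-case colon form from dotted (0050.56ab.1234), dashed or colon input."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(hexdigits) != 12:
        raise ValueError("bad MAC: %r" % raw)
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def classify(addr):
    """Scope of an IPv6 address: link-local, ULA (fc00::/7), GUA (2000::/3) or other."""
    ip = ipaddress.IPv6Address(addr)
    if ip.is_link_local:
        return "link-local"
    if ip in ipaddress.IPv6Network("fc00::/7"):
        return "ULA"
    if ip in ipaddress.IPv6Network("2000::/3"):
        return "GUA"
    return "other"


def parse_neighbor_table(text):
    """Rows of the neighbour table; the header and anything unparsable are skipped."""
    rows = []
    for line in text.splitlines():
        m = NEIGHBOR_RE.match(line.strip())
        if not m:
            continue
        age = m.group("age")
        rows.append({
            "addr": str(ipaddress.IPv6Address(m.group("addr"))),  # compressed, lower-case
            "scope": classify(m.group("addr")),
            "age": None if age == "-" else int(age),
            "mac": normalize_mac(m.group("mac")),
            "state": m.group("state"),
            "intf": m.group("intf"),
        })
    return rows


def parse_auth_log(lines):
    """MAC -> user map built from accepted authentications only."""
    users = {}
    for line in lines:
        m = AUTH_RE.match(line)
        if m and m.group("result") == "accept":
            users[normalize_mac(m.group("mac"))] = m.group("user")
    return users


def correlate(neighbor_text, auth_lines, snapshot_ts, max_age=5):
    """Join fresh, routable neighbour entries with the MAC -> user map.

    snapshot_ts is the time the table was collected; max_age (minutes, assumed)
    should be below the switch's neighbour age timer so stale entries are ignored.
    """
    users = parse_auth_log(auth_lines)
    records = []
    for row in parse_neighbor_table(neighbor_text):
        if row["scope"] == "link-local":
            continue  # not routable; GUA/ULA are what you want to attribute
        if row["age"] is not None and row["age"] > max_age:
            continue  # older than the poll interval
        records.append({
            "ts": snapshot_ts,
            "ipv6": row["addr"],
            "mac": row["mac"],
            "user": users.get(row["mac"]),  # None when no authentication matched
            "scope": row["scope"],
        })
    return records


if __name__ == "__main__":
    for rec in correlate(NEIGHBOR_TABLE, AUTH_LOG, "2014-03-10T08:20:00Z"):
        print(rec)
```

Each record is what would go into the database row Seb describes; a `user` of `None` is worth alerting on, since it means an address appeared on the segment with no matching authentication.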

  • Does IPv6 traffic "pass-through" or "drop" by cisco waas?

    Since Cisco WAAS does not yet support IPv6, if I am running IPv4 and IPv6 dual stack mode on the same circuit, does IPv6 traffic get dropped by the WAAS, or does WAAS put IPv6 traffic in "pass-through" mode and let it go? I am thinking WAAS will treat IPv6 as non-IP traffic and will let it go. Am I right?

    Hi Joe and Kanwai,
    One note though - if you're running WCCP as the redirection mode, you won't get the IPv6 traffic redirected, as WCCP does NOT support IPv6. Hence you won't see IPv6 traffic at all on the WAAS device.
    Best Regards
    Finn Poulsen

  • Receive IPv6 traffic - kernel panic?

    I configured an IPv4 -> IPv6 tunnel on my firewall via he.net and set my default route for inet6 traffic to the remote side. Then I got a /64 network assigned from he.net and IP'd my internal network, including my MacBook Pro running OS X 10.4.8.
    I can do a traceroute6 from my Mac to external sites just fine. It uses the IPv6 tunnel exactly as expected (I set my default route for IPv6 on my Mac to be the IPv6 address of the internal interface of my firewall). When I tried to use an external site to do a traceroute6 back to my Mac, it panicked!
    Perhaps there is some problem with the Intel version of the Yukon driver (Marvell Yukon gigabit ethernet)? Has anyone else had kernel panics when on the receiving end of inbound IPv6 traffic (that wasn't in response to an outbound connection)?
    Here's the crash report:
    panic(cpu 0 caller 0x0035BEAC): freeing free mbuf
    Backtrace, Format - Frame : Return Address (4 potential args on stack)
    0x251e3db8 : 0x128d1f (0x3c9540 0x251e3ddc 0x131df4 0x0)
    0x251e3df8 : 0x35beac (0x3e9c7c 0x1dfba 0x87c4b9fe 0x1dfba)
    0x251e3e38 : 0x7314a4 (0x36e07600 0x0 0x251e3e68 0x1a1ec0)
    0x251e3e58 : 0xa6d454 (0x237f1000 0x36e07600 0x0 0x2)
    0x251e3e88 : 0xa6bad0 (0x237f1000 0x36e07600 0x0 0x38dbc80)
    0x251e3ea8 : 0xa6ed7c (0x237f1000 0x0 0x1000000 0x133b25)
    0x251e3f08 : 0x398a1f (0x237f1000 0x38dbc80 0x1 0x37b5d08)
    0x251e3f58 : 0x397bf1 (0x38dbc80 0x135ec3 0x0 0x37b5d08)
    0x251e3f88 : 0x397927 (0x38d7480 0x0 0xee6b280 0x13869f)
    0x251e3fc8 : 0x19a74c (0x38d7480 0x0 0x4 0x4eae6b8) Backtrace terminated-invalid frame pointer 0x0
    Kernel loadable modules in backtrace (with dependencies):
    com.apple.iokit.AppleYukon(1.0.7b3)@0xa69000
    dependency: com.apple.iokit.IONetworkingFamily(1.5.1)@0x72a000
    dependency: com.apple.iokit.IOPCIFamily(2.1)@0x5ee000
    com.apple.iokit.IONetworkingFamily(1.5.1)@0x72a000
    Kernel version:
    Darwin Kernel Version 8.8.1: Mon Sep 25 19:42:00 PDT 2006; root:xnu-792.13.8.obj~1/RELEASE_I386
    Model: MacBookPro1,1, BootROM MBP11.0055.B08, 2 processors, Intel Core Duo, 2.16 GHz, 2 GB
    Graphics: ATI Radeon X1600, ATY,RadeonX1600, PCIe, 256 MB
    Memory Module: BANK 0/DIMM0, 1 GB, DDR2 SDRAM, 667 MHz
    Memory Module: BANK 1/DIMM1, 1 GB, DDR2 SDRAM, 667 MHz
    AirPort: spairportwireless_card_type_airportextreme (0x168C, 0x86), 0.1.27
    Bluetooth: Version 1.7.9f12, 2 service, 0 devices, 1 incoming serial ports
    Network Service: Built-in Ethernet, Ethernet, en0
    Network Service: AirPort, AirPort, en1
    Serial ATA Device: ST910021AS, 93.16 GB
    Parallel ATA Device: MATSHITADVD-R UJ-857
    USB Device: Built-in iSight, Micron, Up to 480 Mb/sec, 500 mA
    USB Device: Apple Internal Keyboard / Trackpad, Apple Computer, Up to 12 Mb/sec, 500 mA
    USB Device: IR Receiver, Apple Computer, Inc., Up to 12 Mb/sec, 500 mA
    USB Device: Bluetooth HCI, Up to 12 Mb/sec, 500 mA

    MTU on the Ethernet interfaces of the Mac and on the inside of the firewall are both 1500 (normal). My switch is only FE so the Mac's NIC auto-neg'd to 100/full. The MTU of the 4->6 tunnel is 1280. I believe that's because of the encapsulation overhead (it has to send the IPv6 packets inside IPv4 packets).
    In any case, it's not using Jumbo Frames (I don't think the switch even supports them).
    I was thinking it might be a problem with the longer address and endianness. For instance, maybe on the Intel platform they did a quick patch to make the address pointer move over a fixed 4 bytes, then read backwards by the length of the address. That would work fine for 4 byte (i.e. IPv4) addresses, but on 16 byte (IPv6) addresses it would go horribly wrong (shift 4 bytes, then read backwards 16 bytes, uh oh!).
    Apparently it only affects some of the code paths, because I can send out IPv6 packets and accept the responses. It was only when I received an unsolicited IPv6 packet that it panicked.
    It's all just a wild guess anyway. I would like to experiment with it a little more, but I really don't feel like causing multiple kernel panics and possibly corrupting my file system from the resulting hard resets.

  • How to copy Event store in AIP-ssm20 to TFTP

    Hi,
    I can see all the logs stored in the Cisco IPS module AIP-SSM20.
    How can I take a backup of these logs to TFTP/FTP?
    Is there any method to export these logs to an external location such as a TFTP or FTP server?
    Regards,
    Prashant

    Hi,
    You can use IME or send the events via SDEE to an external server.
    https://supportforums.cisco.com/docs/DOC-12515
    HTH
    Luis Silva
    "If you need PDI (Planning, Design, Implement) assistance feel free to reach"
    http://www.cisco.com/web/partners/tools/pdihd.html

  • Does the iPhone support IPv6 traffic for iCloud?

    Hi Everybody,
    Does the iPhone support IPv6 traffic for the iCloud application?

    ckuan
    The question was whether iPhones support the IPv6 protocol. Why would it matter if the network supports IPv4, IPv6, dual stack or any other protocol? The straight answer is NO, it does not as of today (whether the users have to worry about it or not is irrelevant imho).
    regards, sajith
    http://www.kaimals.com/

  • Does FaceTime support IPv6 traffic?

    Since all ISPs have started IPv6 deployment, I just wanted to know whether FaceTime supports IPv6 traffic?


  • Does IPv6 traffic support enabled for icloud?

    Hi Everybody,
    Since all ISPs have started IPv6 deployment, I just wanted to know whether IPv6 traffic support is enabled for the iCloud application?

    Apple does not support the 3rd party drives.  To enable it (without installing another software package), you can visit the website:
    http://digitaldj.net/2011/07/21/trim-enabler-for-lion/
    I ran the series of commands on my Mac Pro and it did enable TRIM.
    the webpage even has a backup/back-out procedure.
    Without TRIM, my computer was running extremely slowly. After enabling TRIM, my computer ran substantially faster.

  • Blocking all ipv6 traffic

    Good morning - I have an issue that has happened twice, and I need some advice. I have a 4506 running version 12.2(46)SG. We recently encountered an issue where I BELIEVE the cause to be IPv6 sending out a broadcast storm, which completely flooded the core switch - bad enough that I couldn't even console into the device. After removing all connections that were plugged in when the switch went down, everything came back up, and we found that it was a laptop with IPv6 enabled - exactly the same scenario as last time. What we found after the first incident was that a faulty NIC driver caused the IPv6 broadcast storm.
    At any rate, as we do not use IPv6 for anything at all, I want to block all IPv6 traffic. I know there are different ways to do it, but I'm reaching out to see what ideas you may have also...
    Thx in advance for any input!

    Joel,
    If VACLs with IPv6 ACLs are supported on your platform then I would probably use VACLs, as they allow a filter to be applied flatly to the entire VLAN. Your other option would be to configure per-port ACLs, which is cumbersome and bloats the configuration unnecessarily.
    With IPv6 ACLs, be sure to block ICMPv6 explicitly. As far as I remember, some ICMPv6 messages are allowed even if they are not explicitly permitted in the ACL (usually the RD and ND messaging).
    If your platform allowed filtering all incoming packets by MAC ACLs, yet another way would be to use VACLs with MAC ACLs, blocking all traffic with the EtherType of 0x86DD. However, newer platforms apply MAC ACLs only to non-IP traffic, so they would have no effect on frames carrying IPv6 packets. You need to consult the documentation for your device.
    In any case, VACLs would be my personal preferred choice at this point.
    Best regards,
    Peter
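
An added Python example (not Peter's or Cisco's code) that makes the two points above concrete from the monitoring side: it parses constructed Ethernet frames, decides whether a frame carries EtherType 0x86DD the way a MAC VACL keyed on that EtherType would, and picks out the ICMPv6 type so that Router Advertisements (type 134, the ND message most often behind a flood like Joel's) can be counted per source MAC. The frames, the source MACs and the storm threshold are all constructed for the example; the ICMPv6 checksums are left at zero because nothing here transmits.

```python
import struct
from collections import Counter

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV6 = 0x86DD
NEXT_HEADER_ICMPV6 = 58
ND_TYPES = {133: "RS", 134: "RA", 135: "NS", 136: "NA", 137: "Redirect"}
ICMPV6_RA = 134


def mac_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))


def fmt_mac(raw):
    return ":".join("%02x" % b for b in raw)


def build_frame(src_mac, dst_mac, ethertype, payload):
    """Ethernet II frame: dst(6) src(6) ethertype(2) payload."""
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ethertype) + payload


def build_icmpv6_frame(src_mac, icmp_type, hop_limit=255):
    """Constructed IPv6 + ICMPv6 frame from fe80::/64 to ff02::1 (all-nodes)."""
    icmp = struct.pack("!BBH", icmp_type, 0, 0) + b"\x00" * 4  # type, code, checksum=0, body
    src_ip = b"\xfe\x80" + b"\x00" * 14
    dst_ip = b"\xff\x02" + b"\x00" * 13 + b"\x01"
    # version 6 / traffic class 0 / flow label 0, payload length, next header, hop limit
    ipv6 = struct.pack("!IHBB", 0x60000000, len(icmp), NEXT_HEADER_ICMPV6, hop_limit) + src_ip + dst_ip
    return build_frame(src_mac, "33:33:00:00:00:01", ETHERTYPE_IPV6, ipv6 + icmp)


def parse_frame(frame):
    """Source MAC, EtherType and (for plain IPv6+ICMPv6) hop limit and ICMPv6 type.

    Returns None for frames shorter than an Ethernet header. Extension headers
    between the IPv6 header and ICMPv6 are not walked, so such packets report
    icmpv6_type None; a production filter has to handle that case explicitly.
    """
    if len(frame) < 14:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    info = {"src_mac": fmt_mac(frame[6:12]), "ethertype": ethertype,
            "hop_limit": None, "icmpv6_type": None}
    if ethertype == ETHERTYPE_IPV6 and len(frame) >= 54 and (frame[14] >> 4) == 6:
        next_header, info["hop_limit"] = frame[20], frame[21]
        if next_header == NEXT_HEADER_ICMPV6 and len(frame) >= 55:
            info["icmpv6_type"] = frame[54]
    return info


def matches_ipv6_vacl(frame):
    """True if a MAC VACL dropping EtherType 0x86DD would match this frame."""
    info = parse_frame(frame)
    return info is not None and info["ethertype"] == ETHERTYPE_IPV6


def ra_counts(frames):
    """Router Advertisements seen per source MAC."""
    counts = Counter()
    for frame in frames:
        info = parse_frame(frame)
        if info and info["icmpv6_type"] == ICMPV6_RA:
            counts[info["src_mac"]] += 1
    return counts


def find_ra_storm_sources(frames, threshold):
    """Source MACs that sent more than `threshold` RAs in the sample (the storm candidates)."""
    return sorted(mac for mac, n in ra_counts(frames).items() if n > threshold)


# Constructed capture: one host flooding RAs, one well-behaved host, plus ARP and IPv4.
SAMPLE_FRAMES = (
    [build_icmpv6_frame("00:1b:21:aa:bb:cc", ICMPV6_RA) for _ in range(50)]
    + [build_icmpv6_frame("00:50:56:ab:12:34", ICMPV6_RA),
       build_icmpv6_frame("00:50:56:ab:12:34", 135)]
    + [build_frame("00:50:56:ab:12:34", "ff:ff:ff:ff:ff:ff", ETHERTYPE_ARP, b"\x00" * 28),
       build_frame("00:50:56:ab:12:34", "00:00:5e:00:53:01", ETHERTYPE_IPV4, b"\x45" + b"\x00" * 19)]
)

if __name__ == "__main__":
    print("RA storm sources:", find_ra_storm_sources(SAMPLE_FRAMES, threshold=10))
    print("frames a 0x86DD VACL would drop:", sum(matches_ipv6_vacl(f) for f in SAMPLE_FRAMES))
```

The `matches_ipv6_vacl` check shows why the MAC-ACL approach is narrower than it looks: ARP and IPv4 frames pass untouched, and on a platform that applies MAC ACLs only to non-IP traffic the IPv6 frames pass too, which is Peter's caveat above. Counting RAs per source MAC over a span port or a capture is a quick way to find the offending NIC before the filter is in place.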

  • Assistance on the installation of an AIP-SSM20

    What information do I need to collect in order to install and configure an AIP-SSM20?

    Carlos;
      You will want to review this link for initial configuration of the AIP-SSM:
    http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_ssm.html
      The module itself will need an IP address for remote access/management, the host ASA will need a service policy to divert traffic of interest to the AIP-SSM for inspection, and you will want a valid license on the AIP-SSM so you can update the detection signatures.
    Scott

  • AIP SSM20 no alerts visible

    Dear Techies/ Experts
    I have a 5540 with an AIP SSM 20 and I have upgraded the sensor to 6.2.
    As per the Cisco doc I have sent all the IP and ICMP traffic to the AIP SSM 20.
    I kept one PC inside and one PC outside the firewall, and one PC for management of the IPS.
    I can ping from the inside PC to the outside PC and vice versa.
    I have configured the AIP SSM 20
    but I did not see any traffic coming to the AIP SSM.
    I tried with ping and telnet
    but no results; now really frustrated.
    Here is my ASA config to send traffic to the AIP SSM:
    ! the access list has to exist before the class-map references it
    access-list ips extended permit ip any any
    access-list ips extended permit icmp any any
    class-map ips
     match access-list ips
    policy-map ips
     class ips
      ! without an ips action in the class, nothing is diverted to the module
      ! (inline mode assumed here; use "ips promiscuous fail-open" for promiscuous)
      ips inline fail-open
    service-policy ips global
    HERE is the IPS config:
    sensor# configure terminal
    sensor(config)# service analysis-engine
    sensor(config-ana)#
    Step 3 Add a virtual sensor.
    sensor(config-ana)# virtual-sensor vs1
    sensor(config-ana-vir)#
    Step 4 Add a description for this virtual sensor:
    sensor(config-ana-vir)# description virtual sensor 1
    Step 5 Assign an AD policy and operational mode to this virtual sensor:
    sensor(config-ana-vir)# anomaly-detection
    sensor(config-ana-vir-ano)# anomaly-detection-name ad1
    sensor(config-ana-vir-ano)# operational-mode learn
    Step 6 Assign an event action rules policy to this virtual sensor:
    sensor(config-ana-vir-ano)# exit
    sensor(config-ana-vir)# event-action-rules rules1
    Step 7 Assign a signature definition policy to this virtual sensor:
    sensor(config-ana-vir)# signature-definition sig1
    Step 8 Assign the interface to one virtual sensor:
    sensor(config-ana-vir)# physical-interface GigabitEthernet0/1
    One last thing: I have upgraded the sensor to 6.2.
    Is that any problem?
    Experts, please shower your valuable suggestions and solutions; I badly need help, please.


  • AIP-SSM20 Operational Question

    I have my SSM20 operating in a passive, non-intrusive monitoring mode now. I am concerned that when I turn on the IPS functionality a lot of false negatives will cause my users problems. Is this a valid concern, or shouldn't I worry about this?

    It depends on the event action assigned to the signature. You should consider setting up event action filters for the events that are firing. Also within the IPS there are two ways (that I know of) in which you can disable all event actions at once or even bypass the inspection of traffic. You can do this to troubleshoot the IPS during the event that you think the IPS may be causing an issue but can't identify it at the moment.
    To disable the inspection of traffic, log into the IDM and click Configuration ---> Interface Configuration ---> Bypass ---> read the content within for instructions.
    To turn off all event actions for all signatures, simply set up an event action filter that covers all signatures 900-65535, then select all actions to subtract and apply.

  • Multicast IPv6 - Traffic Control

    Hi Guys,
    We have a Multicast IPv6 deployment, and I actually need traffic control over an interface that has EoMPLS configured; what is the best configuration for traffic control (4Mb up and 4Mb down of Multicast traffic)?
    Or which are the best practices for deployment control traffic in Multicast IPv6?
    Thx in advance!

    Hi,
    It seems you are running EoMPLS with ethernet port mode.
    You could do bandwidth management or traffic shaping on the subinterface of each PE.
    HTH
    Mohamed
