Cisco ISR zone-based firewall, dual stack: IPv6 return traffic does not match

network-engineering cisco routing router firewall cisco-ios
2022-02-27 22:38:38

I have a bit of a problem with my Cisco 1921 ISR configuration. My home lab has IPv4 (obviously) and native IPv6 connectivity. I am trying to set up a zone-based firewall. With IPv4 traffic, the return traffic matches fine and gets through (which is how I am posting this question). With IPv6, however, I only see half of the traffic: the outgoing traffic matches and is let through fine, but the return traffic inexplicably matches class-default and gets dropped. That is what I am trying to solve. I know that when doing zone-based firewall, a policy class should always match only one stack, v4 XOR v6.

Just a side note. I am doing this for my home network setup. I know having a Cisco router is not really suited to a home environment, but I like it. I enjoy being into technology and learning new things. Also, I have forgotten almost everything from my CCNA about 10 years ago. Thanks for your help.

So here is my config...

I have two zones, INTERNET and TRUSTED (there are more, of course, but for this setup I am focusing only on these two). INTERNET has a link-local fe80:: address, and the ISP routes my whole /56 to that address. Without the firewall, IPv6 works fine.

vrf definition VRF1
 !
 address-family ipv6
 exit-address-family
!
ipv6 unicast-routing
!
ipv6 cef
!
parameter-map type inspect ipv6-param-map
 ipv6 routing-header-enforcement loose
 sessions maximum 10000
class-map type inspect match-any TRUSTED-TO-INTERNET-6-CLASS
 match access-group name TRUSTED-TO-INTERNET-6-ACL
class-map type inspect match-any TRUSTED-TO-INTERNET-CLASS
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect TRUSTED-TO-INTERNET-POLICY
 class type inspect TRUSTED-TO-INTERNET-CLASS
  inspect
 class type inspect TRUSTED-TO-INTERNET-6-CLASS
  inspect ipv6-param-map
 class class-default
  drop log
!
zone security TRUSTED
zone security INTERNET
!
zone-pair security TRUSTED-TO-INTERNET source TRUSTED destination INTERNET
 service-policy type inspect TRUSTED-TO-INTERNET-POLICY
!
ipv6 access-list TRUSTED-TO-INTERNET-6-ACL
 permit ipv6 any any

Now, what actually happens:

moe#sh log
<omitted>
Feb  8 19:15:14.769: %FW-6-DROP_PKT: Dropping tcp session [2A01:<my_laptop's_ipv6>]:61984 [2A00:1450:4009:800::2004]:80 on zone-pair TRUSTED-TO-INTERNET class class-default due to  DROP action found in policy-map with ip ident 0

So I figure the traffic is not matching my policy class:

moe#show policy-map type inspect zone-pair TRUSTED-TO-INTERNET sessions

policy exists on zp TRUSTED-TO-INTERNET
  Zone-pair: TRUSTED-TO-INTERNET

  Service-policy inspect : TRUSTED-TO-INTERNET-POLICY

    Class-map: TRUSTED-TO-INTERNET-CLASS (match-any)
      Match: protocol tcp
        6348 packets, 322834 bytes
        30 second rate 0 bps
      Match: protocol udp
        1890 packets, 100760 bytes
        30 second rate 0 bps
      Match: protocol icmp
        12 packets, 288 bytes
        30 second rate 0 bps

   Inspect

      Number of Established Sessions = 46
      Established Sessions
        Session 2D39D100 (<laptop's_ipv4>:50415)=>(104.199.64.253:4070) tcp SIS_OPEN/TCP_ESTAB
          Created 12:02:12, Last heard 00:00:03
          Bytes sent (initiator:responder) [87580:124570]

< ...
  ...
  omitted
  ...
  ... >


      Number of Half-open Sessions = 3
      Half-open Sessions
        Session 2D3A4B80 [2A01:<laptop_ipv6>]:128=>[2A00:1450:4009:807::200E]:0 icmpv6 SIS_OPENING
          Created 00:20:54, Last heard 00:00:00
          ECHO request
          Bytes sent (initiator:responder) [10008:0]
        Session 2D39CA00 [2A01:<laptop_ipv6>]:55263=>[2A01:578:3::34D7:905B]:443 tcp SIS_OPENING/TCP_SYNSENT
          Created 00:00:28, Last heard 00:00:28
          Bytes sent (initiator:responder) [0:0]
        Session 2D3A4800 [2A01:<laptop_ipv6>]:46727=>[2A01:578:3::3431:3FD0]:443 tcp SIS_OPENING/TCP_SYNSENT
          Created 00:00:19, Last heard 00:00:19
          Bytes sent (initiator:responder) [0:0]


    Class-map: TRUSTED-TO-INTERNET-6-CLASS (match-any)
      Match: protocol tcp
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: protocol udp
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: protocol icmp
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: access-group name TRUSTED-TO-INTERNET-6-ACL
        0 packets, 0 bytes
        30 second rate 0 bps

   Inspect

    Class-map: class-default (match-any)
      Match: any
      Drop
        18961 packets, 961301 bytes

Any idea why my return traffic is being shot down by class-default instead of matching as return traffic the way it does with IPv4?

0 answers
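The question is being diagnosed by reading the session table and the drop log by eye. The script below is an added example, not the question author's code, that automates that read: it parses `%FW-6-DROP_PKT` syslog lines and `show policy-map type inspect zone-pair ... sessions` output, tags every session and drop by address family, and reports which class-map each family actually lands in. On the constructed sample (modelled on the output format in the question, using the 2001:db8::/32, 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 documentation ranges, not captured from a real router) it reproduces the symptom the question describes: the IPv6 sessions are created under TRUSTED-TO-INTERNET-CLASS (the `match protocol` class, which is address-family agnostic) rather than under the ACL-based IPv6 class, they never leave SIS_OPENING, and every drop on the zone-pair is IPv6 in class-default.

```python
import re
from collections import Counter

# Constructed sample input, modelled on the log and show output in the question.
# Addresses are from the IPv4/IPv6 documentation ranges; nothing here is a real capture.
SAMPLE_LOG = """\
Feb  8 19:15:14.769: %FW-6-DROP_PKT: Dropping tcp session [2001:db8:1::10]:61984 [2001:db8:ff::2004]:80 on zone-pair TRUSTED-TO-INTERNET class class-default due to  DROP action found in policy-map with ip ident 0
Feb  8 19:15:20.101: %FW-6-DROP_PKT: Dropping udp session [2001:db8:1::10]:5353 [2001:db8:ff::53]:53 on zone-pair TRUSTED-TO-INTERNET class class-default due to  DROP action found in policy-map with ip ident 0
Feb  8 19:16:02.450: %FW-6-DROP_PKT: Dropping tcp session 198.51.100.7:40000 192.0.2.10:22 on zone-pair INTERNET-TO-TRUSTED class class-default due to  DROP action found in policy-map with ip ident 0
"""

SAMPLE_SESSIONS = """\
    Class-map: TRUSTED-TO-INTERNET-CLASS (match-any)
      Match: protocol tcp
   Inspect
      Number of Established Sessions = 1
      Established Sessions
        Session 2D39D100 (192.0.2.20:50415)=>(203.0.113.5:4070) tcp SIS_OPEN/TCP_ESTAB
          Created 12:02:12, Last heard 00:00:03
      Number of Half-open Sessions = 2
      Half-open Sessions
        Session 2D3A4B80 [2001:db8:1::10]:128=>[2001:db8:ff::200e]:0 icmpv6 SIS_OPENING
          ECHO request
        Session 2D39CA00 [2001:db8:1::10]:55263=>[2001:db8:ff::443]:443 tcp SIS_OPENING/TCP_SYNSENT
    Class-map: TRUSTED-TO-INTERNET-6-CLASS (match-any)
      Match: access-group name TRUSTED-TO-INTERNET-6-ACL
        0 packets, 0 bytes
   Inspect
    Class-map: class-default (match-any)
      Match: any
      Drop
        18961 packets, 961301 bytes
"""

# Fields of a %FW-6-DROP_PKT line: protocol, source, destination, zone-pair, class-map.
DROP_RE = re.compile(
    r"%FW-6-DROP_PKT: Dropping (?P<proto>\S+) session (?P<src>\S+) (?P<dst>\S+) "
    r"on zone-pair (?P<zp>\S+) class (?P<cls>\S+)"
)
# "Class-map: NAME (...)" header lines in the show output.
CLASS_RE = re.compile(r"^\s*Class-map: (?P<name>\S+)")
# "Session <id> <src>=><dst> <proto> <state>" lines beneath a class-map.
SESSION_RE = re.compile(
    r"^\s*Session \w+ (?P<src>\S+)=>(?P<dst>\S+) (?P<proto>\S+) (?P<state>\S+)"
)


def family(endpoint):
    """IOS prints IPv6 endpoints as '[addr]:port'; IPv4 as 'a.b.c.d:port', sometimes in parens."""
    return "ipv6" if endpoint.lstrip("(").startswith("[") else "ipv4"


def parse_drops(log_text):
    """Return one dict per drop line, with an added 'family' key."""
    drops = []
    for line in log_text.splitlines():
        m = DROP_RE.search(line)
        if m:
            d = m.groupdict()
            d["family"] = family(d["src"])
            drops.append(d)
    return drops


def parse_sessions(show_text):
    """Map class-map name -> list of (family, proto, state) for sessions listed under it."""
    sessions = {}
    current = None
    for line in show_text.splitlines():
        c = CLASS_RE.match(line)
        if c:
            current = c.group("name")
            sessions.setdefault(current, [])
            continue
        s = SESSION_RE.match(line)
        if s and current:
            sessions[current].append((family(s.group("src")), s.group("proto"), s.group("state")))
    return sessions


def class_family_counts(sessions):
    """Counter keyed by (class-map, family): which class each address family actually hits."""
    return Counter((cls, fam) for cls, lst in sessions.items() for fam, _, _ in lst)


def drops_by_zone_pair_and_family(drops):
    """Counter keyed by (zone-pair, family) over parsed drop lines."""
    return Counter((d["zp"], d["family"]) for d in drops)


def half_open_v6(sessions):
    """IPv6 sessions stuck in SIS_OPENING: outbound half inspected, reply never matched."""
    return [(cls, proto, state) for cls, lst in sessions.items()
            for fam, proto, state in lst
            if fam == "ipv6" and state.startswith("SIS_OPENING")]


if __name__ == "__main__":
    sessions = parse_sessions(SAMPLE_SESSIONS)
    print("sessions per (class, family):", dict(class_family_counts(sessions)))
    print("drops per (zone-pair, family):", dict(drops_by_zone_pair_and_family(parse_drops(SAMPLE_LOG))))
    print("half-open IPv6 sessions:", half_open_v6(sessions))
```

To run it against a real router, paste the output of `show logging` and `show policy-map type inspect zone-pair TRUSTED-TO-INTERNET sessions` into the two sample strings. The check worth watching is whether any (class, "ipv6") key ever appears for the ACL-based class: on the question's output it does not, which is the fact an answer would have to explain.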