Prerequisites for adding ipv6 access lists, Guidelines and limitations – Cisco ASA 5505 User Manual

19-2

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 19 Adding an IPv6 Access List

Prerequisites for Adding IPv6 Access Lists

Prerequisites for Adding IPv6 Access Lists

You should be familiar with IPv6 addressing and basic configuration. See the ipv6 commands in the
Cisco Security Appliance Command Reference for more information about configuring IPv6.

Guidelines and Limitations

This section includes the guidelines and limitations for this feature.

Context Mode Guidelines

Supported in single and multiple context modes.

Firewall Mode Guidelines

Supported in routed and transparent firewall modes.

IPv6 Guidelines

Supports IPv6.

Additional Guidelines and Limitations

The following guidelines and limitations apply to IPv6 access lists:

•

The ipv6 access-list command allows you to specify whether an IPv6 address is permitted or denied
access to a port or protocol. Each command is called an ACE. One or more ACEs with the same
access list name are referred to as an access list. Apply an access list to an interface using the
access-group command.

•

The ASA denies all packets from an outside interface to an inside interface unless you specifically
permit access using an access list. All packets are allowed by default from an inside interface to an
outside interface unless you specifically deny access.

•

The ipv6 access-list command is similar to the access-list command, except that it is IPv6-specific.
For additional information about access lists, refer to the access-list extended command.

•

The ipv6 access-list icmp command is used to filter ICMPv6 messages that pass through the
ASA.To configure the ICMPv6 traffic that is allowed to originate and terminate at a specific
interface, use the ipv6 icmp command.

•

See the object-group command for information on how to configure object groups.

•

Possible operands for the operator option of the ipv6 access-list command include lt for less than,
gt for greater than, eq for equal to, neq for not equal to, and range for an inclusive range. Use the
ipv6 access-list command without an operator and port to indicate all ports by default.

•

ICMP message types are filtered by the access rule. Omitting the icmp_type argument indicates all
ICMP types. If you specify ICMP types, the value can be a valid ICMP type number (from 0 to 255)
or one of the following ICMP type literals:

–

destination-unreachable

–

packet-too-big

–

time-exceeded

–

parameter-problem

–

echo-request