Cisco ASA Series Firewall ASDM Configuration Guide
Chapter 11 Configuring Inspection of Basic Internet Protocols
IPv6 Inspection
Step 2 Click Add. The Add IPv6 Inspection Map dialog box appears.
Step 3 Enter a name and description for the inspection map.
By default, the Enforcement tab is selected and the following options are selected:
Permit only known extension headers
Enforce extension header order
When Permit only known extension headers is selected, the ASA verifies the IPv6 extension header.
When Enforce extension header order is selected, the order of IPv6 extension headers as defined in the
RFC 2460 Specification is enforced.
When these options are specified and an error is detected, the ASA drops the packet and logs the action.
Step 4 To configure matching in the extension header, click the Header Matches tab.
Step 5 Click Add to add a match. The Add IPv6 Inspect dialog box appears.
a. Select a criterion for the match.
When you select any of the following criteria, you can configure the ASA to drop or log when an
IPv6 packet arrives matching the criterion:
Authentication (AH) header
Destination Options header
Encapsulating Security Payload (ESP) header
Fragment header
Hop-by-Hop Options header
Routing header—When Routing header is selected and an IPv6 routing extension header is
detected, the ASA takes the specified action when the routing type matches the specified number or
falls within the specified range of routing types.
Header count—When Header count is selected and an IPv6 routing extension header is detected,
the ASA takes the specified action when the number of IPv6 extension headers in the packet is more
than the specified value.
Routing header address count—When Routing header address count is selected, and an IPv6
routing extension header is detected, the ASA takes the specified action when the number of
addresses in the type 0 routing header is more than the value you configure.
b. Click OK to save the match criterion.
Step 6 Repeat Step 5 for each header you want to match.
Step 7 Click OK to save the IPv6 inspect map.
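The checks this procedure configures, modelled in Python as an added example (not Cisco's implementation and not code from this guide): the script walks an IPv6 extension header chain and reports unknown headers, RFC 2460 order violations, a matched routing type, the type 0 routing header address count and the header count. The function names, the thresholds, the `UPPER` set and the `build` helper for constructed sample packets are assumptions made for illustration.

```python
import struct

# Extension header protocol numbers, ranked in the order RFC 2460 recommends.
HBH, ROUTING, FRAGMENT, ESP, AH, DSTOPTS = 0, 43, 44, 50, 51, 60
RANK = {HBH: 0, DSTOPTS: 1, ROUTING: 2, FRAGMENT: 3, AH: 4, ESP: 5}
UPPER = {6, 17, 58, 59}  # assumed "known" terminators: TCP, UDP, ICMPv6, No Next Header

def walk_chain(packet):
    """Return ([(type, routing_type, rh0_addrs)], next-header value that ended the walk)."""
    nxt, off, chain = packet[6], 40, []
    while nxt in RANK:
        if nxt == ESP:  # everything after ESP is encrypted, so the walk ends here
            chain.append((ESP, None, None))
            return chain, None
        following, length = packet[off:off + 2]  # ValueError if the header is cut off
        # Fragment is fixed at 8 bytes, AH counts 4-byte words, the rest 8-byte units.
        size = 8 if nxt == FRAGMENT else (length + 2) * 4 if nxt == AH else (length + 1) * 8
        if off + size > len(packet):
            raise ValueError("truncated extension header")
        rtype = packet[off + 2] if nxt == ROUTING else None
        addrs = length // 2 if rtype == 0 else None  # type 0 carries 16-byte addresses
        chain.append((nxt, rtype, addrs))
        nxt, off = following, off + size
    return chain, nxt

def inspect(packet, max_headers=3, blocked_rtypes=range(0, 1), max_rh0_addrs=1):
    """Return the list of violations; an empty list means the packet passes."""
    chain, upper = walk_chain(packet)
    found, last = [], -1
    if upper is not None and upper not in UPPER:
        found.append(f"unknown header {upper}")
    for i, (hdr, rtype, addrs) in enumerate(chain):
        final_dstopts = hdr == DSTOPTS and i == len(chain) - 1  # allowed before upper layer
        if not final_dstopts and RANK[hdr] <= last:
            found.append(f"header {hdr} out of order")
        last = max(last, RANK[hdr])
        if rtype is not None and rtype in blocked_rtypes:
            found.append(f"routing type {rtype} matched")
        if addrs is not None and addrs > max_rh0_addrs:
            found.append(f"{addrs} addresses in type 0 routing header")
    if len(chain) > max_headers:
        found.append(f"header count {len(chain)}")
    return found

def build(chain, upper=59):
    """Constructed sample packet: IPv6 header plus (type, bytes after next-header) pairs."""
    types = [t for t, _ in chain] + [upper]
    ext = b"".join(bytes([types[i + 1]]) + body for i, (_, body) in enumerate(chain))
    return struct.pack("!IHBB", 6 << 28, len(ext), types[0], 64) + bytes(32) + ext
```

For example, `inspect(build([(FRAGMENT, bytes(7)), (HBH, bytes(7))]))` reports the Hop-by-Hop Options header as out of order because it follows a Fragment header.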
Configuring IPv6 Inspection
To enable IPv6 inspection, perform the following steps.
Detailed Steps
Step 1 Configure a service policy on the Configuration > Firewall > Service Policy Rules pane according to
Chapter 1, “Configuring a Service Policy.”