nanog mailing list archives

RE: NAT firewall for IPv6?


From: "Naslund, Steve" <SNaslund () medline com>
Date: Tue, 5 Jul 2016 16:05:37 +0000

Did you get the impression that this person asking for help was going to be able to set that up?  I didn't (if he was,
he would probably already know what an ACL is).  I do not know if the Catalyst he is looking at is his or his service
provider's edge device (or maybe the consultants didn't give them access to that either).  I don't know that that
Catalyst is the primary router for their network (it could be an L2 switch behind the firewall).  I also doubt the problem
stems from IPv6 as much as it comes from having an out-of-control firewall.  Given what I am hearing about this network,
I am kind of doubting that it is really IPv6 enabled in any case, so your fix prevents IPv6 traffic that is probably not
even being routed in the first place.  In my opinion, not having control of your own firewall is the five-alarm
emergency in that network right now.

If the network is IPv6 enabled, blocking all IPv6 traffic at that router is probably not a good idea without knowing
more.  If it is not IPv6 enabled, then it will have no effect on the reported issue (malware).


Steven Naslund
Chicago IL


Right.  But how long is it going to take to secure the Palo Alto firewall?
If the central Cisco Catalyst really is an IPv6 router, doing a

conf t
ipv6 access-list denyIPv6
 deny ipv6 any any
interface [whatever connects to the ISP]
 ipv6 traffic-filter denyIPv6 in
 ipv6 traffic-filter denyIPv6 out
end

would be a quick fix for the firewall not doing any IPv6 filtering.
It could also break IPv6-enabled web sites or even internal connectivity, so it'd be better to get someone on the
phone w/ Cisco tech support and have Cisco figure out the best way to block IPv6 for you.

True.  But they're in "stop the bleeding" mode and disabling ipv6 is just a temp work-around until the firewall is 
fixed.
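
The following is an added illustration of the two points made in this thread (first check whether the Catalyst is actually routing IPv6, then apply the temporary block); it is not configuration posted by anyone in the thread. The interface name GigabitEthernet0/1 is an assumption and stands in for whatever port faces the ISP. The "show" commands come first because, as Steve notes, a filter on a box that is not routing IPv6 changes nothing about the malware problem. The only difference from the ACL quoted above is that Neighbor Discovery is permitted explicitly: IOS appends an implicit permit for ND solicitation and advertisement at the end of every IPv6 ACL, but an explicit "deny ipv6 any any" matches first and removes it, which is one concrete way a "deny everything" filter breaks connectivity on the link it is applied to.

```cisco
! --- Step 1: is IPv6 really in use on this router? (added example, not from the thread)
show ipv6 interface brief      ! any interface with a global (non-fe80::) address?
show ipv6 route                ! anything beyond connected (C) and local (L) routes?
show ipv6 neighbors            ! hosts actually exchanging IPv6 traffic on the LANs?

! --- Step 2: temporary block on the ISP-facing interface only.
! GigabitEthernet0/1 is an assumed name; substitute the interface that connects to the ISP.
conf t
ipv6 access-list denyIPv6
 remark temporary workaround until the Palo Alto firewall is fixed
 permit icmp any any nd-ns    ! keep Neighbor Discovery working on this link;
 permit icmp any any nd-na    ! an explicit deny-all would otherwise block it
 deny ipv6 any any
interface GigabitEthernet0/1
 ipv6 traffic-filter denyIPv6 in
 ipv6 traffic-filter denyIPv6 out
end

! --- Step 3: confirm the filter is actually matching something.
show ipv6 access-list denyIPv6
show ipv6 interface GigabitEthernet0/1   ! lists the inbound/outbound traffic filters
```

Two caveats for anyone typing this in: match counters in "show ipv6 access-list" are platform-dependent and on some hardware-forwarding Catalyst models do not increment for switched traffic, so a zero counter is not proof that no IPv6 is flowing; and some Catalyst models will not accept "ipv6 traffic-filter" at all until the SDM template has been switched to a dual-stack (IPv4 and IPv6) profile, which requires a reload. Applying the filter only on the ISP-facing interface leaves IPv6 between internal VLANs untouched, which is the intended scope of a stop-the-bleeding measure.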


