
Configuring rules for IPV6 Website in DMZ.

I am having an issue configuring the Sidewinder for IPV6.

I know that currently there is no support for IPV6 when the Sidewinders are in Active / Active mode (Version 8.2.1).

So my Sidewinders are in Active / Passive mode.

I can ping the Webserver from my external Router, but tools like http://ipv6-test.com/validate.php and http://www.subnetonline.com - ipv6-network-tools say that the Website is not reachable.

I have the rule set to allow HTTP, ICMPv6, HTTPS

Source <V6 any> (Zone <any>)

Destination <IPV6 Address of Server> (Zone- Internal)

NAT: <none>

Redirect: <none>

I am able to access the site from the Webservers browser and use the V6 Registered DNS Name.

So am I barking up the wrong tree? Should I be looking elsewhere for the problem? Any insight or ideas are welcome...

Thanks

5 Replies
mtuma
Message 2 of 6

Re: Configuring rules for IPV6 Website in DMZ.

Hello,

Your rule above looks correct. Have you configured the external and internal interfaces on the firewall with IPv6 addresses?

-Matt

Re: Configuring rules for IPV6 Website in DMZ.

Yes,

On the first Sidewinder the external interface has Enable IPv6 checked, Static Address checked and the Cluster address (2610:::::ABC2/124) and primary address is configured 2610:::::ABC3/124

On the second Sidewinder the external interface has Enable IPv6 checked, Static Address checked and the Cluster address (2610:::::ABC2/124) and primary address is configured 2610:::::ABC4/124

On the first Sidewinder the Internal interface has Enable IPv6 checked, Static Address checked and the Cluster address (2610:::::123A/123) and primary address is configured 2610:::::123B/123

On the second Sidewinder the Internal interface has Enable IPv6 checked, Static Address checked and the Cluster address (2610:::::123A1/123) and primary address is configured 2610:::::123C/123

The Webserver is 2610:::::123D/123

The Router inside interface is 2610:::::ABC1/124

ipv6 route permit any any

mtuma
Message 4 of 6

Re: Configuring rules for IPV6 Website in DMZ.

Are those IPv6 addresses routable and given to you by your ISP? If someone is out on the internet and wants to connect to them, are they going to be routed to your network and your firewall?

-Matt

Re: Configuring rules for IPV6 Website in DMZ.

Yes, they are assigned by my ISP and routable. I have the Webserver addresses set up with a DNS Name as well and it resolves.

If a user types in the website name, they will be routed to the webserver in the DMZ through the Firewalls and Router.

sliedl
Message 6 of 6

Re: Configuring rules for IPV6 Website in DMZ.

If you type in the website name and do tcpdumps on the external and DMZ side of this firewall do you see this session go through the firewall?

Or, do you see a SYN/SYN-ACK/ACK on the outside of the firewall and only a SYN on the DMZ side?  That would tell me the routing on the web server does not point to the firewall.  Perhaps its default route is your external router, which is why the external router can ping this server.
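
The two-sided comparison described in the last reply, as an added example that is not part of the original thread: it reads `tcpdump -n` text output from the external and DMZ captures and reports which handshake stages each side saw. The addresses (from the 2001:db8::/32 documentation prefix), the sample capture lines and the function names are constructed for illustration, and the "no SYN on the external side" case goes one step beyond what the reply spells out.

```python
import re

# tcpdump -n text line for TCP over IPv6: "IP6 <src>.<sport> > <dst>.<dport>: Flags [..]"
LINE = re.compile(r"IP6 (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]+)\]")

# Constructed sample captures (documentation-prefix addresses, not from the thread).
SERVER = "2001:db8:2::d"
EXTERNAL = """\
10:15:01.000100 IP6 2001:db8:ffff::50.51514 > 2001:db8:2::d.80: Flags [S], seq 1000, win 64800, length 0
10:15:01.000300 IP6 2001:db8:2::d.80 > 2001:db8:ffff::50.51514: Flags [S.], seq 5000, ack 1001, win 65535, length 0
10:15:01.020500 IP6 2001:db8:ffff::50.51514 > 2001:db8:2::d.80: Flags [.], ack 1, win 507, length 0
"""
DMZ = """\
10:15:01.021000 IP6 2001:db8:ffff::50.51514 > 2001:db8:2::d.80: Flags [S], seq 9000, win 65535, length 0
10:15:04.021000 IP6 2001:db8:ffff::50.51514 > 2001:db8:2::d.80: Flags [S], seq 9000, win 65535, length 0
"""

def handshake_stages(capture, server, port):
    """Return the handshake stages (SYN, SYN-ACK, ACK) seen for server:port."""
    stages = set()
    for line in capture.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        src, sport, dst, dport, flags = m.groups()
        to_server = dst == server and int(dport) == port
        from_server = src == server and int(sport) == port
        if to_server and flags == "S":
            stages.add("SYN")
        elif from_server and flags == "S.":
            stages.add("SYN-ACK")
        elif to_server and flags == "." and "SYN-ACK" in stages:
            stages.add("ACK")
    return stages

def diagnose(external, dmz, server, port=80):
    """Compare both sides of the firewall and name the likely fault location."""
    ext = handshake_stages(external, server, port)
    inside = handshake_stages(dmz, server, port)
    full = {"SYN", "SYN-ACK", "ACK"}
    if not ext:
        return "no SYN on the external side: traffic is not reaching the firewall"
    if ext == full and inside == {"SYN"}:
        return "SYN only on the DMZ side: check the web server's route back to the firewall"
    if ext == full and inside == full:
        return "session goes through the firewall"
    return "inconclusive: external=%s dmz=%s" % (sorted(ext), sorted(inside))

if __name__ == "__main__":
    print(diagnose(EXTERNAL, DMZ, SERVER))
```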