5 Replies Latest reply on Aug 3, 2012 9:44 AM by sliedl

    Configuring rules for IPV6 Website in DMZ.

      I am having an issue configuring the Sidewinder for IPV6.

      I know that currently there is no support for IPV6 when the Sidewinders are in Active / Active mode (Version 8.2.1).

       

      So my Sidewinders are in Active / Passive mode.

       

      I can ping the Webserver from my external Router, but tools like http://ipv6-test.com/validate.php and http://www.subnetonline.com - ipv6-network-tools say that the Website is not reachable.

       

      I have the rule set to allow HTTP, ICMPv6, HTTPS

      Source <V6 any> (Zone <any>)

      Destination <IPV6 Address of Server> (Zone- Internal)

      NAT: <none>

      Redirect: <none>

       

      I am able to access the site from the Webserver's browser and use the V6 Registered DNS Name.

       

      So am I barking up the wrong tree? Should I be looking elsewhere for the problem? Any insight or ideas are welcome...

       

      Thanks

        • 1. Re: Configuring rules for IPV6 Website in DMZ.

          Hello,

           

          Your rule above looks correct. Have you configured the external and internal interfaces on the firewall with IPv6 addresses?

           

          -Matt

          • 2. Re: Configuring rules for IPV6 Website in DMZ.

            Yes,

            On the first Sidewinder the external interface has Enable IPv6 checked, Static Address checked and the Cluster address (2610:::::ABC2/124) and primary address is configured 2610:::::ABC3/124

            On the second Sidewinder the external interface has Enable IPv6 checked, Static Address checked and the Cluster address (2610:::::ABC2/124) and primary address is configured 2610:::::ABC4/124

            On the first Sidewinder the Internal interface has Enable IPv6 checked, Static Address checked and the Cluster address (2610:::::123A/123) and primary address is configured 2610:::::123B/123

            On the second Sidewinder the Internal interface has Enable IPv6 checked, Static Address checked and the Cluster address (2610:::::123A1/123) and primary address is configured 2610:::::123C/123

             

            The Webserver is 2610:::::123D/123

             

            The Router inside interface is 2610:::::ABC1/124

            ipv6 route permit any any

            • 3. Re: Configuring rules for IPV6 Website in DMZ.

              Are those IPv6 addresses routable and given to you by your ISP? If someone is out on the internet and wants to connect to them, are they going to be routed to your network and your firewall?

               

              -Matt

              • 4. Re: Configuring rules for IPV6 Website in DMZ.

                Yes, they are assigned by my ISP and routable. I have the Webserver addresses set up with a DNS Name as well, and it resolves.

                 

                If a user types in the website name, they will be routed to the webserver in the DMZ through the Firewalls and Router.

                • 5. Re: Configuring rules for IPV6 Website in DMZ.
                  sliedl

                  If you type in the website name and do tcpdumps on the external and DMZ side of this firewall, do you see this session go through the firewall?

                   

                  Or, do you see a SYN/SYN-ACK/ACK on the outside of the firewall and only a SYN on the DMZ side?  That would tell me the routing on the web server does not point to the firewall.  Perhaps its default route is your external router, which is why the external router can ping this server.
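
The two-sided capture comparison suggested in the last reply can be scripted. This is an added example, not part of the original thread: it reads `tcpdump -n` text output from each side of the firewall and reports which TCP handshake steps were seen. The addresses (documentation prefix 2001:db8::/32), capture lines and function names are constructed, and the outcomes other than the one named in the reply are a generalization.

```python
import re

# One line of `tcpdump -n` text output for a TCP segment over IPv6.
LINE = re.compile(r"IP6 (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([A-Z.]+)\]")
FULL = {"SYN", "SYN-ACK", "ACK"}

def handshake_steps(capture, server, port=80):
    """Return the handshake steps seen for connections to server:port."""
    steps = set()
    for line in capture.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        src, sport, dst, dport, flags = m.groups()
        to_server = dst == server and int(dport) == port
        from_server = src == server and int(sport) == port
        if to_server and flags == "S":
            steps.add("SYN")
        elif from_server and flags == "S.":
            steps.add("SYN-ACK")
        elif to_server and flags == "." and "SYN-ACK" in steps:
            steps.add("ACK")
    return steps

def diagnose(external, dmz, server, port=80):
    """Compare the external-side and DMZ-side captures of the same attempt."""
    ext = handshake_steps(external, server, port)
    inside = handshake_steps(dmz, server, port)
    if not ext:
        return "no SYN on external side: traffic is not reaching the firewall"
    if ext == FULL and inside == {"SYN"}:
        return "SYN only on DMZ side: check the web server's default route"
    if ext == FULL and inside == FULL:
        return "handshake completes on both sides: session passes the firewall"
    if not inside:
        return "nothing on DMZ side: the firewall is not forwarding the session"
    return "inconclusive: external=%s dmz=%s" % (sorted(ext), sorted(inside))

# Constructed sample captures (documentation addresses, not from the thread).
SERVER = "2001:db8:0:1::d"
EXTERNAL = """\
10:00:00.000100 IP6 2001:db8:ffff::10.51000 > 2001:db8:0:1::d.80: Flags [S], seq 100, win 65535, length 0
10:00:00.000300 IP6 2001:db8:0:1::d.80 > 2001:db8:ffff::10.51000: Flags [S.], seq 900, ack 101, win 65535, length 0
10:00:00.020500 IP6 2001:db8:ffff::10.51000 > 2001:db8:0:1::d.80: Flags [.], ack 1, win 512, length 0
"""
DMZ = """\
10:00:00.000400 IP6 2001:db8:ffff::10.51000 > 2001:db8:0:1::d.80: Flags [S], seq 500, win 65535, length 0
10:00:01.000400 IP6 2001:db8:ffff::10.51000 > 2001:db8:0:1::d.80: Flags [S], seq 500, win 65535, length 0
"""
```

Calling `diagnose(EXTERNAL, DMZ, SERVER)` on the constructed captures returns the "SYN only on DMZ side" result, the case the reply attributes to the web server's routing.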