NAT firewall for IPv6?

Larry Sheldon larrysheldon at cox.net
Tue Jul 5 22:51:07 UTC 2016


My how the world has changed!

On 7/1/2016 21:28, Edgar Carver wrote:
> Hello NANOG community. I was directed here by our network administrator
> since she is on vacation.

I am Old School, I guess.  In my day Step One would be "Fire the 
administrator."  The job is by nature a 24 X 7 X 52 job and "On Call" 
the rest of the time.  "Vacation" is never a reason to leave your 
assignment insecure.

"NAT-based firewall"?  Really?

How long has the consultant been out of business?

> Luckily, I minored in Computer Science so I have
> some familiarity.
>
> We have a small satellite campus of around 170 devices that share one
> external IPv4 and IPv6 address via NAT for internet traffic. Internal
> traffic is over an MPLS.
>
> We're having problems where viruses are getting through Firefox, and we
> think it's because our Palo Alto firewall is set to bypass filtering for
> IPv6. Unfortunately, the network admin couldn't give me the password since
> a local consultant set it up, and it seems they went out of business. I
> need to think outside the box.
>
> Is there some kind of NAT-based IPv6 firewall I can set up on the router
> that can help block viruses? I figure that's the right place to start since
> all the traffic gets funneled there. We have a Cisco Catalyst as a
> router. Or, ideally, is there an easy way to turn off IPv6 completely? I
> really don't see a need for it, any legitimate service should have an IPv4
> address.
>
> I'd really appreciate your advice. I plan to drive out there tomorrow,
> where I can get the exact model numbers and stuff.
>
> Regards,
> Dr. Edgar Carver
>

-- 
"Everybody is a genius.  But if you judge a fish by
its ability to climb a tree, it will live its whole
life believing that it is stupid."

--Albert Einstein

 From Larry's Cox account.


