NAT firewall for IPv6?

Tom Beecher beecher at beecher.cc
Tue Jul 5 14:47:44 UTC 2016


Not to belabor the point, because it will likely be made frequently in
responses, but every legitimate service _should_ have both IPv4 and IPv6
addresses.

Get Palo Alto on the horn, and get access to that box. Get it configured
properly.

I won't hammer you since you're just trying to solve a problem, but v6 is
not a second class citizen. You must consider v4 and v6 for these types of
issues, and making one or the other 'go away' is simply collecting some
tech debt that you'll have to eventually pay off.

On Friday, July 1, 2016, Edgar Carver <dredgarcarver at gmail.com> wrote:

> Hello NANOG community. I was directed here by our network administrator
> since she is on vacation. Luckily, I minored in Computer Science so I have
> some familiarity.
>
> We have a small satellite campus of around 170 devices that share one
> external IPv4 and IPv6 address via NAT for internet traffic. Internal
> traffic is over an MPLS.
>
> We're having problems where viruses are getting through Firefox, and we
> think it's because our Palo Alto firewall is set to bypass filtering for
> IPv6. Unfortunately, the network admin couldn't give me the password since
> a local consultant set it up, and it seems they went out of business. I
> need to think outside the box.
>
> Is there some kind of NAT-based IPv6 firewall I can set up on the router
> that can help block viruses? I figure that's the right place to start since
> all the traffic gets funneled there. We have a Cisco Catalyst as a
> router. Or, ideally, is there an easy way to turn off IPv6 completely? I
> really don't see a need for it; any legitimate service should have an IPv4
> address.
>
> I'd really appreciate your advice. I plan to drive out there tomorrow,
> where I can get the exact model numbers and stuff.
>
> Regards,
> Dr. Edgar Carver
>


