The Cisco configuration guides clearly outlines IPv6 neighbor discovery configuration for routed mode. It also defines under the Transparent Mode section that ARP traffic is passed without an EtherType ACL from low-to-high sec interfaces, and vice-versa. However, nothing in the doc (that I can find) states whether or not NDP packects are passed without an ACL. Also, it doesn't state whether any inspection is done on those, or whether it would be covered under icmp inspection. So, if malformed ND packets or packets with a hop count <255 are received, will the ASA just forward them?
↧