Re: Routing updates through a firewall

From: Arun Arumuganainar (aarumuga@hotmail.com)
Date: Mon Aug 22 2005 - 08:59:02 GMT-3


I have seen similar scenarios at customer sites!!! Similar in the sense that it
was not routing protocols but other traffic such as VPN (PPTP and IPsec VPN).

Generally we follow this technique when encountering such a scenario!!!

1) Analyze the protocol to be allowed and identify the traffic that is
entering and leaving the network.

Note: Identification includes protocol type (TCP, UDP, raw IP, ICMP etc.),
protocol numbers and IP addresses.

For example, let us take OSPF. It uses the following:
  a) IP address: 224.0.0.5 or 224.0.0.6
  b) Protocol number in the IP header: 89 (Pls. correct me if I am wrong)!!

For BGP: TCP traffic from port 179, from and to the BGP neighbor IP address!!!

2) Once that is done, open only those ports in the access list that is used
for the firewall.

Pls. find below a short write-up on how to allow PPTP tunneling. I wrote this
when we encountered problems with PPTP tunneling pass-through via a
firewall. Treatment for routing protocols is very similar. I have used PPTP
for the case study's sake as I have not tested any routing protocols in my
lab. You can work from it to suit your requirement.

PROBLEM DESCRIPTION AND WORKAROUND

PPTP pass-through tunnel establishment happens transparently. This means our
router treats PPTP pass-through packets as any other ordinary IP packet
and hence no configuration changes are needed to enable them.

However, the problem comes only when we enable the firewall. PPTP pass-through
tunnel establishment needs the following traffic to be allowed explicitly. The
firewall configured on the router does not allow this unless it is specified
explicitly.
  a) access-list 111 permit tcp any any eq 1723
  b) access-list 111 permit tcp any any eq 139
  c) access-list 111 permit udp any any eq netbios-ns
  d) access-list 111 permit udp any any eq netbios-dgm
  e) access-list 111 permit gre any any
Upon adding the above access list we can enable the PPTP tunnel to pass through
the firewall.

Your skeleton access list should look like this!!!

access-list 111 permit tcp any any eq 1723
access-list 111 permit tcp any any eq 139
access-list 111 permit udp any any eq netbios-ns
access-list 111 permit udp any any eq netbios-dgm
access-list 111 permit gre any any
access-list 111 deny ip any any

Note 1: The CLI commands that are highlighted in dark color are necessary for
enabling PPTP tunnels.
Note 2: "access-list 111 deny ip any any" should be the last line in your
access-list 111 configuration.

If both things are taken care of, you will be able to do what you want with our
router.

Thanks and Regards
Arun

----- Original Message -----
From: "Scott Morris" <swm@emanon.com>
To: "'Tony Schaffran'" <groupstudy@cconlinelabs.com>; "'Brant I. Stevens'"
<branto@branto.com>; "'Sayeed Kachroo'" <sayeedk@hotmail.com>;
<cciein2006@yahoo.com>; <ccielab@groupstudy.com>
Sent: Monday, August 22, 2005 12:16 AM
Subject: RE: Routing updates through a firewall

> How about sending your firewall to me since you don't use it. :)
>
> Scott
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Tony
> Schaffran
> Sent: Sunday, August 21, 2005 12:58 PM
> To: 'Brant I. Stevens'; 'Sayeed Kachroo'; cciein2006@yahoo.com;
> ccielab@groupstudy.com
> Subject: RE: Routing updates through a firewall
>
> How about a GRE tunnel through a VPN connection?
>
> Tony Schaffran
> Network Analyst
> CCIE #11071
> CCNP, CCNA, CCDA,
> NNCDS, NNCSS, CNE, MCSE
>
> www.cconlinelabs.com
> Your #1 choice for online Cisco rack rentals.
>
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Brant I. Stevens
> Sent: Sunday, August 21, 2005 9:31 AM
> To: Sayeed Kachroo; cciein2006@yahoo.com; ccielab@groupstudy.com
> Subject: Re: Routing updates through a firewall
>
>
> Correct me if I'm wrong, but, doesn't using a GRE tunnel for such a purpose
> basically negate using a firewall once you permit the GRE tunnel through it?
> You would have to add ACLs to the GRE tunnel to permit/deny traffic as
> desired, and if you weren't using a FW feature set, it would only give you
> packet filtering; not stateful inspection.
>
> BGP will give you the best path to a destination, but the specific traffic
> type must be permitted through the firewall.
>
> On 8/20/05 1:28 AM, "Sayeed Kachroo" <sayeedk@hotmail.com> wrote:
>
> > Well i think with redistribution you will lose bgp attribute , i dont
> > think that is a good idea. How about using gre. Pass the gre traffic
> > through the pix.
> >
> > SK
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
>
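The two-step method in Arun's post above (identify the protocol numbers, addresses and ports, then permit only those and finish with an explicit deny), as an added example that is not part of any message in this thread: a small Python model of a Cisco-style extended access list carrying the OSPF entries (IP protocol 89 to 224.0.0.5 and 224.0.0.6), the BGP entries (TCP 179 to and from the neighbor) and the PPTP entries from the write-up, together with a first-match evaluator so that constructed packets can be checked against it before anything is typed into a router. The neighbor address 192.0.2.2, the sample packets and all helper names are assumptions. The `permit gre any any` line is kept as posted; the evaluator makes visible that it also passes GRE from any source, which is the point Brant raised about tunnels through a filter.

```python
"""Added example: model a Cisco-style extended ACL that permits OSPF, BGP and
PPTP through a packet-filtering router, then evaluate packets against it."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# IP protocol numbers behind the IOS keywords (standard IANA values).
PROTO = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17, "gre": 47, "ospf": 89}


@dataclass(frozen=True)
class Packet:
    proto: int                 # protocol number from the IP header
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    """One access-list entry: action proto src [eq sport] dst [eq dport]."""
    action: str                # "permit" or "deny"
    proto: str                 # IOS keyword: ip, tcp, udp, gre, ospf, icmp
    src: str                   # "any", "host A.B.C.D" or "A.B.C.D/len"
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None

    @staticmethod
    def _addr_match(spec: str, addr: str) -> bool:
        if spec == "any":
            return True
        if spec.startswith("host "):
            return ip_address(addr) == ip_address(spec[5:])
        return ip_address(addr) in ip_network(spec, strict=False)

    @staticmethod
    def _addr_ios(spec: str) -> str:
        if spec == "any" or spec.startswith("host "):
            return spec
        net = ip_network(spec, strict=False)   # IOS wants network + wildcard mask
        return f"{net.network_address} {net.hostmask}"

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and PROTO[self.proto] != p.proto:
            return False
        if not (self._addr_match(self.src, p.src) and self._addr_match(self.dst, p.dst)):
            return False
        if self.sport is not None and p.sport != self.sport:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        return True

    def ios(self, number: int) -> str:
        line = f"access-list {number} {self.action} {self.proto} {self._addr_ios(self.src)}"
        if self.sport is not None:
            line += f" eq {self.sport}"
        line += f" {self._addr_ios(self.dst)}"
        if self.dport is not None:
            line += f" eq {self.dport}"
        return line


def routing_and_pptp_acl(bgp_neighbor: str) -> List[Ace]:
    """Entries for the traffic the post identifies; the explicit deny stays last."""
    nb = f"host {bgp_neighbor}"
    return [
        Ace("permit", "ospf", "any", "host 224.0.0.5"),  # OSPF AllSPFRouters
        Ace("permit", "ospf", "any", "host 224.0.0.6"),  # OSPF AllDRouters
        Ace("permit", "tcp", nb, "any", dport=179),      # neighbor opens the BGP session
        Ace("permit", "tcp", nb, "any", sport=179),      # neighbor answers a session we opened
        Ace("permit", "tcp", "any", "any", dport=1723),  # PPTP control channel
        Ace("permit", "gre", "any", "any"),              # PPTP data channel, as posted
        Ace("deny", "ip", "any", "any"),
    ]


def evaluate(acl: List[Ace], p: Packet) -> str:
    """First matching entry wins; no match means deny, as on IOS."""
    for ace in acl:
        if ace.matches(p):
            return ace.action
    return "deny"


def render(acl: List[Ace], number: int = 111) -> List[str]:
    return [ace.ios(number) for ace in acl]


if __name__ == "__main__":
    acl = routing_and_pptp_acl("192.0.2.2")       # assumed neighbor (constructed)
    print("\n".join(render(acl)))
    # Constructed sample packets: OSPF hello, BGP from the neighbor, GRE from a stranger.
    for pkt in (Packet(89, "192.0.2.2", "224.0.0.5"),
                Packet(6, "192.0.2.2", "192.0.2.1", sport=40001, dport=179),
                Packet(47, "198.51.100.9", "192.0.2.1")):
        print(pkt, "->", evaluate(acl, pkt))
```

`render()` prints the entries in the form they would be typed into IOS, so the output can be compared line by line against the skeleton access list in the post; `evaluate()` walks the entries top-down, which is why moving the `deny ip any any` above anything else silently blocks everything after it.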



This archive was generated by hypermail 2.1.4 : Sun Sep 04 2005 - 17:01:19 GMT-3