From: Victor Cappuccio (cvictor@protokolgroup.com)
Date: Fri Nov 18 2005 - 15:40:34 GMT-3
Hello All,
In the link
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/ftrafwl/scfreflx.htm
there is an Internal Interface Configuration Example that permits BGP to pass
without being checked by the evaluate tcptraffic statement:
*********************
Internal Interface Configuration Example
interface Ethernet 0
description Access from the I-net to our Internal Network via this interface
ip access-group inboundfilters in
ip access-group outboundfilters out
!
ip reflexive-list timeout 120
!
ip access-list extended outboundfilters
permit bgp any any
permit eigrp any any
deny icmp any any
evaluate tcptraffic
!
ip access-list extended inboundfilters
permit tcp any any reflect tcptraffic
***********************************
I do not know if it's a typo, but my router does not have BGP in the permit
options!!!
Router(config-ext-nacl)#permit ?
<0-255> An IP protocol number
ahp Authentication Header Protocol
eigrp Cisco's EIGRP routing protocol
esp Encapsulation Security Payload
gre Cisco's GRE tunneling
icmp Internet Control Message Protocol
igmp Internet Gateway Message Protocol
ip Any Internet Protocol
ipinip IP in IP tunneling
nos KA9Q NOS compatible IP over IP tunneling
ospf OSPF routing protocol
pcp Payload Compression Protocol
pim Protocol Independent Multicast
tcp Transmission Control Protocol
udp User Datagram Protocol
My IOS Version is 12.2(15)T16
I think that if you want to permit BGP, then these commands should be used:
permit tcp any eq bgp any
permit tcp any any eq bgp
Any suggestions?
Thanks
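Added example, not part of the original post or of Cisco's documentation: the quoted outboundfilters list rewritten so that BGP is matched as TCP rather than with a protocol keyword. BGP runs over TCP port 179 (the IOS port name `bgp`), and either peer may open the session, so the port is matched as both source and destination. The list names, timeout and interface are assumed to be the same as in the quoted example, and the `show access-lists` command at the end is the usual way to confirm the entries and their hit counts.

```cisco
! Reflexive ACL example with BGP permitted explicitly before the evaluate.
! "permit bgp any any" is not valid: BGP is not an IP protocol number,
! it is TCP port 179, so it must be matched as tcp with "eq bgp" (or "eq 179").
ip reflexive-list timeout 120
!
ip access-list extended outboundfilters
 ! BGP session opened by the remote peer: source port 179
 permit tcp any eq bgp any
 ! BGP session opened by the local side: destination port 179
 permit tcp any any eq bgp
 permit eigrp any any
 deny icmp any any
 ! Everything else must match an entry reflected from inboundfilters
 evaluate tcptraffic
!
ip access-list extended inboundfilters
 permit tcp any any reflect tcptraffic
!
interface Ethernet 0
 description Access from the I-net to our Internal Network via this interface
 ip access-group inboundfilters in
 ip access-group outboundfilters out
!
! Verify the entries were accepted and watch the match counters:
! Router# show access-lists outboundfilters
```

Both BGP lines sit above `evaluate tcptraffic` so that BGP is permitted statically and never depends on a reflected entry; entries in an extended ACL are matched top to bottom, so order matters here.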
This archive was generated by hypermail 2.1.4 : Thu Dec 01 2005 - 09:12:07 GMT-3