Re: [FW1] IP protocol 94
In the immortal words of Monty Burns......."Excellent..."

Jason

Ian Campbell wrote:
>
> <<Anyway, with that said, a Cisco ACL command to allow this would look
> something like this:
>
> "access-list 100 permit 94 host 1.2.3.4 host 5.6.7.8" , or whatever.
> Hope this helps!>>
>
> It does, and that's exactly what I needed! Thanks Jason, you're a star!
>
> Ian
>
> -----Original Message-----
> From: Jason Witty [mailto:[email protected]]
> Sent: Friday, September 22, 2000 6:01 AM
> To: [email protected]
> Cc: Ian Campbell; [email protected]
> Subject: Re: [FW1] IP protocol 94
>
> Expanding on this, <protocol> can be either a keyword like "tcp", "udp",
> "igmp", "icmp", etc. or an integer between 0-255, representing the IP
> protocol number. For those interested, I list all of the IANA IP
> protocol number designations (and a whole lot of other info gathered
> from various RFCs and people) at
> http://www.wittys.com/files/all-ip-numbers.txt . The IP protocols are
> listed at the very bottom of the page.
>
> Anyway, with that said, a Cisco ACL command to allow this would look
> something like this:
>
> "access-list 100 permit 94 host 1.2.3.4 host 5.6.7.8" , or whatever.
> Hope this helps!
>
> Jason
>
> [email protected] wrote:
> >
> > I've not tried this (don't use SR here) and you don't say what routers
> > you're using so I'll assume, but Ciscos allow all manner of IP protocols
> > to be passed through access lists.
> >
> > In their terminology access lists are created like
> >
> > access-list 100 <action> <protocol> <srcip> [srcport] <destip> [destport]
> >
> > so for a telnet session you might have
> >
> > access-list 100 permit tcp host 1.2.3.4 host 5.6.7.8 eq telnet
> >
> > In this instance the protocol is TCP (IP protocol 6), but you can
> > substitute tcp for any valid IP protocol number. Ports probably aren't
> > valid here as they refer specifically to TCP/UDP and not IP_P 94 - it'd
> > be like looking for ports on ICMP packets.
> >
> > The URL below is a pretty thorough desc. of access-list construction on
> > Ciscos.
> >
> > http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/np1_r/1rprt2/1rip.htm#xtocid26908
> >
> > If it's not a Cisco, then I don't know. If I'm wrong, no doubt someone
> > with actual real experience of this will step forward :-)
> >
> > Regards
> >
> > [email protected] on 22/09/2000 07:57:33
> >
> > To: [email protected]
> > cc: (bcc: Simon Devlin/GB/ABNAMRO/NL)
> > Subject: [FW1] IP protocol 94
> >
> > Hi Firewallers,
> >
> > I'm writing an inbound access-list for our Internet access router, and one
> > thing I need to worry about is allowing SR sessions through. Checkpoint's
> > web site and Phoneboy's site tell pretty much what's necessary to get site
> > topology updates and authentication going (and I was able to get these
> > working using the information given there).
> >
> > The trouble is that in order to allow the actual session through, I need
> > to allow what both Phoneboy and Checkpoint describe as 'Bi-directional IP
> > protocol 94', and I haven't got a clue as to what this is.
> >
> > What does this translate to in terms of TCP or UDP ports (or something
> > else) that I need to allow through the router to get the session working?
> > Thanks for any insight,
> >
> > Ian
> >
> > ================================================================================
> > To unsubscribe from this mailing list, please see the instructions at
> > http://www.checkpoint.com/services/mailing.html
> > ================================================================================
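
The two rules stated in the thread above (the protocol field is a keyword or an integer 0-255, and port matches only apply to TCP/UDP), as an added example that is not part of the original messages: a Python check for the simplified `access-list` line form the posters use. The function name `check_acl_line`, the keyword subset, and the last two sample lines are assumptions made for illustration.

```python
import re

# Subset of protocol keywords mapped to IANA IP protocol numbers
# (illustrative table, not the full IOS keyword list).
KEYWORDS = {"icmp": 1, "igmp": 2, "tcp": 6, "udp": 17}
PORT_PROTOCOLS = {6, 17}  # only TCP and UDP carry port numbers


def check_acl_line(line):
    """Return (protocol_number, problems) for a simplified ACL line.

    Handles only the form used in the thread (hypothetical helper):
      access-list <num> <permit|deny> <protocol> <src> <dst> [eq <port>]
    """
    tokens = line.split()
    problems = []
    if len(tokens) < 4 or tokens[0] != "access-list":
        return None, ["not an access-list line"]
    if tokens[2] not in ("permit", "deny"):
        problems.append(f"unknown action {tokens[2]!r}")
    proto_tok = tokens[3].lower()
    if proto_tok in KEYWORDS:
        proto = KEYWORDS[proto_tok]
    elif re.fullmatch(r"[0-9]{1,3}", proto_tok) and int(proto_tok) <= 255:
        proto = int(proto_tok)
    else:
        return None, problems + [f"invalid protocol {tokens[3]!r}"]
    # A port operator is meaningless for a protocol that has no ports.
    if "eq" in tokens[4:] and proto not in PORT_PROTOCOLS:
        problems.append(f"port match on IP protocol {proto}, which has no ports")
    return proto, problems


SAMPLE_LINES = [  # first two are from the thread, last two are constructed
    "access-list 100 permit tcp host 1.2.3.4 host 5.6.7.8 eq telnet",
    "access-list 100 permit 94 host 1.2.3.4 host 5.6.7.8",
    "access-list 100 permit 94 host 1.2.3.4 host 5.6.7.8 eq 259",
    "access-list 100 permit 300 host 1.2.3.4 host 5.6.7.8",
]

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(check_acl_line(sample), "<-", sample)
```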