
Conference kali::dewbr

Title:DECbrouter-90T2,-T2A,-T1
Notice:Kits, DOCs, Release notes, SPDs notes 1-10
Moderator:FOUNDR::SHEEHAN
Created:Wed Dec 23 1992
Last Modified:Thu Jun 05 1997
Last Successful Update:Fri Jun 06 1997
Number of topics:1313
Total number of notes:4889

1271.0. "How to re-direct activity on Port 6666 to another system?" by TENNIS::KAM (AltaVista Software 714/261-4133 DTN 535.4133) Thu Feb 13 1997 00:24

    We have a customer using DECbrouter 90 and Cisco Routers as Firewalls. 
    We're trying to install the AltaVista Tunnel Server behind the Routers. 
    Engineering indicated that to make this work, with a Router, we need 
    to make the Router function like a Firewall e.g., create a relay in 
    the Router pointing to the Tunnel Server.
    
    When configuring the Firewall we have a Proxy looking at Port 6666. 
    Anything coming in on this port is directed to the Tunnel Server for
    handling.
    
    Does anyone know if, in the DECbrouter 90 or Cisco Routers, it is
    possible to set a command to direct anything coming into port 6666 
    to be directed to another system?  If so, what would the command 
    syntax be?  Also, I assume that Routers understand the concept of Ports?
    
    	Regards,
    
    Simple diagram for a simple mind.


               PIP Address
              Tunnel Client
               IP Address
                   |
              /    |
           /\/  ---+------- 
   ----+- /      
       |
       |
    Red IP Address
    Firewall or Router
   Blue IP Address
       |
       |
   ----+----+--------------+-------
            |              |       
            |              |       
         IP Address     IP Address 
           Systems       Tunnel Server
                        PIP Address

   Note: PIP Pseudoadapter IP address
1271.1. "Try Extended access list" by FOUNDR::SHEEHAN Fri Feb 28 1997 12:58 (44 lines)
>When configuring the Firewall we have a Proxy looking at Port 6666. 
>Anything coming in on this port is directed to the Tunnel Server for
>handling.
    
 Below is an example of using an extended access list to filter specific
 TCP port connections. This, along with the IP Tunnel commands, may be
 a solution for you.

 Regards,

   Neil Sheehan
   NPS/NSTG Router Support

As an example of using an extended access list, suppose you have a network
connected to the Internet, and you want any host on an Ethernet to
be able to form TCP connections to any host on the Internet. However,
you do not want IP hosts to be able to form TCP connections to hosts
on the Ethernet except to the mail (SMTP) port of a dedicated mail
host.

SMTP uses TCP port 25 on one end of the connection and a random port
number on the other end. The same two port numbers are used throughout
the life of the connection. Mail packets coming in from the Internet
will have a destination port of 25. Outbound packets will have the
port numbers reversed. The fact that the secure system behind the
router always will be accepting mail connections on port 25 is what
makes it possible to separately control incoming and outgoing services.
The access list can be configured on either the outbound or inbound
interface.

In the following example, the Ethernet network is a Class B network
with the address 128.88.0.0, and the mail host's address is 128.88.1.2.
The keyword established is used only for the TCP protocol to indicate
an established connection. A match occurs if the TCP datagram has the
ACK or RST bits set, which indicate that the packet belongs to an
existing connection.

access-list 102 permit tcp 0.0.0.0 255.255.255.255 128.88.0.0 0.0.255.255 established
access-list 102 permit tcp 0.0.0.0 255.255.255.255 128.88.1.2 0.0.0.0 eq 25
interface ethernet 0
ip access-group 102 in
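Added here as an illustration, not part of the reply or of the Cisco documentation it quotes: a small Python model of how access list 102 is evaluated (wildcard masks, first match wins, the implicit deny at the end, and the established test, which only looks at the ACK or RST bits of the packet in hand). The Rule and Packet structures and the 192.0.2.x source addresses are constructed for the example. Note that an access list only permits or denies packets; it does not forward port 6666 traffic to another host, which is what the base note asks for.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    # one "access-list N permit tcp ..." line; TCP only, as in list 102
    action: str                     # "permit" or "deny"
    src: str                        # source address
    src_wild: str                   # wildcard mask: 1 bits mean "don't care"
    dst: str
    dst_wild: str
    dst_port: Optional[int] = None  # "eq N" on the destination port
    established: bool = False       # match only if ACK or RST is set

@dataclass
class Packet:  # constructed TCP packet summary: only the fields the list inspects
    src: str
    dst: str
    dst_port: int
    ack: bool = False
    rst: bool = False

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    # Cisco wildcard semantics: where a mask bit is 0, addr must equal base
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return int(ipaddress.IPv4Address(addr)) & care == int(ipaddress.IPv4Address(base)) & care

def evaluate(acl: list, pkt: Packet) -> str:
    # first matching line wins; an IOS access list ends in an implicit deny
    for r in acl:
        if not (wildcard_match(pkt.src, r.src, r.src_wild)
                and wildcard_match(pkt.dst, r.dst, r.dst_wild)):
            continue
        if r.dst_port is not None and pkt.dst_port != r.dst_port:
            continue
        # "established" is stateless: no connection table, only the flag bits
        if r.established and not (pkt.ack or pkt.rst):
            continue
        return r.action
    return "deny"

# access-list 102 from the reply, as applied inbound on ethernet 0
ACL_102 = [
    Rule("permit", "0.0.0.0", "255.255.255.255", "128.88.0.0", "0.0.255.255", established=True),
    Rule("permit", "0.0.0.0", "255.255.255.255", "128.88.1.2", "0.0.0.0", dst_port=25),
]

if __name__ == "__main__":  # a SYN from the Internet to the mail host's SMTP port
    print(evaluate(ACL_102, Packet("192.0.2.7", "128.88.1.2", 25)))  # permit
```

A SYN to any other inside host or port falls through both lines and hits the implicit deny, while any segment carrying ACK or RST toward 128.88.0.0/16 is passed by the first line whether or not a connection exists.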