>When configuring the Firewall we have a Proxy looking at Port 6666.
>Anything coming in on this port is directed to the Tunnel Server for
>handling.
Below is an example of using an extended access list to filter specific
TCP port connections. This, along with the IP Tunnel commands, may be
a solution for you.
Regards,
Neil Sheehan
NPS/NSTG Router Support
As an example of using an extended access list, suppose you have a network
connected to the Internet, and you want any host on an Ethernet to
be able to form TCP connections to any host on the Internet. However,
you do not want IP hosts to be able to form TCP connections to hosts
on the Ethernet except to the mail (SMTP) port of a dedicated mail
host.
SMTP uses TCP port 25 on one end of the connection and a random port
number on the other end. The same two port numbers are used throughout
the life of the connection. Mail packets coming in from the Internet
will have a destination port of 25. Outbound packets will have the
port numbers reversed. The fact that the secure system behind the
router always will be accepting mail connections on port 25 is what
makes it possible to separately control incoming and outgoing services.
The access list can be configured on either the outbound or inbound
interface.
In the following example, the Ethernet network is a Class B network
with the address 128.88.0.0, and the mail host's address is 128.88.1.2.
The keyword established is used only for the TCP protocol to indicate
an established connection. A match occurs if the TCP datagram has the
ACK or RST bits set, which indicate that the packet belongs to an
existing connection.
access-list 102 permit tcp 0.0.0.0 255.255.255.255 128.88.0.0 0.0.255.255 established
access-list 102 permit tcp 0.0.0.0 255.255.255.255 128.88.1.2 0.0.0.0 eq 25
interface ethernet 0
! Apply the list to packets leaving the router toward the Ethernet, i.e.
! traffic arriving from the Internet; applied "in" on ethernet 0 it would
! instead filter the Ethernet hosts' own outbound connections.
ip access-group 102 out
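To make the matching rules of the two entries concrete, here is a small evaluator written for this reply; it is an added example, not part of the original post or of IOS. It models only what the text describes: IOS wildcard masks (a 1 bit means "do not care"), the "eq 25" port test, the "established" keyword as "ACK or RST bit set", first-match-wins ordering and the implicit deny at the end of every access list. The packets are constructed samples travelling from an Internet host (192.0.2.10, a documentation address chosen here) toward the 128.88.0.0 Ethernet, which is the direction the text says the list is meant to control.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Added example: an evaluator for the two entries of access-list 102 from
# the post, run over constructed TCP packets heading toward the Ethernet.


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the mask means 'do not care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


@dataclass
class Packet:
    src: str            # source IP address
    dst: str            # destination IP address
    dport: int          # destination TCP port
    ack: bool = False   # TCP ACK flag
    rst: bool = False   # TCP RST flag


@dataclass
class Entry:
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    dport: Optional[int] = None   # "eq N" on the destination port, if any
    established: bool = False     # the "established" keyword


# access-list 102 from the post, transcribed entry by entry.
ACL_102: List[Entry] = [
    Entry("0.0.0.0", "255.255.255.255", "128.88.0.0", "0.0.255.255",
          established=True),
    Entry("0.0.0.0", "255.255.255.255", "128.88.1.2", "0.0.0.0", dport=25),
]


def evaluate(acl: List[Entry], pkt: Packet) -> str:
    """First matching entry wins; no match means the implicit deny."""
    for e in acl:
        if not wildcard_match(pkt.src, e.src, e.src_wc):
            continue
        if not wildcard_match(pkt.dst, e.dst, e.dst_wc):
            continue
        if e.dport is not None and pkt.dport != e.dport:
            continue
        # "established" matches only when ACK or RST is set.
        if e.established and not (pkt.ack or pkt.rst):
            continue
        return "permit"
    return "deny"


# Constructed sample traffic from an Internet host toward the Ethernet.
SAMPLES: Dict[str, Packet] = {
    # new SMTP connection to the dedicated mail host: second entry permits it
    "smtp_syn_to_mail_host": Packet("192.0.2.10", "128.88.1.2", 25),
    # new telnet connection to some other Ethernet host: implicit deny
    "telnet_syn_to_lan_host": Packet("192.0.2.10", "128.88.1.5", 23),
    # SMTP to a host that is not the mail host: implicit deny
    "smtp_syn_to_other_lan_host": Packet("192.0.2.10", "128.88.1.5", 25),
    # reply segment of a connection an Ethernet host opened: ACK set, permitted
    "reply_to_lan_web_client": Packet("192.0.2.10", "128.88.1.5", 40001,
                                      ack=True),
    # a bare RST also counts as "established"
    "rst_to_lan_host": Packet("192.0.2.10", "128.88.1.5", 40002, rst=True),
    # mid-connection SMTP segment: matched by the first entry already
    "smtp_data_to_mail_host": Packet("192.0.2.10", "128.88.1.2", 25,
                                     ack=True),
}


def decisions() -> Dict[str, str]:
    """Verdict of access-list 102 for every sample packet."""
    return {name: evaluate(ACL_102, p) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in decisions().items():
        print(f"{name:30} {verdict}")
```

One point the evaluator makes visible: "established" looks only at the flag bits of the individual packet, so the router keeps no record of which connections the Ethernet hosts actually opened. It is a cheap way to let reply traffic through, but it is not a stateful filter, which is why the first entry should be read as "permit anything that claims to belong to an existing connection".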