Re: [FW1] IP protocol 94
Expanding on this, <protocol> can be either a keyword like "tcp", "udp", "igmp", "icmp", etc. or an integer between 0-255, representing the IP protocol number. For those interested, I list all of the IANA IP protocol number designations (and a whole lot of other info gathered from various RFCs and people) at http://www.wittys.com/files/all-ip-numbers.txt . The IP protocols are listed at the very bottom of the page.

Anyway, with that said, a Cisco ACL command to allow this would look something like this: "access-list 100 permit 94 host 1.2.3.4 host 5.6.7.8", or whatever.

Hope this helps!

Jason

[email protected] wrote:
>
> I've not tried this (don't use SR here) and you don't say what routers you're
> using so I'll assume, but ciscos allow all manner of IP protocols to be passed
> through access lists.
>
> In their terminology access lists are created like
>
> access-list 100 <action> <protocol> <srcip> [srcport] <destip> [destport]
>
> so for a telnet session you might have
>
> access-list 100 permit tcp host 1.2.3.4 host 5.6.7.8 eq telnet
>
> In this instance the protocol is TCP (IP protocol 6), but you can substitute tcp
> for any valid IP protocol number. Ports probably aren't valid here as they
> refer specifically to TCP/UDP and not IP_P 94 - it'd be like looking for ports
> on ICMP packets.
>
> The URL below is a pretty thorough desc. of access-list construction on Ciscos.
>
> http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/np1_r/1rprt2/1rip.htm#xtocid26908
>
> If it's not a cisco, then I don't know. If I'm wrong, no doubt someone with
> actual real experience of this will step forward :-)
>
> Regards
>
> [email protected] on 22/09/2000 07:57:33
>
> To: [email protected]
> cc: (bcc: Simon Devlin/GB/ABNAMRO/NL)
> Subject: [FW1] IP protocol 94
>
> Hi Firewallers,
>
> I'm writing an inbound access-list for our Internet access router, and one
> thing I need to worry about is allowing SR sessions through. Checkpoint's
> web site and Phoneboy's site tell pretty much what's necessary to get site
> topology updates and authentication going (and I was able to get these
> working using the information given there).
>
> The trouble is that in order to allow the actual session through, I need to
> allow what both Phoneboy and Checkpoint describe as 'Bi-directional IP
> protocol 94', and I haven't got a clue as to what this is.
>
> What does this translate to in terms of TCP or UDP ports (or something else)
> that I need to allow through the router to get the session working? Thanks
> for any insight,
>
> Ian
>
> ================================================================================
> To unsubscribe from this mailing list, please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> ================================================================================
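As an added example (not from any poster in this thread), the following Python parser checks extended ACL entries of the shape discussed above and rejects the mistake Simon warns about: a port qualifier such as "eq telnet" on a protocol other than TCP or UDP, for instance on IP protocol 94. The protocol keyword table is a subset chosen for the example, and the parse_acl helper name is mine.

```python
# Added example: parse Cisco extended ACL entries and reject port qualifiers
# on protocols that have no ports (anything other than TCP/6 and UDP/17).

# IANA IP protocol numbers behind the keywords IOS accepts (subset; "ip" = any)
PROTO_KEYWORDS = {"ip": None, "icmp": 1, "igmp": 2, "tcp": 6, "udp": 17,
                  "gre": 47, "esp": 50, "ahp": 51, "ospf": 89}
PORT_CAPABLE = {6, 17}            # only TCP and UDP carry layer-4 ports
PORT_OPS = {"eq", "neq", "gt", "lt"}

def _protocol_number(token):
    """Return the IP protocol number for a keyword or a 0-255 integer."""
    if token in PROTO_KEYWORDS:
        return PROTO_KEYWORDS[token]
    if token.isdigit() and 0 <= int(token) <= 255:
        return int(token)
    raise ValueError(f"unknown protocol {token!r}")

def _take_address(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    if not tokens:
        raise ValueError("missing address")
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return f"{tokens[1]}/32", tokens[2:]
    return f"{tokens[0]} wildcard {tokens[1]}", tokens[2:]

def _take_port(tokens):
    """Consume an optional port qualifier such as 'eq telnet' or 'gt 1023'."""
    if tokens and tokens[0] in PORT_OPS:
        return f"{tokens[0]} {tokens[1]}", tokens[2:]
    return None, tokens

def parse_acl(line):
    """Parse one extended ACL entry into a dict; raise ValueError on misuse."""
    tokens = line.split()
    if len(tokens) < 6 or tokens[0] != "access-list" or tokens[2] not in ("permit", "deny"):
        raise ValueError(f"not an extended ACL entry: {line!r}")
    proto = _protocol_number(tokens[3])
    src, rest = _take_address(tokens[4:])
    src_port, rest = _take_port(rest)
    dst, rest = _take_address(rest)
    dst_port, rest = _take_port(rest)
    # Ports only exist in TCP/UDP headers; "eq telnet" on protocol 94 can never match.
    if (src_port or dst_port) and proto not in PORT_CAPABLE:
        raise ValueError(f"port qualifier is meaningless for IP protocol {proto}")
    return {"list": int(tokens[1]), "action": tokens[2], "protocol": proto,
            "src": src, "src_port": src_port, "dst": dst, "dst_port": dst_port,
            "options": rest}
```

Run it over an ACL dump before it goes on the router; an entry that raises is one that will silently never match the traffic it was meant to permit.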