I've not tried this (don't use SR here) and you don't say what routers you're
using so I'll assume, but Ciscos allow all manner of IP protocols to be passed
through access lists.
In their terminology access lists are created like
access-list 100 <action> <protocol> <srcip> [srcport] <destip> [destport]
so for a telnet session you might have
access-list 100 permit tcp host 1.2.3.4 host 5.6.7.8 eq telnet
In this instance the protocol is TCP (IP protocol 6), but you can substitute tcp
for any valid IP protocol number. Ports probably aren't valid here as they
refer specifically to TCP/UDP and not IP_P 94 - it'd be like looking for ports
on ICMP packets.
The URL below is a pretty thorough desc. of access-list construction on Ciscos.
http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/np1_r/1rprt2/1rip.htm#xtocid26908
If it's not a Cisco, then I don't know. If I'm wrong, no doubt someone with
actual real experience of this will step forward :-)
Regards
[EMAIL PROTECTED] on 22/09/2000 07:57:33
To: [EMAIL PROTECTED]
cc: (bcc: Simon Devlin/GB/ABNAMRO/NL)
Subject: [FW1] IP protocol 94
Hi Firewallers,
I'm writing an inbound access-list for our Internet access router, and one
thing I need to worry about is allowing SR sessions through. Checkpoint's
web site and Phoneboy's site tell pretty much what's necessary to get site
topology updates and authentication going (and I was able to get these
working using the information given there).
The trouble is that in order to allow the actual session through, I need to
allow what both Phoneboy and Checkpoint describe as 'Bi-directional IP
protocol 94', and I haven't got a clue as to what this is.
What does this translate to in terms of TCP or UDP ports (or something else)
that I need to allow through the router to get the session working? Thanks
for any insight,
Ian
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
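
The point made in the reply above, that port qualifiers belong only to TCP/UDP and not to a bare IP protocol such as 94, can be checked mechanically before an access list is pushed to a router. This is an added example, not part of the original thread: `check_acl` and its helpers are hypothetical names, the parser covers only the simplified line layout quoted in the reply plus the `any` / `host` / address-wildcard forms, and port 259 in the sample is a constructed value.

```python
import ipaddress

# Keyword -> IP protocol number (small subset; "ip" means "any protocol").
PROTO = {"icmp": 1, "tcp": 6, "udp": 17, "gre": 47, "esp": 50}
PORT_OPS = {"eq", "neq", "gt", "lt", "range"}

def _addr(tok):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'; return what is left."""
    if tok[:1] == ["any"]:
        return tok[1:]
    if len(tok) < 2:
        raise ValueError("incomplete address")
    if tok[0] != "host":
        ipaddress.IPv4Address(tok[0])   # raises ValueError if malformed
    ipaddress.IPv4Address(tok[1])
    return tok[2:]

def _ports(tok, proto):
    """Consume an optional port qualifier; ports exist only in TCP (6) and UDP (17)."""
    if tok and tok[0] in PORT_OPS:
        if proto not in (6, 17):
            raise ValueError(f"port qualifier '{tok[0]}' used with IP protocol {proto}")
        n = 3 if tok[0] == "range" else 2
        if len(tok) < n:
            raise ValueError("incomplete port qualifier")
        return tok[n:], True
    return tok, False

def check_acl(line):
    """Validate one extended access-list line; return its action, protocol, port use."""
    tok = line.split()
    if len(tok) < 4 or tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
        raise ValueError("not an access-list line")
    name = tok[3]
    proto = None if name == "ip" else PROTO[name] if name in PROTO else int(name)
    if proto is not None and not 0 <= proto <= 255:
        raise ValueError("IP protocol number must be 0-255")
    rest = _addr(tok[4:])
    rest, sport = _ports(rest, proto)
    rest = _addr(rest)
    rest, dport = _ports(rest, proto)
    return {"action": tok[2], "protocol": proto, "ports": sport or dport}

if __name__ == "__main__":
    for acl in ("access-list 100 permit tcp host 1.2.3.4 host 5.6.7.8 eq telnet",
                "access-list 100 permit 94 host 1.2.3.4 host 5.6.7.8",
                "access-list 100 permit 94 host 5.6.7.8 host 1.2.3.4"):
        print(check_acl(acl))
```

The last two sample lines cover both directions of the protocol 94 traffic; each would sit in the access list applied to the interface that direction enters on.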