Enterasys Networks CSX6000 User Manual

Page 307

Advertising
background image

Central Site Remote Access Switch 307

C

ONFIGURING

A

DVANCED

IP R

OUTING

IP Filters

The corporate dial-in access is realized with a WAN Direct Interface, using a pool of IP addresses
from the corporate LAN for dynamic assignment to the dial-in devices. These devices must first
pass Authentication processing, so there is a level of security inherent on this interface that is not
present on the Internet interface. Once authenticated, the devices are basically allowed to generate
traffic in the same way that they can when operating from within the corporate LAN. This includes
the ability to initiate TCP connections to the external Internet. Correspondingly, the strategy for this
filter is different. Its purpose is to enforce the stated requirement of not allowing any external access
to the Netserver or the CyberSWITCH itself.

Now suppose that a situation arises in which it is temporarily necessary to allow remote access to
the Netserver (for example, reconfiguration by a qualified member of staff who is offsite). Using the
IP Address from which the temporary access will take place, this can be accomplished by enabling
the Exception Filter. When traffic arrives from the Internet, the Exception filter will be executed
first, thereby allowing an override of the existing conditions of the Input filter. The Exception filter
would be set up as follows (the remote access is originated from address 201.55.89.100).

FORWARD

IP Src 0.0.0.0, 0.0.0.0
IP Dst: 255.255.255.255, 128.131.25.10
IP Prot: ANY

Permits any host to access the FTP
Server.

FORWARD

IP Src 0.0.0.0, 0.0.0.0
IP Dst: 255.255.255.255, 128.131.25.12
IP Prot: ANY

Permits any host to access the WWW
Server

FORWARD

IP Src 0.0.0.0, 0.0.0.0
IP Dst: 0.0.0.0., 0.0.0.0
IP Prot: TCP
TCP Src Port: RANGE 0 65535
TCP Dst Port: RANGE 0 65535
TCP Control: ESTABLISHED

Permits TCP traffic only from sessions
which have already been initiated by
corporate hosts.

FORWARD

IP Src 0.0.0.0, 0.0.0.0
IP Dst: 0.0.0.0., 0.0.0.0
IP Prot: ICMP

Permits all ICMP packets to enter (in-
cluding ECHO packets for PING).

DISCARD

All other packet types

No-match action.

DISCARD

IP Src 0.0.0.0, 0.0.0.0
IP Dst: 255.255.255.255, 128.131.25.11
IP Prot: ANY

Denies access to the Netserver.

DISCARD

IP Src 0.0.0.0, 0.0.0.0
IP Dst: 255.255.255.255, 128.131.25.15
IP Prot: ANY

Denies access to the CyberSWITCH it-
self.

DISCARD

IP Src 0.0.0.0, 0.0.0.0
IP Dst: 255.255.255.255, 193.57.50.1
IP Prot: ANY

Denies access to the CyberSWITCH it-
self.

FORWARD

All other packet types

No-match action

Advertising
This manual is related to the following products:

Cabletron CyberSWITCH CSX5500, CSX7000

Popular Brands
Popular manuals