| Title: | DEC Network Integration Server (DECNIS) |
| Notice: | Please read note 1 to use this conference effectively |
| Moderator: | MARVIN::WELCH |
| Created: | Wed Sep 18 1991 |
| Last Modified: | Thu Jun 05 1997 |
| Last Successful Update: | Fri Jun 06 1997 |
| Number of topics: | 3660 |
| Total number of notes: | 15082 |
I would like to restrict ip access from a remote location to specific
hosts. The type of ip access from these nodes would not be restricted.
After reading the documentation for V3.1, which we are running
(V3.1-9), it would appear IP packet filtering is the correct mechanism.
However it looks to be horrendous and will require numerous lines of
ncl. I hope I'm missing something. Here is what I believe are the
correct elements to make this work.
1. create priority
2. create priority interfaces
3. create priority filter for type pass tcp, pass udp, pass icmp
4. set priority filter nnnn inbound interface priority interface
l601-3-0, source address value xx.xx.xx.xx, source address mask
255.255.255.255
5. repeat step four for every host
6. repeat step 4 and 5 for the wan interface
7. repeat step 3, 4, 5, 6 to create reverse pass filter
8. enable the whole mess
9. drink much rum while spending many hours debugging ncl trying to find
my mistakes
Scott
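An added example, not part of the original note: steps 4 and 5 call for one source address value/mask entry per host, and the entry count drops when adjacent hosts can share a mask shorter than 255.255.255.255. The sketch below assumes the filter compares addresses with a standard bitwise netmask; the function names are hypothetical and the addresses are constructed documentation-range samples.

```python
import ipaddress

def to_value_mask_pairs(hosts):
    """Collapse host addresses into the fewest (value, mask) pairs that
    match exactly those hosts and nothing else."""
    nets = [ipaddress.ip_network(h + "/32") for h in hosts]
    return [(str(n.network_address), str(n.netmask))
            for n in ipaddress.collapse_addresses(nets)]

def matches(source, value, mask):
    """Assumed filter semantics: a source matches when its masked bits
    equal the masked filter value."""
    s = int(ipaddress.IPv4Address(source))
    v = int(ipaddress.IPv4Address(value))
    m = int(ipaddress.IPv4Address(mask))
    return (s & m) == (v & m)

def permitted(source, pairs):
    """True when any (value, mask) pair passes the source address."""
    return any(matches(source, v, m) for v, m in pairs)

# Constructed sample allow-list (RFC 5737 documentation addresses).
ALLOWED_HOSTS = [
    "192.0.2.16", "192.0.2.17", "192.0.2.18", "192.0.2.19",
    "192.0.2.40",
    "198.51.100.7",
]

if __name__ == "__main__":
    pairs = to_value_mask_pairs(ALLOWED_HOSTS)
    print(f"{len(ALLOWED_HOSTS)} hosts -> {len(pairs)} filter entries")
    for value, mask in pairs:
        print(f"source address value {value}, source address mask {mask}")
    # Check that the collapsed entries admit no neighbouring address.
    for probe in ("192.0.2.15", "192.0.2.18", "192.0.2.20", "192.0.2.41"):
        print(probe, "pass" if permitted(probe, pairs) else "drop")
```

Collapsing never widens the allow-list: four adjacent hosts become one 255.255.255.252 entry, while isolated hosts keep their 255.255.255.255 mask.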
| T.R | Title | User | Personal Name | Date | Lines |
|---|---|---|---|---|---|
| 3595.1 | Wait for the V1.1 release of the DECNIS Configurator. | MARVIN::MILLS | Thu Apr 10 1997 05:43 | 45 | |
Hi Scott,
for the V4.0 release of DECNIS we shipped Secure Connections that will
perform the task you are attempting. Along with this release we shipped
the DECNIS GUI Configurator for Windows NT and 95 that had support for
this feature.
Secure connections allows you to specify rules for PERMITing or DENYing
connection requests being forwarded through the DECNIS. IP (TCP, UDP and
ICMP), DECnet Phase IV and DECnet Phase V/OSI connection packets can be
filtered against your configured rules.
For example you can define a rule to :-
For TCP/IP,
From node : FOO
From circuit: circuit-1
From Port: any port
To node : BLAH
To circuit : circuit-2
To port : TELNET, FTP, FTP-DATA
Hours: All Day
Days: All Week
DENY this connection.
The configurator will present you with a set of screens that will help
you develop these rules, and a file is generated along with the NCL
script that can be combined with the image file or down-line loaded
separately onto the NIS.
We are very close to shipping the V1.1 release of the Windows
configurator, and I would highly recommend you wait until its release if
you wish to use secure connections. Note that the Windows configurator
for DECNIS is the only way of configuring Secure Connections rules.
Hope this helps.
Regards, Grant.
| 3595.2 | KAONIS::HYNDMAN | Sled Head | Thu Apr 10 1997 11:37 | 16 | |
Grant,
Thanks for your reply. I have looked at the GUI configurator and
read some of the features of the Secure Connections. These certainly add
value for the decnis product. Unfortunately I can't wait as we have to
implement this next week. Also we will have to purchase a new MPC
card for the decnis in order to support V4.x of the software. This
will be hard to justify since we can buy a whole new router for less than
the price of the MPC and it supports these features today.
In the absence of the gui configurator and V4.x, are the steps in my
base note the approach to achieve this functionality today?
Scott
| 3595.3 | Do you have MPC-II? | MARVIN::WELCH | Fri Apr 11 1997 05:07 | 7 | |
Scott,
as long as you have MPC-II you can run V3.1-9 or V4.0-2 software. MPC-III
is recommended if the customer wants a complex security setup. The overhead of
checking each packet against a large number of Secure Connections rules is CPU
intensive.
Steve.