
Access Control
bintec Dm752-I
Manual, Version 11.06
Copyright© bintec elmeg

Summary of Contents for Dm752-I


Page 2: ...bintec offers no warranty whatsoever for information contained in this manual. bintec is not liable for any direct, indirect, collateral, consequential or any other damage connected to the delivery, supply...

Page 3: ...4.4 MOVE ENTRY 11; 2.4.5 DESCRIPTION 11; 2.4.6 NO 12; 2.4.7 EXIT 12; 2.5 Extended Access Lists 12; 2.5.1 HELP 13; 2.5.2 ENTRY 13; 2.5.3 LIST 20; 2.5.4 MOVE ENTRY 21; 2.5.5 DESCRIPTION 21; 2.5.6 NO 21; 2.5.7 EXI...

Page 4: ...R CACHE 43; 3.1.4 SET CACHE SIZE 43; 3.1.5 SHOW HANDLES 43; 3.1.6 HIDE HANDLES 43; Chapter 4 Appendix 44; 4.1 Reserved Ports 44; 4.2 Reserved Protocols 44; 4.3 Protocol Values in Stateful Lists 47; Table of C...

Page 5: ...intec Dm745-I Policy Routing; bintec Dm764-I Route Mapping; bintec Dm780-I Prefix Lists; bintec Dm786-I AFS; bintec Dm788-I New NAT Protocol; bintec Dm795-I Policy-Map/Class-Map; bintec elmeg Related Docume...

Page 6: ...at both input (to avoid router overload) and output. Access Control Lists themselves cannot limit the packet flow in the router. To do this they must be associated to protocols that allow traffic filters...

Page 7: ...of entries which define the properties that a packet must have in order to belong to this entry and, consequently, to this list. This Access Control List is then assigned to a protocol. Note: Access Contr...

Page 8: ...ess Controls functionality configuration menu. Here you can create, eliminate and view the access lists. Each Access Control List is made up of entries where you can indicate criteria and the parameters...

Page 9: ...on an Access Control List DIFFERS from that used in a Prefix List (please see manual bintec Dm780-I Prefix Lists). In the latter case this order is given by the value of the identifier. The following com...

Page 10: ...tandard Access List 1, assigned to no protocol / 1 PERMIT SRC 192.60.1.24/32 / 2 PERMIT SRC 0.0.0.0/0 / Extended Access List 100, assigned to no protocol / 1 PERMIT SRC 172.34.53.23/32 DES 0.0.0.0/0 Conn 0 PROT...

Page 11: ...identifier is within the 1-99 value range, i.e. a Standard List. The new submenu prompt, together with its identifier, shows it is a Standard List. Example: Access Lists config>access-list 1 / Standard Access...

Page 12: ...f entry or access control as permit. / deny: Configures type of entry or access control as deny. / source: Source menu (subnet or port). / description: Sets a description for the current entry. / 2.4.2.1 ENTRY id DEFA...

Page 13: ...e concepts. Address | Wildcard mask | Matching entry: 172.24.0.127 | 255.255.0.255 | Matches source addresses 172.24.x.127 regardless of the value of x, e.g. 172.24.12.127. 0.0.0.67 | 0.0.0.255 | Matches source addres...

Page 14: ...ample: Standard Access List 1>entry 1 description first entry / Standard Access List 1> / 2.4.3 LIST: Displays the information on the Access Control List configuration that is being edited, i.e. information re...

Page 15: ...nt of which you wish to place the entry. When you wish to place an entry at the end of the list (lowest priority) you need to specify the end option. Syntax: Standard Access List>move-entry entry_to_move e...

Page 16: ...tandard Access Control list configuration environment and returns to the main Access Control menu prompt. Syntax: Standard Access List>exit / Example: Standard Access List 1>exit / Access Lists config> / 2.5 Ex...

Page 17: ...t already exists means that the value of the parameter introduced will be modified. Syntax: Extended Access List>entry id parameter value / The configuration options for an Extended entry are as follows: E...

Page 18: ...range. 2.5.2.4.1 ENTRY id SOURCE ADDRESS: Establishes the source IP address sentence. A mask is used to indicate the selected range of addresses. This address may not be numbered, meaning you can enter an...

Page 19: ...entry 3 source address interface serial0/0 / Extended Access List 100> / Caution: An interface should only be configured as source in those access lists that are going to be associated to IPSec. Since this...

Page 20: ...ecked with the entry. To do this, the active bits in the wildcard mask indicate the exact position of the address bits that must be checked by the entry. Please check the double examples in the following...

Page 21: ...or UDP destination ports. If the packet corresponds to the ICMP protocol and the entry is configured to carry out filtering over this protocol (using the command entry id protocol icmp), this command establis...

Page 22: ...f you do not want to set a range, simply enter two equal values. Both protocol identifiers can take values between 0 and 255. The purpose of this command is to grant or deny access to various protocols. S...

Page 23: ...2 ENTRY id TOS OCTET: Establishes the Access Control sentence based on the value of the IP packet Type of Service byte. This can take values between 0 and 255. You can also specify a bit mask that deter...
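The masking rule from pages 13 and 20 (a set bit in the wildcard mask means the corresponding address bit is compared; a clear bit is ignored) and the TOS-octet bit mask from page 23, carried through in Python as an added example. This is not code from the Dm752-I manual: the function names are chosen here, the TOS mask is assumed to select the compared bits in the same way as the address wildcard, and the sample addresses are constructed. The caveat a practitioner will want: Cisco IOS wildcard masks use the opposite convention (a set bit means "ignore this bit"), so masks must not be copied between the two without inverting them.

```python
"""Masked matching as used in bintec Dm752-I access-list entries.

Added example, not code from the manual: a set bit in the wildcard mask means
"compare this bit" (page 13: 172.24.0.127 with mask 255.255.0.255 matches
172.24.x.127 for any x). The same masked comparison is assumed here for the
TOS octet and its bit mask (page 23). This is the inverse of Cisco IOS
wildcard masks, where a set bit means "ignore this bit".
"""
import ipaddress


def masked_match(value: int, reference: int, mask: int) -> bool:
    """True when every bit selected by `mask` is equal in value and reference."""
    return (value & mask) == (reference & mask)


def _ip_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def ip_matches(packet_ip: str, entry_ip: str, wildcard: str) -> bool:
    """Evaluate a source/destination address sentence with bintec mask semantics."""
    return masked_match(_ip_int(packet_ip), _ip_int(entry_ip), _ip_int(wildcard))


def tos_matches(packet_tos: int, entry_tos: int, bitmask: int = 0xFF) -> bool:
    """TOS-octet sentence: compare only the bits set in `bitmask` (assumption,
    consistent with the page-20 rule for address wildcards). A mask of 0xFC
    compares the six DSCP bits and ignores the two ECN bits."""
    return masked_match(packet_tos & 0xFF, entry_tos & 0xFF, bitmask & 0xFF)


def wildcard_to_prefix_len(wildcard: str):
    """The `list` output prints contiguous masks as a prefix length
    (255.255.0.0 -> 16). A non-contiguous mask such as 255.255.0.255 selects
    bits in the middle of the address and has no prefix form: returns None."""
    m = _ip_int(wildcard)
    ones = bin(m).count("1")
    if m == (0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF:
        return ones
    return None


if __name__ == "__main__":
    # Constructed sample packets, not taken from the manual.
    for pkt in ("172.24.12.127", "172.24.200.127", "172.24.12.128"):
        print(pkt, ip_matches(pkt, "172.24.0.127", "255.255.0.255"))
    for pkt in ("10.1.2.67", "192.168.5.67", "10.1.2.68"):
        print(pkt, ip_matches(pkt, "0.0.0.67", "0.0.0.255"))
    print(wildcard_to_prefix_len("255.255.0.0"), wildcard_to_prefix_len("255.255.0.255"))
    print(tos_matches(0xB9, 0xB8, 0xFC))  # EF with an ECN bit set still matches on DSCP
```

`wildcard_to_prefix_len` is the check to run before reading a `list` output as CIDR: only contiguous masks have a prefix length, and the page-13 mask 255.255.0.255 does not.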

Page 24: ...is access list. / address-filter-entries: Display the entries that match an IP address. / entry: Display one entry of this access list. / 2.5.3.1 LIST ALL ENTRIES: Displays all the Access Control List configurati...

Page 25: ...RT 1024-65535 / 2 PERMIT SRC 192.233.33.11/32 DES 0.0.0.0/0 Conn 0 PROT 33-102 / 3 DENY SRC 0.0.0.0/0 DES 0.0.0.0/0 Conn 0 / Extended Access List 100>move-entry 1 end / Extended Access List 100>list all-entri...
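Ordered evaluation of an extended list, as an added example that is not the manual's own code. It models what pages 9, 15, 17 and 25 describe: entries are evaluated in list order rather than by identifier, the first matching entry decides, `entry <id> ...` modifies an existing entry or creates a new one, and `move-entry <id> end` gives an entry the lowest priority. The class and field names are chosen here; the assumptions (labelled in the code) are that a new entry is appended at the end, that a packet matching no entry is denied, that addresses are in the a.b.c.d/len form `list` prints, and that the port field is a destination port (the page-25 listing only shows the tail `RT 1024-65535`). The sample entries are constructed to resemble that listing.

```python
"""Ordered first-match evaluation of an extended access list (added example).

Not code from the Dm752-I manual. Assumptions: a new entry is appended at the
end (lowest priority), a packet that matches no entry is denied, addresses are
written as a.b.c.d/len, and "DPORT" names the port field of the listing.
"""
from dataclasses import dataclass
import ipaddress


@dataclass
class Packet:
    src: str
    dst: str
    proto: int          # IP protocol number, 0-255
    dport: int = 0      # TCP/UDP destination port, 0 when not applicable


@dataclass
class Entry:
    ident: int
    action: str                      # "permit" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: tuple = (0, 255)          # range; equal bounds select one protocol (page 22)
    dport: tuple = (0, 65535)

    def matches(self, p: Packet) -> bool:
        return (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src, strict=False)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst, strict=False)
                and self.proto[0] <= p.proto <= self.proto[1]
                and self.dport[0] <= p.dport <= self.dport[1])

    def line(self) -> str:
        """One line in the style of `list all-entries`."""
        s = f"{self.ident} {self.action.upper()} SRC {self.src} DES {self.dst}"
        if self.proto != (0, 255):
            s += f" PROT {self.proto[0]}-{self.proto[1]}"
        if self.dport != (0, 65535):
            s += f" DPORT {self.dport[0]}-{self.dport[1]}"   # field name is an assumption
        return s


class ExtendedAccessList:
    def __init__(self, ident: int):
        assert 100 <= ident <= 199, "extended lists use identifiers 100-199"
        self.ident = ident
        self.entries = []

    def entry(self, ident: int, **fields) -> Entry:
        """`entry <id> <parameter> <value>`: modify an existing entry, else create one."""
        for e in self.entries:
            if e.ident == ident:
                for k, v in fields.items():
                    setattr(e, k, v)
                return e
        e = Entry(ident, fields.pop("action", "permit"), **fields)
        self.entries.append(e)          # assumption: new entries go to the end
        return e

    def move_entry(self, ident: int, target) -> None:
        """`move-entry <id> <target>`: place the entry in front of entry `target`,
        or at the end (lowest priority) when target is "end"."""
        e = next(x for x in self.entries if x.ident == ident)
        self.entries.remove(e)
        if target == "end":
            self.entries.append(e)
        else:
            pos = next(i for i, x in enumerate(self.entries) if x.ident == target)
            self.entries.insert(pos, e)

    def evaluate(self, p: Packet) -> str:
        """First matching entry in list order decides; no match means deny (assumption)."""
        for e in self.entries:
            if e.matches(p):
                return e.action
        return "deny"

    def list_all_entries(self) -> list:
        header = f"Extended Access List {self.ident}, assigned to no protocol"
        return [header] + [e.line() for e in self.entries]


def build_sample_list() -> ExtendedAccessList:
    """Constructed list resembling the page-25 listing (not the manual's own)."""
    acl = ExtendedAccessList(100)
    acl.entry(1, action="permit", proto=(6, 6), dport=(1024, 65535))
    acl.entry(2, action="permit", src="192.233.33.11/32", proto=(33, 102))
    acl.entry(3, action="deny")
    return acl


if __name__ == "__main__":
    acl = build_sample_list()
    high_port = Packet("10.0.0.1", "10.0.0.2", 6, 2000)
    print(acl.evaluate(high_port))      # permit: entry 1 is hit first
    acl.move_entry(1, "end")            # entry 1 now has the lowest priority
    print(acl.evaluate(high_port))      # deny: the catch-all entry 3 is hit first
    print("\n".join(acl.list_all_entries()))
```

The point worth checking on a real box is the second `evaluate`: after `move-entry 1 end` the catch-all deny precedes entry 1, so the same packet is dropped, even though entry 1 still exists and its identifier has not changed.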

Page 26: ...identifier is within the 5000-9999 value range, i.e. a Stateful List. The new submenu prompt, together with its identifier, shows it is a Stateful Access List. Example: Access Lists config>access-list 5001...

Page 27: ...reates and modifies an entry or element in an Access Control List. This command must always be entered followed by the register number (identifier) and a sentence. A new entry is created whenever this com...

Page 28: ...IP protocol matching options. / protocol-range: Specify a protocol range. / peer2peer: Match peer-to-peer traffic. / rate-limit: Match a specific rate limit in kbps. / conn-limit: Match a specific connection limit...

Page 29: ...p referer ebay.com / Command history: Version | Modification; 11.1.1 | This command was introduced as of version 11.1.2 / 2.6.3.4 ENTRY id APP-DETECT HTTP-URL: Matches the HTTP URL session drawn by AFS app-detec...

Page 30: ...st be configured for the command to be operative. If no SSL session is detected when said app-detect is configured, there is no match. Syntax: Stateful Access List>entry id app-detect ssl / Example: Stateful...

Page 31: ...pecify the mask, this is assumed to be the host mask. This also allows you to select the destination address through a range. Syntax: Stateful Access List>entry id destination address ip mask mask / Stateful...

Page 32: ...l parameter associated to each packet. It is made up of a number that can be used to select, classify and filter IP traffic. By default, all IP packets have an associated label value equal to 0. This value...

Page 33: ...teful Access List 5000> / Some of the selected protocols allow for sub-options, such as peer2peer: Stateful Access List 5000>entry 1 protocol peer2peer / all: All peer-to-peer traffic / apple: AppleJuice traffic...

Page 34: ...surpassed, the packet is considered as matching this criterion. Syntax: Stateful Access List>entry id rate-limit limit burst / Example: Stateful Access List 5000>entry 1 rate-limit 100 / Stateful Access List...
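The rate-limit criterion of pages 28 and 34 (a limit in kbps with a burst; once the limit is surpassed the packet matches) modelled as a token bucket, as an added example that is not the manual's own code. The page does not say how the limit is enforced, so the token-bucket model, the byte unit of the burst argument and the rule that a matching (over-limit) packet consumes no tokens are assumptions labelled in the code; the traffic fed through it is constructed. The one thing to keep in mind when pairing this criterion with a `deny`: the entry matches only the excess packets, so traffic under the limit falls through to the next entry.

```python
"""rate-limit matching for a stateful access-list entry (added example).

Not code from the Dm752-I manual. Page 28 gives the limit in kbps and page 34
says that once the limit is surpassed the packet matches the criterion. This
models that with a token bucket: tokens accrue at `limit_kbps`, up to `burst`
bytes; a packet that fits in the bucket consumes tokens and does not match, a
packet that does not fit matches (and consumes nothing). The byte unit of the
burst argument and the token-bucket model itself are assumptions.
"""


class RateLimitMatch:
    def __init__(self, limit_kbps: int, burst_bytes: int):
        self.rate = limit_kbps * 1000 / 8     # bytes per second
        self.burst = burst_bytes
        self.tokens = float(burst_bytes)      # bucket starts full
        self.last = 0.0

    def matches(self, size_bytes: int, now: float) -> bool:
        """True when this packet surpasses the configured rate."""
        elapsed = max(0.0, now - self.last)
        self.last = max(self.last, now)
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate)
        if size_bytes <= self.tokens:
            self.tokens -= size_bytes
            return False
        return True


def simulate(limit_kbps: int, burst_bytes: int, packets) -> list:
    """Run constructed (timestamp, size) pairs through one matcher; returns the
    per-packet match flags in order."""
    m = RateLimitMatch(limit_kbps, burst_bytes)
    return [m.matches(size, t) for t, size in packets]


if __name__ == "__main__":
    # Constructed traffic: four 1500-byte packets at t=0, then one at t=1s.
    # At 100 kbps (12500 bytes/s) with a 5000-byte burst the fourth packet
    # exceeds the bucket and is the only one that matches.
    print(simulate(100, 5000, [(0, 1500), (0, 1500), (0, 1500), (0, 1500), (1.0, 1500)]))
```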

Page 35: ...2000 / Stateful Access List 5000> / 2.6.3.30 ENTRY id SOURCE UDP PORT: Specifies a port or a range of UDP source ports. The packet must be UDP to match this criterion. Syntax: Stateful Access List>entry id sou...

Page 36: ...tate. The possible states for a session are as follows: / invalid: The session is in an invalid state, ready to be deleted. / new: The session is new; this is the first packet for this session. / established: The se...

Page 37: ...addresses themselves must be specified in a configuration file, detailed below. The device downloads the indicated configuration file through the TFTP protocol. Use this command to specify the TFTP ser...

Page 38: ...00 seconds. If you don't specify any value, the default update interval is 1 day. 2. Subsequently you can enter the HTTP error page that you want to be displayed in cases where there has been an attempt...

Page 39: ...50000 / 2.7 Show Config: Show Config is a configuration console tool (PROCESS 4) that allows you to list the commands required to configure a router from an empty configuration (no conf). The command can be...

Page 40: ...ntry 1 source address 172.24.51.57 255.255.255.255 / Extended Access List 101>entry 1 destination address 172.60.1.163 255.255.255.255 / Extended Access List 101> / The configured access list will have the f...

Page 41: ...g the Access List to the IPSec Protocol: To complete the IPSec Security Policy Databases (SPD) you need to map the Access Control List elements to the selected Templates. In this case, since the Access C...

Page 42: ...dles disappear. 3.1.1 HELP: Lists the valid commands at the level where the router is programmed. You can also use it after a specific command to list the available options. Syntax: Access Lists> / Example: Ac...

Page 43: ...Cache size 32 entries / Promotion zone 6 entries / ACCESS LIST ENTRIES / 1 PERMIT SRC 172.25.54.33/32 DES 192.34.0.0/16 Conn 0 PROT 21 Hits 0 / 2 DENY SRC 0.0.0.0/0 DES 0.0.0.0/0 Conn 0 Hits 0 / 3 PERMIT SRC 0...

Page 44: ...entries / Promotion zone 6 entries / ACCESS LIST ENTRIES / 1 PERMIT SRC 172.25.54.33/32 DES 192.34.0.0/16 Conn 0 PROT 21 Hits 0 / 2 DENY SRC 0.0.0.0/0 DES 0.0.0.0/0 Conn 0 Hits 0 / 3 PERMIT SRC 0.0.0.0/0 DES 0...

Page 45: ...otocol / Extended Access List 100, assigned to no protocol / ACCESS LIST CACHE: Hits 2, Miss 0, Cache size 32 entries, Promotion zone 6 entries / 1 PERMIT SRC 172.25.54.33/32 DES 192.34.0.0/16 Conn 0 PROT 21 Hit...

Page 46: ...51.57/32 DES 172.60.1.163/32 Conn 0 Hits 0 / 2 PERMIT SRC 0.0.0.0/0 DES 0.0.0.0/0 Conn 0 Hits 0 / Extended Access List 103, assigned to no protocol / ACCESS LIST ENTRIES / 1 PERMIT SRC 1.0.0.0/8 DES 2.0.0.0/8...

Page 47: ...trol List from the cache, processing the Access Control Lists. Syntax: Access Lists>clear-cache id / Example: Access Lists>clear-cache 100 / Cache cleared / Access Lists> / 3.1.4 SET CACHE SIZE: Configures the cach...

Page 48: ...rol] / ftp 21/udp File Transfer [Control] / telnet 23/tcp Telnet / telnet 23/udp Telnet / smtp 25/tcp Simple Mail Transfer / smtp 25/udp Simple Mail Transfer / nameserver 42/tcp Host Name Server / nameserver 42/udp Ho...

Page 49: ...Class 4 [RFC905,RC77] / 30 NETBLT Bulk Data Transfer Protocol [RFC969,DDC1] / 31 MFE-NSP MFE Network Services Protocol [MFENET,BCH2] / 32 MERIT-INP MERIT Internodal Protocol [HWB] / 33 SEP Sequential Exchange Protoco...

Page 50: ...C3] / 76 BR-SAT-MON Backroom SATNET Monitoring [SHB] / 77 SUN-ND SUN ND PROTOCOL-Temporary [WM3] / 78 WB-MON WIDEBAND Monitoring [SHB] / 79 WB-EXPAK WIDEBAND EXPAK [SHB] / 80 ISO-IP ISO Internet Protocol [MTR] / 81 VMTP VMT...

Page 51: ...io Transport Protocol [Sautter] / 127 CRUDP Combat Radio User Datagram [Sautter] / 128 SSCOPMCE [Waber] / 129 IPLT [Hollbach] / 130 SPS Secure Packet Shield [McIntosh] / 131 PIPE Private IP Encapsulation within IP [Petri...

Page 52: ...s ARGUS / ariel1 Ariel1 / ariel2 Ariel2 / ariel3 Ariel3 / aris ARIS / arns A Remote Network Server System / as-servermap AS Server Mapper / asa ASA Message Router Object Def. / asa-appl-proto asa-appl-proto / asip-webad...

Page 53: ...File System / cimplex cimplex / cisco-fna cisco FNATIVE / cisco-phone Cisco IP Phones and PC-Based Unified Communicators / cisco-sys cisco SYSMAINT / cisco-tdp Cisco TDP / cisco-tna cisco TNATIVE / citrix Citrix IC...

Page 54: ...rol Protocol / dcn-meas DCN Measurement Subsystems / dcp Device Control Protocol / dctp dctp / ddm-dfm DDM Distributed File Management / ddm-rdb DDM Remote Relational Database Access / ddm-ssl DDM Remote DB Acces...

Page 55: ...rior Gateway Routing Protocol / elcsd errlog copy/server daemon / embl-ndt EMBL Nucleic Data Transfer / emcon EMCON / emfis-cntl EMFIS Control Service / emfis-data EMFIS Data Service / encap Encapsulation Header...

Page 56: ...HELLO_PORT / hems hems / hip Host Identity Protocol / hmmp-ind HMMP Indication / hmmp-op HMMP Operation / hmp Host Monitoring / hopopt IPv6 Hop-by-Hop Option / hostname NIC Host Name Server / hp-alarm-mgr hp performa...

Page 57: ...Compression Protocol / ipcserver Sun IPC server / ipcv Internet Packet Core Utility / ipdd ipdd / ipinip IP-in-IP / ipip IP-within-IP Encapsulation Protocol / iplt IPLT / ipp Internet Printing Protocol / ippc Interne...

Page 58: ...y Access Protocol / ldp LDP / leaf-1 Leaf-1 / leaf-2 Leaf-2 / legent-1 Legent Corporation / legent-2 Legent Corporation / ljk-login ljk-login / lockd LockD / locus-con Locus PC-Interface Conn Server / locus-map Locus P...

Page 59: ...soft rome / ms-shuttle microsoft shuttle / ms-sql-m Microsoft SQL Monitor / msdp msdp / msexch-routing MS Exchange Routing / msft-gc Microsoft Global Catalog / msft-gc-ssl Microsoft Global Catalog with LDAP/SSL / m...

Page 60: ...Who Is / nlogin nlogin / nmap nmap / nmsp Networked Media Streaming Protocol / nnsp nnsp / nntp Network News Transfer Protocol / notes Lotus Notes(R) / novadigm Novadigm Enterprise Desktop Manager (EDM) / novastorbakcu...

Page 61: ...word-chg Password Change / pawserv Perf Analysis Workbench / pcanywhere Symantic PCAnywhere / pcmail-srv PCMail Server / pdap Prospero Data Access Protocol / peer2peer Match peer-to-peer traffic / personal-link p...

Page 62: ...e Remote Data Base / rdp Reliable Data Protocol / re-mail-ck Remote Mail Checking Protocol / realm-rusd ApplianceWare management protocol / remote-kis remote-kis / remotefs rfs server / repcmd repcmd / repscmd repsc...

Page 63: ...SCO Web Server Manager 3 / sco-websrvrmgr SCO WebServer Manager / scohelp scohelp / scoi2odialog scoi2odialog / scps SCPS / sctp Stream Control Transmission Protocol / scx-proxy scx-proxy / sdnskmp SDNSKMP / sdrp Sou...

Page 64: ...col / snp Sitara Networks Protocol / snpp Simple Network Paging Protocol / sntp-heartbeat SNTP HEARTBEAT / socks Firewall Security Protocol / softpc Insignia Solutions / sonar sonar / spmp spmp / sprite-rpc Sprite RP...

Page 65: ...l System / tacnews TAC News / talk talk / tcf TCF / tcp Transmission Control Protocol / td-replica Tobit David Replica / td-service Tobit David Service Layer / teedtap teedtap / tell send / telnet Telnet Protocol / tempo...

Page 66: ...vnc Virtual Network Computing / vpp Virtual Presence Protocol / vpps-qua vpps-qua / vpps-via vpps-via / vrrp Virtual Router Redundancy Protocol / vsinet vsinet / vslmp vslmp / wap-push WAP PUSH / wap-push-http WAP P...

Page 67: ...ransfer Protocol / xfer XFER Utility / xnet Cross Net Debugger / xns-auth XNS Authentication / xns-ch XNS Clearinghouse / xns-courier Xerox / xns-idp XEROX NS IDP / xns-mail XNS mail / xns-time XNS Time Protocol / xtp...
