use of the established command

Status
Not open for further replies.

sixtoedsloth

IS-IT--Management
Jan 1, 2002
118
GB
HI,

i have two networks with 801 isdn ddr routers. both ends have a unix host, which i need to be able to communicate (ftp and telnet). also we use netop to remote control pc's on the remote site.
however at present all remote pc's can "see" all hosts on our network. what are the options here. can i lock this down. i would like to be able to only allow connections into our network that have originated from our network

i hope that made sense :)

cheers,

russ
 
You have a couple of options depending on how secure you want to make this.

If you are looking for a high degree of security then the IOS firewall will fit your requirement. The filtering system allows anyone from the trusted side out and permits their return traffic. This applies to UDP and TCP based traffic.

For simply controlling access in a situation where you can trust users not to attempt hacking etc. then access lists could be used. From the title of your thread you have already looked at use of the established keyword; that's fine for TCP based traffic, but what about UDP?

If you need to control UDP the same way then you need to look at reflexive access lists, which I think are only supported in the firewall IOS.

If you only need to pass TCP with basic security then your use of the established keyword is fine.
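The two approaches described in this reply, side by side, as an added configuration example that is not from the original thread or from any poster. It assumes the ISDN side is BRI0 and the local LAN is 192.168.1.0/24 (both placeholders); the `established`, `reflect` and `evaluate` keywords are standard IOS extended-ACL syntax.

```cisco
! ---- Option 1: TCP only, using the established keyword ----
! Applied inbound on the ISDN interface. "established" matches any TCP
! segment with ACK or RST set, so replies to connections started from
! the 192.168.1.0/24 LAN get in, while fresh SYNs from the remote site
! are dropped. It is a flag check, not a state table: a packet with ACK
! set still matches even if no session exists, and UDP is not covered.
ip access-list extended TCP-RETURN-ONLY
 permit tcp any 192.168.1.0 0.0.0.255 established
 deny   ip  any any log
!
interface BRI0
 ip access-group TCP-RETURN-ONLY in

! ---- Option 2: reflexive ACLs, covering UDP (and ICMP) as well ----
! Outbound traffic from the LAN creates temporary reverse entries in the
! nested list RETURN-TRAFFIC; the inbound list only admits packets that
! match one of those entries, so the remote site can never open a new
! session towards 192.168.1.0/24.
ip access-list extended OUTBOUND
 permit tcp  192.168.1.0 0.0.0.255 any reflect RETURN-TRAFFIC timeout 300
 permit udp  192.168.1.0 0.0.0.255 any reflect RETURN-TRAFFIC timeout 60
 permit icmp 192.168.1.0 0.0.0.255 any reflect RETURN-TRAFFIC
 permit ip   any any
!
ip access-list extended INBOUND
 evaluate RETURN-TRAFFIC
 deny ip any any log
!
interface BRI0
 ip access-group OUTBOUND out
 ip access-group INBOUND  in
```

Two things to check after applying either option: `show access-lists` should show the reflexive entries appearing and expiring as sessions come and go, and the `log` entries on the final deny tell you what the remote site is still trying to reach. Also note that active-mode FTP needs the remote server to open a data connection back to the client on port 20, which neither option will admit; use passive FTP from the local hosts or the transfer will stall after login.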
 
To update my last post, I had a look at a router I have here, a 2611 with basic IP feature set, 12.0.7 IOS. It supports some of the reflexive access list commands, but not all!!

I looked on cisco.com software advisor, this feature should be available in most IOS feature sets.
 
What are reflexive acls used for?

any links where I could read about this?

thank you,
 
HI,

this has always confused me, because i know enough about cisco to get ddr isdn working and debug it etc.

BUT..

do i have to buy this firewall stuff or is it there already?

btw, tschouten that last link was very interesting, i shall read it again more thoroughly tomorrow at work

Russ
 
Hi Sloth of the Six toes :)

To answer your question, it depends on what IOS you have, some of them support the Firewall Feature set. And some of them don't. If the IOS is above 11.3 and IP PLUS you most likely have support for the Firewall Feature Set.

Cisco prides itself on its software, so of course there are thousands of different IOSs available for every device (or at least it seems that way). Some of the IOSs support different things. If you are registered under a CCO contract of some form you can go to the Cisco website and research which IOS for your machine supports what software feature. (It's a nightmare in itself trying to keep up with what was supported under what IOS level...eggghh).

 
i managed to get a login to cisco's site and i see what you mean! i am more confused now than when i started :(

i have now become an ostrich :>

thanks for your help. most useful
 