[AusNOG] ACL question
Alex Samad
alex at samad.com.au
Sat Dec 3 09:50:20 EST 2016
Hi
Let me expand a bit.
I have 2 sets of routers that have 3-4 ISPs connected and I apply very broad
ACLs here. They are RouterOS boxes.
They both connect to a shared VLAN and then onto a single ASA5520.
I want to allow tcp packets that are part of a stream ... in through these
routers.
I can't use established because in RouterOS it depends on the underlying
firewall seeing the initial SYN packet or at least seeing an outbound TCP
packet (as I allow all out).
Working from memory.
initial packet -> Syn
initial reply -> syn,ack
3rd is syn,ack
every other packet (valid) has a ack
end is FIN (does it have an ack ?)
does RST have an ack ?
so if I allow
ack
fin
rst
packets through that should cover all the tcp packets after the initial syn
Alex
On 3 December 2016 at 00:04, Tom Storey <tom at snnap.net> wrote:
> If its a Cisco, might a reflexive ACL help?
>
> On 2 December 2016 at 02:51, Alex Samad <alex at samad.com.au> wrote:
>
>> Hi
>>
>> having a blonde moment.
>>
>> I want to set an ACL to allow TCP streams through a firewall where there
>> is asymmetric routing in place. So a stream that might be initiated via a
>> different path, comes via this router mid stream
>>
>> If I allow tcp packets that have ACK and/or RST, that should cover all
>> packets in a tcp stream after the initial handshake.
>>
>>
>> Alex
>>
>> _______________________________________________
>> AusNOG mailing list
>> AusNOG at lists.ausnog.net
>> http://lists.ausnog.net/mailman/listinfo/ausnog
>>
>>
>
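The flag-matching rule Alex is reasoning about, worked through as an added example (not from the thread or from RouterOS): a stateless filter that passes any TCP segment carrying ACK, FIN or RST and drops a bare SYN, run over a constructed trace of one connection. The flag values are the standard TCP header bits; the trace is made up for illustration.

```python
"""Stateless TCP flag filter: allow segments with ACK, FIN or RST set."""

# Standard TCP flag bits from the header's flags byte.
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def passes_stateless_acl(flags: int) -> bool:
    """True if an ACL permitting tcp packets with ACK, FIN or RST would pass
    this segment. Only a segment with none of those bits (a bare SYN, or a
    null-flag packet) is dropped, which is the same outcome as dropping
    RouterOS tcp-flags=syn,!ack and permitting the rest."""
    return bool(flags & (ACK | FIN | RST))


# Constructed trace of a normal connection. After the handshake completes,
# every segment carries ACK (RFC 793), so FIN segments always have ACK set.
# A RST aborting an established connection is typically bare RST; a RST
# answering a SYN to a closed port is RST,ACK. Both pass this filter.
TRACE = [
    ("client SYN", SYN),
    ("server SYN,ACK", SYN | ACK),
    ("client ACK", ACK),
    ("data PSH,ACK", PSH | ACK),
    ("client FIN,ACK", FIN | ACK),
    ("server FIN,ACK", FIN | ACK),
    ("final ACK", ACK),
    ("abort RST", RST),
]


def classify_trace(trace):
    """Return (label, permitted) for each segment in the trace."""
    return [(label, passes_stateless_acl(flags)) for label, flags in trace]


def dropped_segments(trace):
    """Labels of the segments the stateless ACL would drop."""
    return [label for label, ok in classify_trace(trace) if not ok]


if __name__ == "__main__":
    for label, ok in classify_trace(TRACE):
        print(f"{label:16} {'permit' if ok else 'drop'}")
    # Only the stream opener is dropped; everything mid-stream passes,
    # including an unsolicited SYN,ACK or ACK, so the stateful ASA behind
    # these routers remains the control that ties segments to a real session.
```

The filter admits any segment with ACK set regardless of whether a session exists, so it is only a coarse pre-filter; the ASA's state table is what actually validates the stream.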