10-07-2007 03:43 AM - edited 03-11-2019 04:21 AM
I have a Cisco 877 router (Cisco IOS Software, C870 Software (C870-ADVIPSERVICESK9-M), Version 12.4(9)T, RELEASE SOFTWARE (fc1)).
On the router I have servers directly connected to it, and I also have a SonicWall firewall connected to it. Behind the SonicWall I have my LAN. How do I allow everything to the SonicWall so that the SonicWall's VPN would work? Everything else works fine from the LAN and from the servers.
The other question is: how do I allow VNC connections with a reflective ACL? Or is this even possible?
I've tried something like this with no luck.
! There are also other permit lines on the list, but do they really matter? No denies except for the implicit one at the very end.
!
! Inbound from the Internet: the evaluate statements let return traffic back in,
! then everything destined to the SonicWall is permitted.
ip access-list extended insideaccess
 evaluate tcp-reflexive-temporary-list
 evaluate udp-reflexive-temporary-list
 permit ip any host 11.0.0.1
 evaluate ip_sonicille
! Everything from the inside should be allowed out.
!
! Outbound towards the Internet. An ACL is evaluated top-down and stops at the first
! match, so the "reflect" entry for 11.0.0.1 must come before "permit ip any any";
! placed after it (as originally posted) it is never reached and ip_sonicille never
! gets any temporary entries.
ip access-list extended outsideaccess
 permit ip host 11.0.0.1 any reflect ip_sonicille
 permit tcp any any reflect tcp-reflexive-temporary-list
 permit udp any any reflect udp-reflexive-temporary-list
 permit icmp any any echo
 permit icmp any any echo-reply
 permit ip any any
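A complete reflexive-ACL configuration for the setup described in this post, added here as an editorial example; it is not the poster's config. It assumes the WAN interface is Dialer0 (the thread never names it), uses 11.0.0.2 as a hypothetical DMZ server that should accept VNC on TCP 5900, and 203.0.113.0/24 as a hypothetical administrator source range. Reflexive ACLs only open the return direction of sessions started from inside, so an inbound VNC connection needs its own static permit in the inbound list, placed after the evaluate statements.

```cisco
! Added example, not the original poster's configuration.
! Assumptions: WAN interface Dialer0, DMZ VNC host 11.0.0.2, admin range 203.0.113.0/24.

! Expire idle temporary entries after 2 minutes instead of the 300 s default
ip reflexive-list timeout 120

! Outbound (DMZ/LAN -> Internet): every reflect line must precede the catch-all,
! because the first matching line ends the evaluation.
ip access-list extended outsideaccess
 remark SonicWall may send anything out (ISAKMP, ESP, NAT-T); its replies are tracked separately
 permit ip host 11.0.0.1 any reflect sonicwall-temp
 permit tcp any any reflect tcp-temp
 permit udp any any reflect udp-temp
 permit icmp any any reflect icmp-temp
 remark Other IP protocols leave, but without a reflect entry their replies will be dropped
 permit ip any any

! Inbound (Internet -> DMZ/LAN): return traffic first, then the two static exceptions
ip access-list extended insideaccess
 evaluate sonicwall-temp
 evaluate tcp-temp
 evaluate udp-temp
 evaluate icmp-temp
 remark Everything to the SonicWall, so its own VPN terminates and its own policy applies
 permit ip any host 11.0.0.1
 remark VNC to one DMZ server (assumed 11.0.0.2) from one admin range (assumed 203.0.113.0/24)
 permit tcp 203.0.113.0 0.0.0.255 host 11.0.0.2 eq 5900
 remark Make the implicit deny visible in the log
 deny ip any any log

! Both lists belong on the external interface: reflect on the way out, evaluate on the way in
interface Dialer0
 ip access-group insideaccess in
 ip access-group outsideaccess out
```

After a host behind the router has opened a connection, `show ip access-lists` lists the temporary entries under the reflexive list names (for example under tcp-temp), which is the quickest way to confirm the reflect lines are actually being hit. Traffic to the SonicWall is deliberately wide open at the router; the expectation is that the SonicWall's own rule set does the filtering for the LAN behind it.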
10-07-2007 05:55 AM
Help me understand what you're trying to do. What is the goal?
I read your post and say to myself: why bother with elaborate ACLs when you have a firewall to explicitly permit traffic based on its rules?
Best practice is to use broad-based ACLs to prescreen known offenders on the router.
10-07-2007 10:45 PM
The access lists are there because the servers are directly on the Cisco router. That's our DMZ solution. Not that good, I know, but can this work the way I want?
What I want is to allow everything to 11.0.0.1, because this is the address of the SonicWall, and I also want to allow VNC to certain addresses on the DMZ.
Should I just buy a PIX or a 5505 ASA?
10-08-2007 05:26 AM
Well, I am not a big fan of throwing money at a problem, yet you are faced with a design and a situation that does not allow you to make the changes you want very easily.
I would contact the provider that controls the router and get them to do what you desire.
Yes, reflexive ACLs would work, but I have yet to hear why them and not just an extended ACL.
Only if all else fails would I consider spending money to solve this.
10-09-2007 01:08 AM
If I contact the provider who controls the router, I talk to myself... ;)
Well, I'll have to try with just extended access lists with the established parameter. I had problems with DNS when I tried with extended access lists, but I didn't use any established commands.
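The non-reflexive alternative mentioned in this last post, added as an editorial example rather than the poster's config. The point it illustrates is why a plain extended ACL broke DNS: `established` matches only TCP segments with the ACK or RST bit set, so it covers TCP replies and nothing else, and UDP replies such as DNS answers need an explicit line. As above, Dialer0, the DMZ host 11.0.0.2 and the admin range 203.0.113.0/24 are assumptions.

```cisco
! Added example, not the original poster's configuration.
! Assumptions: WAN interface Dialer0, DMZ VNC host 11.0.0.2, admin range 203.0.113.0/24.

ip access-list extended from-internet
 remark TCP replies: only segments with ACK or RST set match "established"
 permit tcp any any established
 remark UDP has no flags to key on, so DNS answers (source port 53) need their own line;
 remark restricting the destination to ephemeral ports narrows what a port-53 source can reach
 permit udp any eq domain any gt 1023
 remark ICMP needed for ping replies, unreachables and path MTU discovery
 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 remark Everything to the SonicWall, so its VPN terminates there
 permit ip any host 11.0.0.1
 remark VNC to one DMZ server (assumed 11.0.0.2) from one admin range (assumed 203.0.113.0/24)
 permit tcp 203.0.113.0 0.0.0.255 host 11.0.0.2 eq 5900
 deny ip any any log

interface Dialer0
 ip access-group from-internet in
```

The trade-off against the reflexive version: `established` and the DNS line are stateless, so anything an outside host sends with the ACK bit set, or from UDP source port 53 to a high port, is let through regardless of whether a DMZ host ever asked for it. The reflexive lists only open entries for sessions that actually originated inside, which is why they are the better fit for a router that is acting as the DMZ firewall.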