Real Time Ascend Mailing List Archive

RE: (ASCEND) Adding Filters to TNT MAX



Ken - Did you ever get your filters to work?

I am trying to do something similar and am having problems.  Any tips for a
beginner in Ascend filters?  I am familiar w/ Cisco filters, but is the mask
'backwards' on the Ascend?  I am trying to limit a user's ability to go to
other subnets using an Ethernet filter.

I am using RADIUS to pass the Filter-ID Attribute to the Ascend.  I guess
that this is working.

Thanks

John Buckner


-----Original Message-----
From: Ken Kirchner [mailto:kenk@shreve.net]
Sent: Tuesday, February 01, 2000 1:54 AM
To: ascend-users@bungi.com
Subject: (ASCEND) Adding Filters to TNT MAX



Hello all,

	We just set up some filters on our 3Com modem pool to protect our
core network from the prying eyes of our dial-up customers.  Now we would
like to do the same on our TNT MAX unit.  Basically the filters match
ports with authorized machines.  This is only for tcp ports <1024.  We
allow web, ftp, mail, etc, and deny everything else below 1024.  This
same type of filter has always been in place on our border router to
protect us from outside attacks.

On the 3Com units we created 3 filters (one for admin use, one for
employee use, and one for everyone else). By default everyone gets the
'everyone else' filter.  Using RADIUS attributes we can assign the
admin and employee filters to those users who would require it ( ex:
Filter-ID = "admin.in").  This seems to be working well.

Now to my problem.  For some odd reason (I think so) Ascend/Lucent
limits a single filter to no more than 12 rules (12 incoming and 12
outgoing so it's actually a total of 24, but I digress).  Our current
scheme uses far in excess of 12 rules.  I *think* it is possible to
apply multiple filters to users, but I am not sure how this would be
done through RADIUS, perhaps multiple Filter-ID = "" statements on a
RADIUS profile?

I thought about having one filter for ftp, another for web, another for
mail, etc... but then I would have to go back and chop up the lists on
the 3Com gear to get it to use the same filter names as the MAX (for the
sake of RADIUS).  Do-able, but there must be a better way!  Is there
some way around this 12 rule limit?

Getting this to work with the 3Com method really throws a wrench into
things.  I -assume- that the 3Com box will ignore the default filter if
it receives another filter via RADIUS.  Wouldn't be very helpful if it
did not.  I hope that the Ascend also works this way.  If not, what is
the order of preference for the filters?

Also, could someone check my sanity on this filter:

valid = yes
forward = yes
type = ip-filter
ip-filter {
	source-address-mask = 0.0.0.0
	source-address = 0.0.0.0
	dest-address-mask = 255.255.255.0
	dest-address = 208.206.76.5
	dst-port-cmp = eql
	dest-port = 21
}

that's from memory, so bear with me.  Anything not mentioned should be
set to default.  I would apply this filter to a user and hope that it
would analyze all ip packets, see if they are headed to 208.206.76.5, if
they are, see if they are headed for port 21, if they are, let it on
through.  Otherwise it should fail and fall to the next rule (only 11
left :-(  ).

Thanks to all those who had the patience enough to read this far, and
many more thanks to those who will help!

-Ken
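The following is an added example, not code from either poster or from Ascend/Lucent. It models the filter semantics the two messages discuss (John's question about whether the mask is 'backwards' compared with Cisco, and Ken's sanity check of his ip-filter rule) so the posted rule can be evaluated against constructed packets. Assumptions, labelled in the code: the address masks are ordinary netmasks whose 1 bits select the compared address bits, rather than Cisco-style wildcard masks; rules are tried in order and the first match decides; a packet that matches no rule takes a default action, modelled as a parameter that defaults to deny; the port comparison keywords are modelled as none/eql/neq/less/gtr; and the 12-rules-per-direction cap is the one stated in Ken's message. The packets, rule names and helper functions are all constructed for illustration.

```python
"""Model of an Ascend-style per-user IP filter (added example, not
Ascend/Lucent code).  Labelled assumptions: address masks are ordinary
netmasks, so 1 bits select the address bits that are compared; rules are
evaluated in order and the first matching rule decides; a packet that
matches no rule takes the filter's default action (a parameter here,
default deny); port comparison keywords are modelled as none/eql/neq/
less/gtr.  Packets and rules below are constructed for illustration."""
from dataclasses import dataclass
import ipaddress

MAX_RULES_PER_DIRECTION = 12   # per-direction limit as described in the thread


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: int      # IP protocol number, 6 = TCP, 17 = UDP
    dst_port: int


@dataclass(frozen=True)
class IpRule:
    """One ip-filter rule; field names follow the posted profile."""
    forward: bool
    source_address: str = "0.0.0.0"
    source_address_mask: str = "0.0.0.0"     # 0.0.0.0 mask = any source
    dest_address: str = "0.0.0.0"
    dest_address_mask: str = "0.0.0.0"
    protocol: int = 0                          # assumption: 0 = any protocol
    dst_port_cmp: str = "none"                 # none | eql | neq | less | gtr
    dest_port: int = 0

    def matches(self, pkt):
        return (addr_match(pkt.src, self.source_address, self.source_address_mask)
                and addr_match(pkt.dst, self.dest_address, self.dest_address_mask)
                and self.protocol in (0, pkt.protocol)
                and port_match(pkt.dst_port, self.dst_port_cmp, self.dest_port))


def addr_match(addr, want, mask):
    """Compare only the bits the netmask sets (netmask, not Cisco wildcard)."""
    a, w, m = (int(ipaddress.IPv4Address(x)) for x in (addr, want, mask))
    return (a & m) == (w & m)


def port_match(port, cmp, want):
    return {"none": True, "eql": port == want, "neq": port != want,
            "less": port < want, "gtr": port > want}[cmp]


def cisco_wildcard_to_mask(wildcard):
    """Cisco ACL wildcard (0 bits compared) -> netmask (1 bits compared)."""
    return str(ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))))


@dataclass
class IpFilter:
    name: str
    rules_in: tuple = ()
    rules_out: tuple = ()
    default_forward: bool = False   # assumption: packets matching no rule are dropped

    def __post_init__(self):
        for label, rules in (("in", self.rules_in), ("out", self.rules_out)):
            if len(rules) > MAX_RULES_PER_DIRECTION:
                raise ValueError(f"{self.name}: {len(rules)} {label} rules "
                                 f"exceed the {MAX_RULES_PER_DIRECTION}-rule limit")

    def decide(self, pkt, direction):
        """Return (forward?, index of the deciding rule, or None for the default)."""
        rules = self.rules_in if direction == "in" else self.rules_out
        for i, rule in enumerate(rules):
            if rule.matches(pkt):
                return rule.forward, i
        return self.default_forward, None


# Ken's rule as posted: a /24 dest mask combined with a single-host dest address.
KEN_FTP_RULE = IpRule(forward=True, dest_address="208.206.76.5",
                      dest_address_mask="255.255.255.0",
                      dst_port_cmp="eql", dest_port=21)
# The same rule with a host mask, which is what "headed to 208.206.76.5" needs.
HOST_FTP_RULE = IpRule(forward=True, dest_address="208.206.76.5",
                       dest_address_mask="255.255.255.255",
                       dst_port_cmp="eql", dest_port=21)


def forwards(rule, pkt):
    """Would a one-rule filter (default deny) forward this packet?"""
    return IpFilter("probe", rules_in=(rule,)).decide(pkt, "in")[0]


if __name__ == "__main__":
    to_host = Packet("10.1.1.1", "208.206.76.5", 6, 21)          # constructed
    to_neighbour = Packet("10.1.1.1", "208.206.76.99", 6, 21)    # same /24
    for rule, label in ((KEN_FTP_RULE, "/24 mask"), (HOST_FTP_RULE, "host mask")):
        print(label, forwards(rule, to_host), forwards(rule, to_neighbour))
    print("Cisco wildcard 0.0.0.255 ->", cisco_wildcard_to_mask("0.0.0.255"))
```

Under these assumptions the posted rule forwards FTP to every host in 208.206.76.0/24, not only to 208.206.76.5, because the 255.255.255.0 mask stops the comparison at the third octet; a host mask of 255.255.255.255 restricts it to the one machine. The same helper shows the relationship John asks about: a Cisco wildcard is the bitwise inverse of the netmask form used here, so 0.0.0.255 corresponds to 255.255.255.0.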
++ Ascend Users Mailing List ++
To unsubscribe:	send unsubscribe to ascend-users-request@bungi.com
To get FAQ'd:	<http://www.nealis.net/ascend/faq>