Reflexive access-list problems. How to allow everything and just VNC?

Unanswered Question
Oct 7th, 2007

I have a cisco 877 router (Cisco IOS Software, C870 Software (C870-ADVIPSERVICESK9-M), Version 12.4(9)T, RELEASE SOFTWARE (fc1))

On the router I have servers directly connected to it and I have a SonicWall firewall also connected to it. Behind the SonicWall I have my LAN. How do I allow everything to the SonicWall so that the SonicWall's VPN would work? Everything else works fine from the LAN and from the servers.

The other question is: how do I allow VNC connections with a reflexive ACL? Or is this even possible?

I've tried something like this with no luck.

! There are also other permit lines on the list, but do they really matter? No denies except for the implicit one at the very end.
ip access-list extended insideaccess
 evaluate tcp-reflexive-temporary-list
 evaluate udp-reflexive-temporary-list
 permit ip any host 11.0.0.1
 evaluate ip_sonicille

! Everything from the inside should be allowed out.
ip access-list extended outsideaccess
 permit tcp any any reflect tcp-reflexive-temporary-list
 permit udp any any reflect udp-reflexive-temporary-list
 permit icmp any any echo
 permit icmp any any echo-reply
 permit ip any any
 permit ip host 11.0.0.1 any reflect ip_sonicille
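Two things stand out in the posted lists. First, in the inbound list `permit ip any host 11.0.0.1` already sits before the `evaluate` statements, so everything to the SonicWall is permitted regardless of the reflexive lists; the reflexive lists are not what blocks the VPN. Second, in the outbound list `permit ip any any` comes before `permit ip host 11.0.0.1 any reflect ip_sonicille`, and the first matching line wins, so that reflect line is never reached and `ip_sonicille` never gets an entry. As for VNC: a reflexive list only admits return traffic for sessions started from inside, so a VNC session started from the Internet has to be permitted by a static line placed before the `evaluate`. The configuration below is an added example, not the poster's config or anything from this thread; `Dialer0` as the Internet-facing interface, `11.0.0.10` as the DMZ host that should accept VNC and `203.0.113.5` as the management address allowed to reach it are placeholders (11.0.0.1 is the SonicWall address from the post).

```cisco
! Added example, not the poster's config. Placeholders: Dialer0 (Internet
! interface), 11.0.0.10 (DMZ host running VNC), 203.0.113.5 (admin address).
!
! Outbound list, applied "out" on the Internet interface. The reflect lines
! must come before any broad "permit ip any any": a plain permit that matches
! first never creates a reflexive entry.
ip access-list extended outbound-to-internet
 permit tcp any any reflect tcp-reflexive-temporary-list timeout 300
 permit udp any any reflect udp-reflexive-temporary-list timeout 60
 permit icmp any any
 permit ip any any
!
! Inbound list, applied "in" on the Internet interface: static holes first,
! then the reflexive entries, then the implicit deny.
ip access-list extended inbound-from-internet
 remark -- SonicWall VPN termination: IKE, NAT-T, ESP, AH
 permit udp any host 11.0.0.1 eq isakmp
 permit udp any host 11.0.0.1 eq non500-isakmp
 permit esp any host 11.0.0.1
 permit ahp any host 11.0.0.1
 remark -- the poster's "permit ip any host 11.0.0.1" would also work here,
 remark -- it is just broader than the four lines above
 remark -- VNC (TCP 5900) to one DMZ host, from one management address only
 permit tcp host 203.0.113.5 host 11.0.0.10 eq 5900
 remark -- return traffic for sessions that were opened from inside
 evaluate tcp-reflexive-temporary-list
 evaluate udp-reflexive-temporary-list
!
interface Dialer0
 ip access-group inbound-from-internet in
 ip access-group outbound-to-internet out
```

After a DMZ host opens an outbound connection, `show ip access-list` lists the temporary entries under the reflexive list names; if an inbound flow is dropped, `show ip access-list inbound-from-internet` shows which static line should have matched it. Keep the VNC line pinned to a source address rather than `any`, since VNC authentication alone is a thin barrier for a DMZ host.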

whisperwind Sun, 10/07/2007 - 05:55

Help me understand what you're trying to do. What is the goal?

I read your post and say to myself, why bother with elaborate ACLs when you have a firewall to explicitly permit traffic based on its rules.

Best practice is to use broad-based ACLs to prescreen known offenders on the router.

ttl-systems Sun, 10/07/2007 - 22:45

Access-lists are because the servers are directly on the Cisco router. That's our DMZ solution. Not that good, I know, but can this work the way I want?

What I want is to allow everything to 11.0.0.1 because this is the address to the sonicwall and I also want to allow vnc to certain addresses on the DMZ.

Should I just buy PIX or 5505 ASA?

whisperwind Mon, 10/08/2007 - 05:26

Well, I am not a big fan of throwing money at a problem, yet you are faced with a design and a situation that does not allow you to make the changes you want very easily.

I would contact the provider that controls the router and get them to do what you desire.

Yes, reflexive ACLs would work, but I have yet to hear why them and not just an extended ACL.

Only if all else fails would I consider spending money to solve this.

ttl-systems Tue, 10/09/2007 - 01:08

If I contact the provider who controls the router I talk to myself... ;)

Well I'll have to try with just extended access-lists with the established parameter. I had problems with DNS when I tried with extended access-lists but I didn't use any established commands.
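The DNS failure the poster hit with a plain extended list is the expected edge case of the `established` approach: `established` matches only TCP segments with ACK or RST set, so UDP replies (DNS answers above all) need their own explicit lines, or the DMZ cannot resolve anything. The list below is an added example of that approach, not the poster's config or anything from this thread; `Dialer0`, the DMZ range `11.0.0.0/24`, the VNC host `11.0.0.10`, the admin address `203.0.113.5` and the resolver addresses `198.51.100.53`/`198.51.100.54` are placeholders (11.0.0.1 is the SonicWall address from the post).

```cisco
! Added example, not the poster's config. Placeholders: Dialer0, 11.0.0.0/24
! (DMZ), 11.0.0.10 (VNC host), 203.0.113.5 (admin address),
! 198.51.100.53 / 198.51.100.54 (the resolvers the DMZ hosts are configured to use).
ip access-list extended inbound-from-internet
 remark -- TCP replies to sessions opened from the DMZ (ACK or RST set)
 permit tcp any 11.0.0.0 0.0.0.255 established
 remark -- "established" is TCP-only, so UDP DNS answers need their own line;
 remark -- pin it to the resolvers actually in use rather than "any"
 permit udp host 198.51.100.53 eq domain 11.0.0.0 0.0.0.255 gt 1023
 permit udp host 198.51.100.54 eq domain 11.0.0.0 0.0.0.255 gt 1023
 remark -- SonicWall VPN termination
 permit udp any host 11.0.0.1 eq isakmp
 permit udp any host 11.0.0.1 eq non500-isakmp
 permit esp any host 11.0.0.1
 permit ahp any host 11.0.0.1
 remark -- VNC to one DMZ host from one management address
 permit tcp host 203.0.113.5 host 11.0.0.10 eq 5900
 remark -- ICMP the DMZ hosts need for path MTU discovery and traceroute replies
 permit icmp any 11.0.0.0 0.0.0.255 echo-reply
 permit icmp any 11.0.0.0 0.0.0.255 unreachable
 permit icmp any 11.0.0.0 0.0.0.255 time-exceeded
!
interface Dialer0
 ip access-group inbound-from-internet in
```

The trade-off against the reflexive lists: `established` admits any TCP segment with the ACK bit set to any DMZ port, with no notion of an existing session, so the router is not tracking state at all; the reflexive version only opens the exact source/destination address and port pair that an inside host used. The `established` list is simpler to read and debug, which is why the poster's plan to try it is reasonable, as long as the UDP lines for DNS are not forgotten again.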
