Novell Newsgroups > Border Manager > Border Manager Install & Setup

Possible to create filter allowing all to an outside address?
10-26-2008, 05:25 AM #1
DE

Is there a way to create a filter that allows *all* traffic from any
computer on the internal network (LAN) to a specific outside IP address?

I know, it creates a hole through the firewall, but I'm looking for an
immediate short-term fix or turnaround to let certain traffic pass to a
specific server in another location.

I just can't seem to decipher what the filter should look like, if it's
even possible to set up, because the address is constant but traffic
could be on any ports.

Also, can I get any insight about opening up appropriate ports for Cisco
VPN client using UDP? The client doesn't seem to give me port
info/options if UDP is selected (as opposed to using TCP/IP which
indicates port number, but I don't have a choice in the client
configuration.)

These are two separate issues and the first is most critical.

Thanks.

Re: Possible to create filter allowing all to an outside address?
10-26-2008, 09:09 AM #2
Craig Johnson

In article <SPVMk.4344$Fg1.2820@kovat.provo.novell.com>, De wrote:
> Is there a way to create a filter that allows *all* traffic from any
> computer on the internal network (LAN) to a specific outside IP address?


Yes, and while it is quite easy, you are of course better off to learn what
traffic is needed and set up just the required traffic.

Set up a pair of filter exceptions for this.
1. From private to public interface, All IP, source IP = host, source IP
address = internal server address.
2. From public to private, All IP, source = any, dest = host, dest. IP
address = internal server address.

> I know, it creates a hole through the firewall, but I'm looking for an
> immediate short-term fix or turnaround to let certain traffic pass to a
> specific server in another location.

Understood.

> I just can't seem to decipher what the filter should look like, if it's
> even possible to set up, because the address is constant but traffic
> could be on any ports.

Don't specify ports.

> Also, can I get any insight about opening up appropriate ports for Cisco
> VPN client using UDP?


Cisco VPN should be using UDP port 500 and I think 10000 for IKE VPN
traffic. (May depend on the version of the VPN).

> The client doesn't seem to give me port
> info/options if UDP is selected (as opposed to using TCP/IP which
> indicates port number, but I don't have a choice in the client
> configuration.)
You can use a number of techniques to find the ports needed, including
filter debug on the server, PKTSCAN on the server to capture packets, and
Wireshark on the VPN pc to capture packets.

> These are two separate issues and the first is most critical.

The first is the easiest, though the second is also easy.

Have a look at the URL below. You might be interested in my book on BMgr
filtering.

Craig Johnson
Novell Support Connection SysOp
*** For a current patch list, tips, handy files and books on
BorderManager, go to http://www.craigjconsulting.com ***


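Added example, not part of the thread and not BorderManager code: a small stateless packet-filter model in Python that applies the two exceptions described in the reply above and shows why the reply from the outside address is dropped when only the private-to-public exception exists. It also puts the tailored alternative for an IKE client (UDP 500 and UDP 4500, both directions) beside the All-IP pair. The interface names PRIVATE/PUBLIC, the addresses 192.168.10.0/24 and 203.0.113.25, the packets and the rule fields are assumptions for illustration; "host" is modelled as a /32, "network" as a CIDR block and "Any" as None, matching the Host / Network / Any choice the thread refers to.

```python
"""Model of the paired filter exceptions described in the thread.

Constructed example, not BorderManager code and not from the thread.  The
filter is modelled as stateless, which is what a request/reply pair of
exceptions implies: nothing remembers the outbound packet, so the reply
needs its own exception.  Interface names, addresses and rule fields are
assumptions for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

LAN = "192.168.10.0/24"        # assumed private network
OUTSIDE = "203.0.113.25"       # assumed 'specific outside IP address'


@dataclass(frozen=True)
class Packet:
    in_iface: str              # interface the packet arrives on
    out_iface: str             # interface it would leave on
    proto: str                 # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass(frozen=True)
class FilterException:
    """One exception; None in a field means 'Any'."""
    src_iface: str
    dst_iface: str
    proto: Optional[str] = None  # None = All IP
    src: Optional[str] = None    # host (a.b.c.d) or network (a.b.c.d/n)
    dst: Optional[str] = None
    dport: Optional[int] = None

    @staticmethod
    def _addr_ok(want: Optional[str], have: str) -> bool:
        return want is None or ip_address(have) in ip_network(want, strict=False)

    def matches(self, p: Packet) -> bool:
        return (p.in_iface == self.src_iface
                and p.out_iface == self.dst_iface
                and (self.proto is None or self.proto == p.proto)
                and self._addr_ok(self.src, p.src)
                and self._addr_ok(self.dst, p.dst)
                and (self.dport is None or self.dport == p.dport))


def decide(p: Packet, exceptions: List[FilterException]) -> str:
    """Default deny: the packet passes only if some exception matches."""
    return "pass" if any(e.matches(p) for e in exceptions) else "drop"


# Exception 1 alone: the 'one direction only' mistake from the thread.
ONE_WAY = [FilterException("PRIVATE", "PUBLIC", None, LAN, OUTSIDE)]

# The pair: outbound request plus the inbound reply, All IP, no ports.
TWO_WAY = ONE_WAY + [FilterException("PUBLIC", "PRIVATE", None, OUTSIDE, LAN)]

# A tailored alternative for an IKE client: UDP 500 (IKE) and UDP 4500
# (NAT-T) only, both directions.  Whether a particular client also needs
# UDP 10000 is something a packet capture has to confirm.
VPN_ONLY = [
    FilterException("PRIVATE", "PUBLIC", "udp", LAN, OUTSIDE, dport=500),
    FilterException("PUBLIC", "PRIVATE", "udp", OUTSIDE, LAN, dport=500),
    FilterException("PRIVATE", "PUBLIC", "udp", LAN, OUTSIDE, dport=4500),
    FilterException("PUBLIC", "PRIVATE", "udp", OUTSIDE, LAN, dport=4500),
]

# Constructed packets: a TCP request and its reply, an IKE packet, and an
# unrelated inbound connection attempt from a third address.
PACKETS = {
    "request":   Packet("PRIVATE", "PUBLIC", "tcp", "192.168.10.50", OUTSIDE, 51000, 443),
    "reply":     Packet("PUBLIC", "PRIVATE", "tcp", OUTSIDE, "192.168.10.50", 443, 51000),
    "ike":       Packet("PRIVATE", "PUBLIC", "udp", "192.168.10.50", OUTSIDE, 500, 500),
    "unrelated": Packet("PUBLIC", "PRIVATE", "tcp", "198.51.100.7", "192.168.10.50", 4444, 445),
}


def outcomes(exceptions: List[FilterException]) -> dict:
    """Decision for every constructed packet under one rule set."""
    return {name: decide(p, exceptions) for name, p in PACKETS.items()}


if __name__ == "__main__":
    for label, rules in (("one-way", ONE_WAY), ("two-way", TWO_WAY), ("vpn-only", VPN_ONLY)):
        print(label, outcomes(rules))
```

With only ONE_WAY the request leaves but the reply is dropped at the public interface, which is exactly the symptom of opening a single direction; TWO_WAY passes the whole conversation to and from that one address and still drops the unrelated inbound attempt from a third host; VPN_ONLY passes the IKE packet and nothing else.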
Re: Possible to create filter allowing all to an outside address?
10-26-2008, 09:22 AM #3
DE

Craig Johnson wrote:
> In article <SPVMk.4344$Fg1.2820@kovat.provo.novell.com>, De wrote:
>> Is there a way to create a filter that allows *all* traffic from any
>> computer on the internal network (LAN) to a specific outside IP address?
>
> Yes, and while it is quite easy, you are of course better off to learn what
> traffic is needed and set up just the required traffic.
>
> Set up a pair of filter exceptions for this.
> 1. From private to public interface, All IP, source IP = host, source IP
> address = internal server address.
> 2. From public to private, All IP, source = any, dest = host, dest. IP
> address = internal server address.
>
>> I know, it creates a hole through the firewall, but I'm looking for an
>> immediate short-term fix or turnaround to let certain traffic pass to a
>> specific server in another location.
>
> Understood.
>
>> I just can't seem to decipher what the filter should look like, if it's
>> even possible to set up, because the address is constant but traffic
>> could be on any ports.
>
> Don't specify ports.
>
>> Also, can I get any insight about opening up appropriate ports for Cisco
>> VPN client using UDP?
>
> Cisco VPN should be using UDP port 500 and I think 10000 for IKE VPN
> traffic. (May depend on the version of the VPN).
>
>> The client doesn't seem to give me port
>> info/options if UDP is selected (as opposed to using TCP/IP which
>> indicates port number, but I don't have a choice in the client
>> configuration.)
>
> You can use a number of techniques to find the ports needed, including
> filter debug on the server, PKTSCAN on the server to capture packets, and
> Wireshark on the VPN pc to capture packets.
>
>> These are two separate issues and the first is most critical.
>
> The first is the easiest, though the second is also easy.
>
> Have a look at the URL below. You might be interested in my book on BMgr
> filtering.

This was one of those out-of-left-field need-it-yesterday things, it
seems. My least-favorite way to work.

Re. the Cisco VPN, UDP port 500 is already allowed, so it's probably
10000 that is blocking and causing it to fail.

When you use the terms "host" and "internal server address" above, (I
just want to be sure I understand you properly) the "host" is the server
outside and the "internal server address" is my BM server?

Thank you for the help.

Re: Possible to create filter allowing all to an outside address?
10-26-2008, 04:12 PM #4
Craig Johnson

In article <%hZMk.4360$Fg1.3794@kovat.provo.novell.com>, De wrote:
> When you use the terms "host" and "internal server address" above, (I
> just want to be sure I understand you properly) the "host" is the server
> outside and the "internal server address" is my BM server?

The host is on whichever side you choose. In my reference, I meant that you
should choose the 'host' option as opposed to Any, or Network.

Depending on what you are configuring, host could mean an external pc
sending requests into your system, an internal host sending requests out,
or a host on either side sending replies back to the other side. All
depends on what you are configuring for one particular filter exception to
deal with a packet flowing in the intended direction.

Craig Johnson
Novell Support Connection SysOp
*** For a current patch list, tips, handy files and books on
BorderManager, go to http://www.craigjconsulting.com ***


Re: Possible to create filter allowing all to an outside address?
10-27-2008, 05:36 AM #5
DE

Craig Johnson wrote:
> In article <%hZMk.4360$Fg1.3794@kovat.provo.novell.com>, De wrote:
>> When you use the terms "host" and "internal server address" above, (I
>> just want to be sure I understand you properly) the "host" is the server
>> outside and the "internal server address" is my BM server?
>
> The host is on whichever side you choose. In my reference, I meant that you
> should choose the 'host' option as opposed to Any, or Network.
>
> Depending on what you are configuring, host could mean an external pc
> sending requests into your system, an internal host sending requests out,
> or a host on either side sending replies back to the other side. All
> depends on what you are configuring for one particular filter exception to
> deal with a packet flowing in the intended direction.

Thanks for your help; it's just been too long since I've even looked at
it & if I had recalled correctly, could have avoided some of the dumb
questions.

I got it now; the mistake I was making is about as simple as it gets,
in that I was only opening up in one direction instead of both.

Appreciate your help & patience, as always.


Re. the Cisco VPN client, it seems to me that there's minimal risk in
doing the same thing (opening up all traffic to & from the specific IP
address) rather than trying to figure which ports may be used, just
opening up all traffic to the one address, since presumably the VPN
client itself should provide enough security. Do you see any inherent
flaw in doing so?

Otherwise, I might find myself in a situation where the client
authenticates but the user has trouble doing something relatively
routine or unanticipated like FTP'ing files, I think.

Re: Possible to create filter allowing all to an outside address?
10-27-2008, 05:27 PM #6
Craig Johnson

In article <Q3fNk.4478$Fg1.1793@kovat.provo.novell.com>, De wrote:
> Re. the Cisco VPN client, it seems to me that there's minimal risk in
> doing the same thing (opening up all traffic to & from the specific IP
> address) rather than trying to figure which ports may be used, just
> opening up all traffic to the one address, since presumably the VPN
> client itself should provide enough security. Do you see any inherent
> flaw in doing so?

Yes, I do think it is a flaw to open everything up. Especially as it is
so simple to see what is being filtered and tailor a filter exception to
the exact traffic. All you need is some filter debug work on the server
or PKTSCAN (less risk of server crash) on the server to see the packets.
I do filter debug all the time, and I've documented it in my BMgr
filtering book.

Some Cisco VPN clients may not use UDP port 10000, but some other port.
I found Cisco using 10000 about 8-10 years ago, but things have changed
since then. Novell uses 4500 for their IKE VPN client.

> Otherwise, I might find myself in a situation where the client
> authenticates but the user has trouble doing something relatively
> routine or unanticipated like FTP'ing files, I think.


Again, it's easy to see what traffic is filtered, and tailor custom
exceptions as needed. If the traffic is supposed to be through the VPN,
then no additional exceptions will be needed once the VPN is connected.


Craig Johnson
Novell Support Connection SysOp
*** For a current patch list, tips, handy files and books on
BorderManager, go to http://www.craigjconsulting.com ***


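Added example, not part of the thread and not BorderManager or Cisco code: the "capture the packets, see what is filtered, tailor the exception" approach from the reply above, worked through in Python on a tcpdump-style text dump (the kind tcpdump -nn prints and Wireshark can export as text). It keeps only packets between the LAN and the one peer, reports per direction which protocol/port pairs were actually exchanged, renders an exception for each in the wording the thread uses, and flags outbound ports that never got a reply, which is the symptom to look for when an inbound exception is missing. The capture lines, the addresses 192.168.10.0/24 and 203.0.113.25, and the port numbers in the sample are constructed; whether a given VPN client really uses UDP 10000 is exactly what a real capture has to tell you.

```python
"""Derive tailored filter exceptions from a packet capture.

Added example, not from the thread and not BorderManager code.  Reads a
tcpdump-style text dump, keeps packets between the LAN and one peer, and
reports per direction which protocol/port pairs were seen, plus outbound
ports that never received a reply.  Capture lines, addresses and the
wording of the generated exceptions are constructed for illustration.
"""
import re
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple

# (direction, proto, service port).  The service port is the peer-side
# port: the destination port outbound, the source port inbound, so a TCP
# request and its SYN/ACK reply map to the same (proto, port) pair.
Flow = Tuple[str, str, Optional[int]]

LINE = re.compile(
    r"^\S+ IP (?P<src>\d+(?:\.\d+){3})(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d+(?:\.\d+){3})(?:\.(?P<dport>\d+))?: (?P<kind>UDP|Flags|ICMP)"
)
KIND_TO_PROTO = {"UDP": "udp", "Flags": "tcp", "ICMP": "icmp"}

# Constructed capture, not a real trace.  192.168.10.50 is a LAN client,
# 203.0.113.25 the VPN gateway; 198.51.100.9 is unrelated web traffic.
CAPTURE = """\
10:12:01.100 IP 192.168.10.50.500 > 203.0.113.25.500: UDP, length 312
10:12:01.140 IP 203.0.113.25.500 > 192.168.10.50.500: UDP, length 280
10:12:01.300 IP 192.168.10.50.4500 > 203.0.113.25.4500: UDP, length 92
10:12:01.340 IP 203.0.113.25.4500 > 192.168.10.50.4500: UDP, length 92
10:12:02.010 IP 192.168.10.50.10000 > 203.0.113.25.10000: UDP, length 60
10:12:03.000 IP 192.168.10.50.52111 > 203.0.113.25.443: Flags [S], seq 1, win 64240, length 0
10:12:03.040 IP 203.0.113.25.443 > 192.168.10.50.52111: Flags [S.], seq 9, ack 2, win 65535, length 0
10:12:05.000 IP 192.168.10.50.52112 > 198.51.100.9.80: Flags [S], seq 1, win 64240, length 0
10:12:06.000 IP 203.0.113.25 > 192.168.10.50: ICMP echo reply, id 1, seq 1, length 64
"""


def parse_line(line: str) -> Optional[dict]:
    """One tcpdump line -> src/dst/proto/ports, or None if not an IP line."""
    m = LINE.match(line)
    if not m:
        return None
    port = lambda s: int(s) if s else None
    return {"src": m["src"], "dst": m["dst"], "proto": KIND_TO_PROTO[m["kind"]],
            "sport": port(m["sport"]), "dport": port(m["dport"])}


def peer_flows(capture: str, peer: str, lan: str) -> Set[Flow]:
    """Distinct (direction, proto, service port) pairs between LAN and peer."""
    lan_net, peer_ip = ip_network(lan), ip_address(peer)
    flows: Set[Flow] = set()
    for line in capture.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src, dst = ip_address(rec["src"]), ip_address(rec["dst"])
        if src in lan_net and dst == peer_ip:
            flows.add(("out", rec["proto"], rec["dport"]))
        elif src == peer_ip and dst in lan_net:
            flows.add(("in", rec["proto"], rec["sport"]))
    return flows


def unanswered(flows: Set[Flow]) -> Set[Tuple[str, Optional[int]]]:
    """Outbound proto/port pairs with no inbound packet from that peer port:
    either the peer never answers on them, or the inbound exception is
    missing and the filter is dropping the replies."""
    outs = {(p, port) for d, p, port in flows if d == "out"}
    ins = {(p, port) for d, p, port in flows if d == "in"}
    return outs - ins


def exceptions_for(flows: Set[Flow], peer: str, lan: str) -> List[str]:
    """Render one exception per observed flow, in the thread's wording."""
    rules = []
    for direction, proto, port in sorted(flows, key=lambda f: (f[0], f[1], f[2] or 0)):
        p = proto.upper()
        if direction == "out":
            tail = f", dst port {port}" if port else ""
            rules.append(f"From private to public, {p}, src = {lan}, dst = host {peer}{tail}")
        else:
            tail = f", src port {port}" if port else ""
            rules.append(f"From public to private, {p}, src = host {peer}{tail}, dst = {lan}")
    return rules


if __name__ == "__main__":
    seen = peer_flows(CAPTURE, "203.0.113.25", "192.168.10.0/24")
    for rule in exceptions_for(seen, "203.0.113.25", "192.168.10.0/24"):
        print(rule)
    print("no reply seen for:", unanswered(seen))
```

On the constructed capture the IKE (500), NAT-T (4500) and HTTPS (443) exchanges each show up in both directions and get a matching pair of exceptions; UDP 10000 appears outbound only, which is the case to investigate before writing an exception for it rather than opening the address to everything.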
Re: Possible to create filter allowing all to an outside address?
10-28-2008, 11:10 AM #7
DE

Craig Johnson wrote:
> In article <Q3fNk.4478$Fg1.1793@kovat.provo.novell.com>, De wrote:
>> Re. the Cisco VPN client, it seems to me that there's minimal risk in
>> doing the same thing (opening up all traffic to & from the specific IP
>> address) rather than trying to figure which ports may be used, just
>> opening up all traffic to the one address, since presumably the VPN
>> client itself should provide enough security. Do you see any inherent
>> flaw in doing so?
>
> Yes, I do think it is a flaw to open everything up. Especially as it is
> so simple to see what is being filtered and tailor a filter exception to
> the exact traffic. All you need is some filter debug work on the server
> or PKTSCAN (less risk of server crash) on the server to see the packets.
> I do filter debug all the time, and I've documented it in my BMgr
> filtering book.
>
> Some Cisco VPN clients may not use UDP port 10000, but some other port.
> I found Cisco using 10000 about 8-10 years ago, but things have changed
> since then. Novell uses 4500 for their IKE VPN client.
>
>> Otherwise, I might find myself in a situation where the client
>> authenticates but the user has trouble doing something relatively
>> routine or unanticipated like FTP'ing files, I think.
>
> Again, it's easy to see what traffic is filtered, and tailor custom
> exceptions as needed. If the traffic is supposed to be through the VPN,
> then no additional exceptions will be needed once the VPN is connected.

OK, thanks.
Mostly this is a situation of conflict between how two different firms
are set up, the newer one not wanting to use BM at all and perhaps
deciding to do away with it in the next few months, and the need to have
the Cisco VPN functional immediately.

They haven't clued me in to what they intend to replace it with, either.