[Ascend] Filter Problem

Tue Apr 2 06:42:21 CST 2002

Hello Guys,
I have a little problem with the TNT filters that make me a big headache :(

I created a couple of filter to deny telnet access from any and only permit for one subnet (200.42.0.0/24)

This filters works perfectly but only for 10 or 15 minutes! after that I lost completly managment ( telnet, ping, etc ) to my TNT (200.42.95.164)

I'm running soft version 7.2.4

This are the filters:

TnTLimaTaSa-CI4#dir filter
   535  03/27/2002 19:13:34  DenyTelnet

INPUT:

1) valid-entry = yes
    forward = yes
    protocol = 6
    source-address-mask = 255.255.255.0		| SubNet
    source-address = 200.42.0.0 			|
    dest-address-mask = 255.255.255.255
    dest-address = 200.42.95.164			| TNT
    Src-Port-Cmp = gtr
    source-port = 1024
    Dst-Port-Cmp = eql
    dest-port = 23
    tcp-estab = no

2) valid-entry = yes
    forward = no
    protocol = 6
    source-address-mask = 0.0.0.0
    source-address = 0.0.0.0
    dest-address-mask = 255.255.255.255
    dest-address = 200.42.95.164
    Src-Port-Cmp = none
    source-port = 0
    Dst-Port-Cmp = eql
    dest-port = 23
    tcp-estab = no

3) valid-entry = yes
    forward = yes
    protocol = 0
    source-address-mask = 0.0.0.0
    source-address = 0.0.0.0
    dest-address-mask = 0.0.0.0
    dest-address = 0.0.0.0
    Src-Port-Cmp = none
    source-port = 0
    Dst-Port-Cmp = none
    dest-port = 0
    tcp-estab = no

OUTPUT:

1) valid-entry = yes
    forward = yes
    protocol = 0
    source-address-mask = 0.0.0.0
    source-address = 0.0.0.0
    dest-address-mask = 0.0.0.0
    dest-address = 0.0.0.0 
    Src-Port-Cmp = none
    source-port = 0
    Dst-Port-Cmp = none
    dest-port = 0
    tcp-estab = no

The filter above called DenyTelnet is apply to my FastEthernet interface:

TnTLimaTaSa-CI4#read ethernet { 1 3 4 }
ETHERNET/{ shelf-1 slot-3 4 } read
TnTLimaTaSa-CI4#list
[in ETHERNET/{ shelf-1 slot-3 4 }]
interface-address* = { shelf-1 slot-3 4 }
link-state-enabled = no
enabled = yes
ether-if-type = utp
filter-name = DenyTelnet
duplex-mode = full-duplex

Somebody could help on it? I really appreciate any answer.

Best Regards,

Alejandro J. Noriega 
Depto. Ingeniería De Redes 
Pr!ma S.A 
Ciudad Internet \ Datamarkets
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://shadowknight.real-time.com/pipermail/rte-ascend/attachments/20020402/4b272cf9/attachment.html