[f-nsp] UDP filtering question
David Miller
dmiller at metheus.org
Wed Apr 27 11:03:27 EDT 2011
ServerIron 4G, firmware 10.2.01oTI4
I'm encountering a very strange behavior when trying to allow SNMP
queries between interfaces.
The first query makes it through to the target host, but subsequent
packets do not. I've confirmed this with netcat and tcpdump. After a
period of some minutes a timer resets and one more packet is allowed
through.
The interfaces look like this:

interface ve 120
 ip access-group Access_to_Distribution in
 ip address 192.168.120.5 255.255.255.0
 ip address 192.168.121.5 255.255.255.0
 ip nat inside
 ip vrrp-extended vrid 120
  backup
  advertise backup
  ip-address 192.168.120.254
  vrid-group 1
 ip vrrp-extended vrid 121
  backup
  advertise backup
  ip-address 192.168.121.254
  vrid-group 1
!
interface ve 140
 ip address 192.168.140.5 255.255.255.0
 ip nat inside
 ip vrrp-extended vrid 140
  backup
  advertise backup
  ip-address 192.168.140.254
  vrid-group 1
!
ip access-list extended Access_to_Distribution
 permit tcp 192.168.120.0 0.0.0.255 192.168.140.0 0.0.0.255 established
 permit tcp 192.168.120.0 0.0.0.255 host 192.168.140.65 eq 5308
 permit udp host 192.168.120.30 192.168.140.0 0.0.0.255
 permit udp host 192.168.120.13 192.168.140.0 0.0.0.255
 permit icmp 192.168.120.0 0.0.0.255 192.168.140.0 0.0.0.255 echo-reply
 permit udp host 192.168.120.77 192.168.140.0 0.0.0.255 eq snmp
 deny ip 192.168.120.0 0.0.0.255 192.168.140.0 0.0.0.255
 permit ip any any
Pointers welcome.
--- David
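The access-list in the post is a stateless, first-match filter applied inbound on ve 120 only, and it helps to see exactly which line each packet of the SNMP exchange hits. The following is an added example, not code from the original post or from Foundry/Brocade: it parses the access-list text exactly as posted (wildcard masks, host, any, eq with the snmp port name, the established and echo-reply keywords) and runs a constructed exchange through it. The target host 192.168.140.20, the source port 50000, the extra test packets and all function names are assumptions made for the example. Every GET from 192.168.120.77 lands on the same permit line whether it is the first packet or the tenth, which rules out rule ordering as the reason the second packet disappears and narrows the search to whatever the switch does per flow after the first packet, something the posted config does not show. Note also that the replies come back in on ve 140, which carries no inbound ACL, so the evaluator only models the request direction.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The access-list copied verbatim from the post (applied inbound on ve 120).
ACL_TEXT = """\
permit tcp 192.168.120.0 0.0.0.255 192.168.140.0 0.0.0.255 established
permit tcp 192.168.120.0 0.0.0.255 host 192.168.140.65 eq 5308
permit udp host 192.168.120.30 192.168.140.0 0.0.0.255
permit udp host 192.168.120.13 192.168.140.0 0.0.0.255
permit icmp 192.168.120.0 0.0.0.255 192.168.140.0 0.0.0.255 echo-reply
permit udp host 192.168.120.77 192.168.140.0 0.0.0.255 eq snmp
deny ip 192.168.120.0 0.0.0.255 192.168.140.0 0.0.0.255
permit ip any any
"""

PORT_NAMES = {"snmp": 161}  # the only named port this ACL uses


@dataclass
class Packet:
    proto: str                 # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    established: bool = False  # TCP segment with ACK or RST set
    icmp_type: str = ""


@dataclass
class Rule:
    action: str
    proto: str
    src: Tuple[int, int]       # (base address, wildcard mask)
    dst: Tuple[int, int]
    dport: Optional[int]
    flag: str                  # "established", "echo-reply" or ""
    text: str


def _addr(tok: List[str], i: int) -> Tuple[Tuple[int, int], int]:
    """Parse 'any', 'host A' or 'A WILDCARD' starting at tok[i]; return (net, next index)."""
    if tok[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok[i] == "host":
        return (int(ipaddress.IPv4Address(tok[i + 1])), 0), i + 2
    base = int(ipaddress.IPv4Address(tok[i]))
    wild = int(ipaddress.IPv4Address(tok[i + 1]))
    return (base, wild), i + 2


def parse_acl(text: str) -> List[Rule]:
    """Turn the ACL text into an ordered rule list (order is what the switch evaluates)."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        action, proto = tok[0], tok[1]
        src, i = _addr(tok, 2)
        dst, i = _addr(tok, i)
        dport, flag = None, ""
        while i < len(tok):
            if tok[i] == "eq":  # written after the destination in this ACL, so a destination port
                dport = PORT_NAMES.get(tok[i + 1])
                if dport is None:
                    dport = int(tok[i + 1])
                i += 2
            else:
                flag = tok[i]
                i += 1
        rules.append(Rule(action, proto, src, dst, dport, flag, line))
    return rules


def _in_range(addr: str, net: Tuple[int, int]) -> bool:
    """Wildcard-mask match: a 1 bit in the mask is 'don't care', every other bit must equal the base."""
    base, wild = net
    return (int(ipaddress.IPv4Address(addr)) ^ base) & ~wild & 0xFFFFFFFF == 0


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if not (_in_range(pkt.src, rule.src) and _in_range(pkt.dst, rule.dst)):
        return False
    if rule.dport is not None and pkt.dport != rule.dport:
        return False
    if rule.flag == "established" and not pkt.established:
        return False
    if rule.flag == "echo-reply" and pkt.icmp_type != "echo-reply":
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """First matching line wins, as on the switch; no match is an implicit deny."""
    for r in rules:
        if matches(r, pkt):
            return r.action, r.text
    return "deny", "implicit deny"


def trace(rules: List[Rule], packets: List[Packet]) -> List[Tuple[str, str]]:
    return [evaluate(rules, p) for p in packets]


# Constructed traffic (assumed, not from the post): three SNMP GETs in a row from the
# host the ACL names, sent to an assumed target 192.168.140.20 from an assumed port 50000.
SNMP_QUERIES = [Packet("udp", "192.168.120.77", "192.168.140.20", 50000, 161) for _ in range(3)]

if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    for n, (action, line) in enumerate(trace(acl, SNMP_QUERIES), 1):
        print(f"query {n}: {action:6} <- {line}")
```

Run it and all three queries print the same permit line (the `eq snmp` entry); changing the source to a host the ACL does not name, or the destination port to 162, drops the packet on the `deny ip` line instead, which is the kind of per-packet difference an ACL can produce and the post's symptom is not.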