This appendix has the following sections:
Introduction to Secure Access Firewalls
Secure Access is a software option available for the MAX TNT. To purchase Secure Access, contact your Ascend distributor.
Uploading Firewalls
The Secure Access User's Guide explains how to use the Secure Access Manager (SAM) application to create a Firewall and load Firewalls. This section provides some background information about using the SAM to log into the MAX TNT and upload a Firewall.
Permissions requirements
The SAM has several command-line and permissions requirements that must be met to successfully load a Firewall. When loading to the MAX TNT, the SAM prompts for a user name and password, and uses the specified name and password to select a User profile. Or, if the MAX TNT unit allows access without a password, the SAM uses the default User profile. The User profile must meet the following requirements:
Using CLI
FIREWALL my-firewall
name* = my-firewall
version = 2
data = [ ACAfiwgAAAAAAAADE2RmZDTiz0zOLeDkBAAFTVl4DAAAAA== ]
You apply the Firewall to an interface by specifying this name, so the name must be unique across both Filter and Firewall profiles. If you create a duplicate name, either by uploading a Firewall or by changing the name in a Filter or Firewall profile, an error message appears.
The Version and Data parameters are intended to be set only by the SAM. The Version parameter specifies the Firewall version; if you change its value in the Firewall profile, one of the following messages will probably appear:
error: Base 64 decode failed
error: Firewall does not load properly (corrupted?)
The Data parameter contains information about the Firewall definition. If you list the Data parameter separately, it is displayed as a sparse array. For example:
admin> list data
data[0] = ACAfiwgAAAAAAAADE2RmZDTiz0zOLeDkBAAFTVl4DAAA
data[33] = AA==
data[66] =
...
The SAM File Save As dialog box contains a type labeled as follows:
TNT Profile Files (*.prf)
This type represents a set of commands that can be directly piped into a MAX TNT command-line session to store the Firewall manually.
The FWALLversion diagnostic-level command displays the Firewall versions the MAX TNT supports. For example:
admin> FWALLversion
1 2
The output shows all Firewall versions supported in the current code. The version numbers are separated by spaces. The SAM uses this information to ensure that Firewalls you upload are supported.
The MAX TNT also has a FWALLdblog diagnostic-level command for displaying Firewall messages. For example:
admin> FWALLdblog
By default, the SAM causes a message to be generated for all packets blocked by a Firewall. Firewall messages are sent to the logging mechanism configured in the Log profile, such as Syslog or the console. (For details, see the MAX TNT Reference Guide.)
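The checks described above (a name that is unique across Filter and Firewall profiles, a Version that appears in the FWALLversion output, and a Data parameter that Base64-decodes cleanly) can be run on a .prf command set before it is piped into a MAX TNT session. The following is an added example, not code from Ascend or the SAM; it parses a single-profile .prf text, reassembles the sparse "list data" display into one Base64 string, and reports the problems the MAX TNT would otherwise report at load time. The sample inputs are constructed from the values shown in this section, and the function names are assumptions.

```python
import base64
import binascii
import re

# Constructed sample: the "TNT Profile Files (*.prf)" command set for the
# Firewall profile shown in this section (values copied from the page).
SAMPLE_PRF = """\
FIREWALL my-firewall
name* = my-firewall
version = 2
data = [ ACAfiwgAAAAAAAADE2RmZDTiz0zOLeDkBAAFTVl4DAAAAA== ]
"""

# Constructed sample: the sparse-array display produced by "list data".
SAMPLE_LIST_DATA = """\
data[0] = ACAfiwgAAAAAAAADE2RmZDTiz0zOLeDkBAAFTVl4DAAA
data[33] = AA==
data[66] =
...
"""

# Constructed sample: output of the FWALLversion diagnostic command ("1 2" on the page).
SAMPLE_FWALLVERSION = "1 2"


def parse_prf(text):
    """Parse a single-profile .prf command set into a dict.

    The first line is the profile header ("FIREWALL <name>"); the remaining
    lines are "parameter = value" settings. A trailing '*' on a parameter
    name (the index marker, e.g. "name*") is dropped from the key.
    """
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    header = lines[0].split()
    if len(header) != 2:
        raise ValueError("bad profile header: %r" % lines[0])
    profile = {"type": header[0], "name": header[1]}
    for ln in lines[1:]:
        key, sep, value = ln.partition("=")
        if not sep:
            raise ValueError("not a 'parameter = value' line: %r" % ln)
        profile[key.strip().rstrip("*")] = value.strip()
    return profile


def join_sparse_data(list_output):
    """Reassemble the single Base64 string from 'data[N] = chunk' lines, in index order."""
    chunks = []
    for ln in list_output.splitlines():
        m = re.match(r"\s*data\[(\d+)\]\s*=\s*(\S*)\s*$", ln)
        if m:
            chunks.append((int(m.group(1)), m.group(2)))
    chunks.sort()
    return "".join(chunk for _, chunk in chunks)


def decode_data(b64):
    """Strict Base64 decode; a failure corresponds to the 'Base 64 decode failed' message."""
    try:
        return base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("Base 64 decode failed") from exc


def supported_versions(fwallversion_output):
    """Turn the space-separated FWALLversion output into a set of integers."""
    return {int(v) for v in fwallversion_output.split()}


def check_profile(prf_text, fwallversion_output, existing_names):
    """Run the pre-upload checks; returns a list of error strings (empty means OK).

    existing_names holds the names of Filter and Firewall profiles already on
    the unit, so a duplicate can be caught before the MAX TNT rejects it.
    """
    errors = []
    profile = parse_prf(prf_text)
    if profile["name"] in existing_names:
        errors.append("duplicate name %r across Filter/Firewall profiles" % profile["name"])
    try:
        version = int(profile.get("version", ""))
    except ValueError:
        version = None
    if version not in supported_versions(fwallversion_output):
        errors.append("unsupported Firewall version %r (supported: %s)"
                      % (profile.get("version"), fwallversion_output))
    try:
        decode_data(profile.get("data", "").strip("[] "))
    except ValueError as exc:
        errors.append(str(exc))
    return errors


if __name__ == "__main__":
    print(check_profile(SAMPLE_PRF, SAMPLE_FWALLVERSION, set()))
    print(len(decode_data(join_sparse_data(SAMPLE_LIST_DATA))), "decoded bytes")
```

Only the Base64 layer is checked here; the page does not describe the format of the decoded bytes, so the example stops at the decode rather than interpreting them.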
Applying a Firewall to an interface
For a Firewall to take effect, you must apply it to a LAN or WAN interface in the MAX TNT. In either case, settings in the Answer-Defaults profile and the relevant Connection profile affect application of the Firewall.
How the Answer-Defaults profile settings are used
Following are the Answer-Defaults settings related to Firewalls, shown with their default settings:
ANSWER-DEFAULTS
session-info
call-filter = ""
data-filter = ""
filter-persistence = no
If the MAX TNT uses a local Connection profile for authentication, it does not use Firewalls set in the Answer-Defaults Session-Info subprofile.
If the MAX TNT relies on RADIUS for authentication, and the caller's RADIUS profile applies a filter or Firewall (or both), the filter or Firewall specified in the user profile is applied to each incoming packet and the MAX TNT does not use those set in the Answer-Defaults Session-Info subprofile.
If the MAX TNT relies on RADIUS for authentication, and the caller's RADIUS profile does not apply a filter or Firewall, and the Use-Answer-For-All-Defaults parameter is set to Yes in the Answer-Default profile, filters or Firewalls set in the Answer-Defaults Session-Info subprofile are applied to each incoming packet.
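The three rules above decide which Call-Filter and Data-Filter an incoming call actually gets. The following is an added example, not Ascend code, that encodes those rules in one function so the combinations can be checked side by side. The local-authentication branch returns the session-options of the Connection profile (the parameters this appendix shows for WAN interfaces); the case where RADIUS authenticates the caller, the RADIUS profile applies no filter, and Use-Answer-For-All-Defaults is No is not stated on the page, and the "nothing applied" result for it is an assumption. The dictionaries and function name are constructed for the example.

```python
# Constructed sample: an Answer-Defaults profile using the parameters shown above.
ANSWER_DEFAULTS = {
    "use-answer-for-all-defaults": "yes",
    "session-info": {
        "call-filter": "",
        "data-filter": "my-firewall",
        "filter-persistence": "no",
    },
}

FILTER_KEYS = ("call-filter", "data-filter")


def _pick(source):
    """Copy just the Call-Filter and Data-Filter values out of a settings dict."""
    return {k: source.get(k, "") for k in FILTER_KEYS}


def effective_filters(auth, answer_defaults, connection_profile=None, radius_profile=None):
    """Return the {call-filter, data-filter} applied to each incoming packet of a call.

    auth is "local" when a local Connection profile authenticated the caller and
    "radius" when RADIUS did. connection_profile is a dict with a "session-options"
    subprofile; radius_profile is a dict of the caller's RADIUS filter attributes.
    """
    if auth == "local":
        # Rule 1: Answer-Defaults Session-Info is ignored; the Connection
        # profile's own session-options apply.
        opts = (connection_profile or {}).get("session-options", {})
        return _pick(opts)
    if auth == "radius":
        rad = radius_profile or {}
        if rad.get("call-filter") or rad.get("data-filter"):
            # Rule 2: the RADIUS user profile wins over Answer-Defaults.
            return _pick(rad)
        if answer_defaults.get("use-answer-for-all-defaults", "no") == "yes":
            # Rule 3: fall back to Answer-Defaults Session-Info.
            return _pick(answer_defaults.get("session-info", {}))
        # Assumption (not stated on the page): no filter or Firewall is applied.
        return _pick({})
    raise ValueError("auth must be 'local' or 'radius', got %r" % auth)


if __name__ == "__main__":
    print(effective_filters("radius", ANSWER_DEFAULTS, radius_profile={}))
```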
Applying a Firewall to a WAN interface
Following are the parameters related to applying a Firewall to a WAN interface (shown with their default settings):
CONNECTION station
session-options
call-filter = ""
data-filter = ""
filter-persistence = no
Following is an example of applying a Firewall to a WAN interface:
admin> read conn jchu
CONNECTION/jchu read
admin> list session
call-filter = ""
data-filter = ""
filter-persistence = no
idle-timer = 120
ts-idle-mode = no-idle
ts-idle-timer = 120
admin> set data-filter = my-firewall
admin> set filter-persistence = yes
admin> write
CONNECTION/jchu written
See Filter persistence for Firewalls for information about applying a Firewall as a Call-Filter.
Applying a Firewall to a LAN interface
A Firewall on an Ethernet interface affects which packets are allowed to reach the Ethernet or leave the Ethernet for another interface. A Firewall applied to the Ethernet interface takes effect immediately. If you change the Firewall definition, the changes apply as soon as you load the new Firewall. Following is the parameter related to applying a Firewall to a LAN interface (shown with its default setting):
ETHERNET {shelf-N slot-N N }
filter-name = ""
Following is an example of applying a Firewall to a local network interface:
admin> dir ether
8 12/11/1996 15:58:08 { shelf-1 controller 1 }
16 12/18/1996 16:17:17 { shelf-1 slot-12 1 }
16 12/18/1996 16:17:17 { shelf-1 slot-12 2 }
16 12/18/1996 16:17:17 { shelf-1 slot-12 3 }
16 12/18/1996 16:17:17 { shelf-1 slot-12 4 }
admin> read ether {1 12 1}
ETHERNET/{ shelf-1 slot-12 1 } read
admin> list
interface-address* = { shelf-1 slot-12 1 }
mac-address = 00:c0:7b:69:94:38
ether-if-type = utp
filter-name = ""
admin> set filter-name = my-firewall
admin> write
ETHERNET/{ shelf-1 slot-12 1 } written
Copyright © 1998, Ascend Communications, Inc. All rights reserved.