Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!uupsi!sunic!ugle.unit.no!spurv.runit.sintef.no!he
From: he@idt.unit.no (Havard Eidnes)
Newsgroups: comp.dcom.sys.cisco
Subject: Re: Cisco Security - trouble with access lists and IPSO
Message-ID: <1991Apr5.184726.15684@ugle.unit.no>
Date: 5 Apr 91 18:47:26 GMT
References: <1991Apr2.225108.18647@eik.ii.uib.no>
Sender: he@spurv.runit.sintef.no (Havard Eidnes)
Organization: Computing center at the University of Trondheim, Norway
Lines: 16

In article <1991Apr2.225108.18647@eik.ii.uib.no>, robmack@eik.ii.uib.no (Robert MacKinnon) writes:

|> How do I set up the AGS+ to have the 20 and 21 interfaces reject packets
|> if they originate from a PARTICULAR INTERFACE and not based on IP address?

I can think of no easy way to do this, sorry.

What you're trying to do is to connect a "secure" network to an "unsecure" network, and still be able to pass some traffic between these networks. I do not think that the IP security options were designed to solve that kind of problem.

What remains is a carefully crafted access list (I may help you if that's desired), turn off IP source routing on the cisco, and trust that nobody "out there" will pass you a datagram with source 129.177.2[01].x. If I am not much mistaken, that can only be done from the nearby network (129.177.30.x) since you have turned off processing of source routing through the cisco (no?). Anyway, you will not route that packet back to the "fake" source because you have turned off passing of source routed datagrams in the cisco.

- Havard (one of the two)
  Uninett TCP/IP technical manager
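The policy Havard describes (an access list that refuses datagrams claiming a 129.177.20.x or 129.177.21.x source when they arrive from the outside, plus discarding source-routed datagrams) can be modelled as a small filter. This is an added illustration, not configuration from the post or from cisco; the interface name "Serial0" and the raw headers below are constructed for the example.

```python
"""Constructed model of the anti-spoofing policy discussed in the post."""
import struct

# The "secure" networks from the post: 129.177.20.x and 129.177.21.x = 129.177.20.0/23
PROTECTED_NETS = [("129.177.20.0", 23)]
UNTRUSTED_IFACES = {"Serial0"}   # constructed name for the link towards 129.177.30.x
LSRR, SSRR = 0x83, 0x89          # IPv4 option types: loose / strict source route


def ip_to_int(addr):
    return struct.unpack("!I", bytes(int(o) for o in addr.split(".")))[0]


def in_net(addr, net, bits):
    mask = (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF
    return ip_to_int(addr) & mask == ip_to_int(net) & mask


def parse_ipv4(pkt):
    """Return (src, dst, list of option types) from a raw IPv4 header."""
    ihl = (pkt[0] & 0x0F) * 4
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    opts, i = [], 20
    while i < ihl:
        t = pkt[i]
        if t == 0:                 # end of option list
            break
        if t == 1:                 # single-byte no-op
            i += 1
            continue
        length = pkt[i + 1]        # length covers type and length bytes
        if length < 2:             # malformed option: stop parsing, treat as present
            opts.append(t)
            break
        opts.append(t)
        i += length
    return src, dst, opts


def decide(iface, pkt):
    """Apply the two rules from the post: no source routing, no spoofed inside sources."""
    src, dst, opts = parse_ipv4(pkt)
    if LSRR in opts or SSRR in opts:
        return "drop: source-routed datagram"
    if iface in UNTRUSTED_IFACES and any(in_net(src, n, b) for n, b in PROTECTED_NETS):
        return "drop: spoofed protected source"
    return "permit"


def build_ipv4(src, dst, options=b""):
    """Constructed helper: minimal IPv4 header (no payload) with optional options."""
    options += b"\x00" * ((-len(options)) % 4)
    ihl = 5 + len(options) // 4
    fixed = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, 20 + len(options), 0, 0, 64, 6, 0,
                        bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    return fixed + options
```

The source-routed case is the one Havard singles out: with source routing disabled on the cisco, a datagram from 129.177.30.x that forges an inside source cannot be steered back to the forger.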