[164833] in North American Network Operators' Group


Re: which firewall product?

daemon@ATHENA.MIT.EDU (Kenny Kant)
Mon Aug 5 05:46:04 2013

In-Reply-To: <CAP-guGV66EJebHOhkOuxAo7OcYbSt_Asa_nQSCysBdBQiq2eBw@mail.gmail.com>
From: Kenny Kant <akennykant@gmail.com>
Date: Mon, 5 Aug 2013 04:45:51 -0500
To: William Herrin <bill@herrin.us>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

If the tunnel is to be terminated on this firewall device I would say look into a Mikrotik box.  Alternatively you could make Cisco's IOS firewall / zone based firewall do this.  So look into an ISR?


Sent from my iPad

On Jul 30, 2013, at 3:00 PM, William Herrin <bill@herrin.us> wrote:

> Hi folks,
>
> I'm trying to identify a firewall appliance for one of my customers.
> The wrinkle is: it has to be able to inspect packets inside an IPIP
> tunnel and accept/reject based on IP address, TCP port number and
> standard things like that. On the packet carried *inside* the IPIP
> tunnel packet.
>
>
> From what I can tell, the Cisco ASA can't do this.
>
> Linux iptables can (with the u32 match module) but the customer wants
> an appliance, not a server.
>
> What appliances do you know of that can do this? Is there a different
> Cisco box? A Juniper firewall? Anything else?
>
> Thanks in advance,
> Bill Herrin
>
>
> --
> William D. Herrin ................ herrin@dirtside.com  bill@herrin.us
> 3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
> Falls Church, VA 22042-3004
>
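The check Bill is asking the appliance to perform (decapsulate IPIP, then decide on the inner IP addresses and TCP port), written out as an added example that is not from either poster: it parses a constructed IPIP packet, applies an allow-list policy to the inner flow, and prints the iptables u32 expression that the quoted message alludes to. The address and port values are constructed test data; the u32 expression follows the documented `0>>22&0x3C@` header-skip idiom and is assumed equivalent, not verified against a live kernel here.

```python
import struct
import ipaddress

IPPROTO_IPIP = 4   # outer IPv4 protocol number for IP-in-IP
IPPROTO_TCP = 6

def parse_ipv4(buf, off=0):
    """Return (src, dst, proto, header_len) for the IPv4 header starting at buf[off:]."""
    if len(buf) - off < 20:
        raise ValueError("truncated IPv4 header")
    vihl, _, _, _, _, _, proto, _, src, dst = struct.unpack_from("!BBHHHBBH4s4s", buf, off)
    if vihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (vihl & 0x0F) * 4          # IHL is in 32-bit words; options make it > 20
    if ihl < 20 or len(buf) - off < ihl:
        raise ValueError("bad IHL")
    return str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst)), proto, ihl

def inner_flow(pkt):
    """Decapsulate one IPIP packet; return (inner_src, inner_dst, tcp_dport), or None if not IPIP+TCP."""
    _, _, proto, outer_len = parse_ipv4(pkt)
    if proto != IPPROTO_IPIP:
        return None
    isrc, idst, iproto, inner_len = parse_ipv4(pkt, outer_len)
    if iproto != IPPROTO_TCP:
        return None
    _, dport = struct.unpack_from("!HH", pkt, outer_len + inner_len)  # TCP src port, dst port
    return isrc, idst, dport

def policy(pkt, allowed_dst, allowed_ports):
    """ACCEPT only tunnelled TCP toward an allowed inner host and port; DROP everything else."""
    flow = inner_flow(pkt)
    if flow is None:
        return "DROP"
    _, idst, dport = flow
    return "ACCEPT" if idst in allowed_dst and dport in allowed_ports else "DROP"

def build_ipip(osrc, odst, isrc, idst, sport, dport):
    """Constructed test packet: outer IPv4 (proto 4) wrapping inner IPv4 plus a minimal TCP SYN header."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    def ip(src, dst, proto, payload):  # 20-byte header, checksum left zero (not validated here)
        return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                           ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed) + payload
    return ip(osrc, odst, IPPROTO_IPIP, ip(isrc, idst, IPPROTO_TCP, tcp))

def u32_inner_tcp_dport(port):
    """iptables match for the same inner TCP destination port (assumed equivalent, see lead-in).
    '0>>22&0x3C@' skips one IPv4 header by its IHL; applied twice it lands on the inner TCP header,
    where the low 16 bits of the first 32-bit word are the destination port."""
    return f'-p 4 -m u32 --u32 "0>>22&0x3C@0>>22&0x3C@0&0xFFFF={port}"'

if __name__ == "__main__":
    pkt = build_ipip("10.0.0.1", "10.0.0.2", "192.0.2.10", "198.51.100.5", 40000, 443)
    print(inner_flow(pkt), policy(pkt, {"198.51.100.5"}, {443}), u32_inner_tcp_dport(443))
```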

