12-26
Cisco ONS 15454 SDH Reference Manual, R5.0
April 2008
Chapter 12 CTC Network Connectivity
12.5 External Firewalls
The following access control list (ACL) example shows a firewall configuration when the proxy server
gateway setting is not enabled. In the example, the CTC workstation's address is 192.168.10.10 and the
ONS 15454 SDH address is 10.10.10.100. The firewall is attached to the GNE, so inbound is CTC to the
GNE and outbound is from the GNE to CTC. The CTC Common Object Request Broker Architecture (CORBA)
Standard constant, the port on which the CTC workstation listens for calls from the node, is 683, and the
TCC CORBA Default TCC Fixed port is 57790. A source port is written with the eq operator (eq 683)
because IOS does not accept a bare port number after an address; an entry with no port operator matches
any port.
access-list 100 remark *** Inbound ACL, CTC -> NE ***
access-list 100 remark
access-list 100 permit tcp host 192.168.10.10 host 10.10.10.100 eq www
access-list 100 remark *** allows initial contact with ONS 15454 SDH using http (port 80) ***
access-list 100 remark
access-list 100 permit tcp host 192.168.10.10 eq 683 host 10.10.10.100 eq 57790
access-list 100 remark *** allows CTC communication with ONS 15454 SDH GNE (port 57790) ***
access-list 101 remark *** Outbound ACL, NE -> CTC ***
access-list 101 remark
access-list 101 permit tcp host 10.10.10.100 host 192.168.10.10 eq 683
access-list 101 remark *** allows alarms etc., from ONS 15454 SDH (any source port) to the CTC workstation (port 683) ***
access-list 101 remark
access-list 101 permit tcp host 10.10.10.100 host 192.168.10.10 established
access-list 101 remark *** allows ACKs from ONS 15454 SDH GNE to CTC ***
The established keyword matches any TCP segment with the ACK or RST bit set; it does not track connection
state, so it permits return traffic for sessions CTC opened but also any ACK-flagged segment sourced from
the GNE address.
The following ACL example shows a firewall configuration when the proxy server gateway setting is
enabled. As with the first example, the CTC workstation address is 192.168.10.10 and the
ONS 15454 SDH address is 10.10.10.100. The firewall is attached to the GNE, so inbound is CTC
to the GNE and outbound is from the GNE to CTC. The CTC CORBA Standard constant is 683 and the TCC
CORBA Default TCC Fixed port is 57790; the GNE proxy server listens on port 1080 and relays CTC to the
ENEs on ports 10240 through 10495.
access-list 100 remark *** Inbound ACL, CTC -> NE ***
access-list 100 remark
access-list 100 permit tcp host 192.168.10.10 host 10.10.10.100 eq www
access-list 100 remark *** allows initial contact with the 15454 SDH using http (port 80) ***
access-list 100 remark
access-list 100 permit tcp host 192.168.10.10 eq 683 host 10.10.10.100 eq 57790
access-list 100 remark *** allows CTC communication with the 15454 SDH GNE (port 57790) ***
access-list 100 remark
access-list 100 permit tcp host 192.168.10.10 eq 683 host 10.10.10.100 eq 1080
access-list 100 remark *** allows CTC communication with the 15454 SDH GNE proxy server (port 1080) ***
access-list 100 remark
access-list 100 permit tcp host 192.168.10.10 eq 683 host 10.10.10.100 range 10240 10495
access-list 100 remark *** allows CTC communication with 15454 SDH ENEs (ports 10240-10495) via the GNE proxy server ***
access-list 100 remark
access-list 100 permit tcp host 192.168.10.10 host 10.10.10.100 established
access-list 100 remark *** allows ACKs from CTC to the 15454 SDH GNE ***
access-list 101 remark *** Outbound ACL, NE -> CTC ***
Table 12-9 Ports Used by the TCC2/TCC2P (continued)

Port           Function                    Action (1)
10240-12287    Proxy client                D
57790          Default TCC listener port   OK

1. D = deny, NA = not applicable, OK = do not deny
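As an added example, not code from the Cisco manual: a small Python evaluator for the IOS ACL syntax used in the two examples above, so that the inbound ACL with the proxy disabled, the inbound ACL with the proxy enabled, and the outbound ACL can be checked against candidate CTC-to-GNE and GNE-to-CTC flows before the configuration is loaded on a firewall. The candidate flows, the ephemeral port numbers, and the assumption that the outbound ACL is unchanged in the proxy case are constructed for the example.

```python
"""Evaluate Cisco IOS extended-ACL entries against candidate TCP flows.
Added example, not from the Cisco manual. It understands only the syntax the CTC
firewall examples use: "access-list N permit|deny tcp ..." with host/any/wildcard
addresses, eq/range port matches and the "established" keyword."""
import ipaddress
from dataclasses import dataclass

PORT_NAMES = {"www": 80, "telnet": 23, "ssh": 22, "ftp": 21}

# The manual's ACLs in working IOS syntax (a source port needs the "eq" operator).
# Assumption: the outbound ACL is the same with or without the proxy, as the page says.
ACL_NO_PROXY = """
access-list 100 remark *** Inbound ACL, CTC -> NE ***
access-list 100 permit tcp host 192.168.10.10 host 10.10.10.100 eq www
access-list 100 permit tcp host 192.168.10.10 eq 683 host 10.10.10.100 eq 57790
access-list 101 permit tcp host 10.10.10.100 host 192.168.10.10 eq 683
access-list 101 permit tcp host 10.10.10.100 host 192.168.10.10 established
"""
ACL_PROXY = """
access-list 100 permit tcp host 192.168.10.10 host 10.10.10.100 eq www
access-list 100 permit tcp host 192.168.10.10 eq 683 host 10.10.10.100 eq 57790
access-list 100 permit tcp host 192.168.10.10 eq 683 host 10.10.10.100 eq 1080
access-list 100 permit tcp host 192.168.10.10 eq 683 host 10.10.10.100 range 10240 10495
access-list 100 permit tcp host 192.168.10.10 host 10.10.10.100 established
"""

@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False  # True for a segment with ACK or RST set (not the initial SYN)

@dataclass(frozen=True)
class Rule:
    action: str
    src: ipaddress.IPv4Network
    sport: tuple  # inclusive (low, high)
    dst: ipaddress.IPv4Network
    dport: tuple
    established: bool

def _port(tok):
    return PORT_NAMES.get(tok) or int(tok)

def _endpoint(tokens, i):
    """Parse 'host A' | 'any' | 'A WILDCARD' followed by an optional eq/range match."""
    if tokens[i] == "any":
        net, i = ipaddress.ip_network("0.0.0.0/0"), i + 1
    elif tokens[i] == "host":
        net, i = ipaddress.ip_network(tokens[i + 1]), i + 2
    else:  # an IOS wildcard mask is a hostmask, which ipaddress accepts as-is
        net, i = ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2
    ports = (0, 65535)  # no operator means any port
    if i < len(tokens) and tokens[i] == "eq":
        ports, i = (_port(tokens[i + 1]),) * 2, i + 2
    elif i < len(tokens) and tokens[i] == "range":
        ports, i = (_port(tokens[i + 1]), _port(tokens[i + 2])), i + 3
    return net, ports, i

def parse_acl(text):
    """Return {acl_number: [Rule, ...]} in configuration order; remarks are skipped."""
    acls = {}
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list" or t[2] == "remark":
            continue
        if t[3] != "tcp":
            raise ValueError(f"only tcp entries are supported: {line}")
        src, sport, i = _endpoint(t, 4)
        dst, dport, i = _endpoint(t, i)
        acls.setdefault(int(t[1]), []).append(
            Rule(t[2], src, sport, dst, dport, "established" in t[i:]))
    return acls

def evaluate(rules, flow):
    """First matching entry wins; no match is the implicit deny at the end of an IOS ACL."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    for r in rules:
        if (src in r.src and dst in r.dst
                and r.sport[0] <= flow.sport <= r.sport[1]
                and r.dport[0] <= flow.dport <= r.dport[1]
                and (flow.ack or not r.established)):  # "established" only looks at flags
            return r.action
    return "deny"

if __name__ == "__main__":
    nop, prx = parse_acl(ACL_NO_PROXY), parse_acl(ACL_PROXY)
    ctc, gne = "192.168.10.10", "10.10.10.100"
    for label, rules, flow in [
        ("CTC -> GNE http from an ephemeral port", nop[100], Flow(ctc, 40000, gne, 80)),
        ("CTC -> GNE telnet", nop[100], Flow(ctc, 40000, gne, 23)),
        ("CTC -> ENE port 10300, proxy not enabled", nop[100], Flow(ctc, 683, gne, 10300)),
        ("CTC -> ENE port 10300, proxy enabled", prx[100], Flow(ctc, 683, gne, 10300)),
        ("GNE -> CTC alarm callback to port 683", nop[101], Flow(gne, 51000, ctc, 683)),
        ("GNE -> CTC ACK within the http session", nop[101], Flow(gne, 80, ctc, 40000, ack=True)),
        ("GNE -> CTC fresh SYN to port 40000", nop[101], Flow(gne, 80, ctc, 40000)),
    ]:
        print(f"{label:42} {evaluate(rules, flow)}")
```

Two things the run makes visible. A flow to an ENE proxy port (10240 through 10495) falls through to the implicit deny unless the proxy-enabled ACL is in place, and a fresh SYN from the GNE to an ephemeral CTC port is dropped while an ACK-flagged segment passes; because established inspects only TCP flags, a forged ACK segment sourced from 10.10.10.100 would pass just as well. The rules also restrict the CTC source port to 683 exactly as the manual writes them; if CTC opens its connections to 57790 from an ephemeral port that entry will never match, which the hit counters in "show access-lists" on the firewall will reveal.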