
Chapter 5 Configuring Access Lists and Filtering GSS Traffic
Deploying GSS Devices Behind Firewalls
5-12
Cisco Global Site Selector Administration Guide
OL-5480-01
GSS Firewall Deployment Overview
In addition to the packet-filtering features of the access-list and access-group commands (see the “Filtering GSS Traffic Using Access Lists” section), you can also deploy your GSS devices behind an existing firewall on your enterprise network.
When you configure your GSS for deployment behind a firewall, you must allow DNS traffic into the device. If you have multiple GSS devices deployed such that traffic between the devices must pass through a firewall, configure the firewall to allow inter-GSS communications and inter-GSS status reporting. Depending on your GSS configuration, you may also need to allow other traffic through the firewall: for example, KAL-AP keepalives if you use them, and access to certain GSS services through the firewall, such as SNMP.
The GSS does not support deployment of devices behind a NAT for inter-GSS communication. The communication between the GSS devices cannot include an intermediate device behind a NAT because the actual IP address of each device is embedded in the payload of the packets.
To configure your firewall to function with a GSS device, follow the guidelines outlined in Table 5-2 and Table 5-3 to permit inbound and outbound traffic transmitted to and received from the specified GSS ports. In addition, use the access-list and access-group commands to enable authorized GSS traffic to the specified ports. By default, the GSS interface blocks all ports not explicitly permitted in your access list once you associate the access list with an Ethernet interface.
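The default-deny behaviour described above is easy to get wrong when reading a port table, so the following added example (not code from the Cisco guide, and not the GSS CLI) models it: the inbound entries visible in Table 5-2 are encoded as permit rules, a constructed set of flows towards the GSS is evaluated against them, and anything that matches no entry is denied. The flow list, port numbers other than those in the table, and the rule details strings are constructed for illustration.

```python
"""Added example: a minimal model of GSS default-deny access-list evaluation
using the inbound entries printed in Table 5-2. Not the GSS's own code."""

from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

ANY = None  # wildcard, equivalent to "*" in the table


@dataclass(frozen=True)
class Rule:
    """One permit entry: source port (remote device), destination port range
    on the GSS, and the protocols the entry applies to."""
    src_port: Optional[int]                  # None means "*"
    dst_ports: Optional[Tuple[int, int]]     # (low, high) or None for "*"
    protocols: FrozenSet[str]
    details: str

    def matches(self, proto: str, src_port: int, dst_port: int) -> bool:
        if proto not in self.protocols:
            return False
        if self.src_port is not None and src_port != self.src_port:
            return False
        if self.dst_ports is not None:
            low, high = self.dst_ports
            if not low <= dst_port <= high:
                return False
        return True


# Inbound entries (remote device -> GSS) as printed in Table 5-2 on this page
INBOUND_RULES = [
    Rule(ANY, (20, 23), frozenset({"tcp"}), "FTP, SSH, and Telnet services"),
    Rule(ANY, (53, 53), frozenset({"udp", "tcp"}), "GSS DNS server traffic"),
    Rule(53, ANY, frozenset({"udp"}), "reverse lookup and dnslookup replies"),
    Rule(123, (123, 123), frozenset({"udp"}), "NTP updates"),
]


def evaluate(proto: str, src_port: int, dst_port: int, rules=INBOUND_RULES):
    """Return ("permit", details) for the first matching entry, otherwise
    ("deny", "implicit deny"): once the list is bound to an interface, every
    port not explicitly permitted is blocked."""
    for rule in rules:
        if rule.matches(proto, src_port, dst_port):
            return "permit", rule.details
    return "deny", "implicit deny"


# Constructed sample flows towards the GSS (protocol, source port, destination port)
SAMPLE_FLOWS = [
    ("udp", 40123, 53),   # client DNS query
    ("tcp", 51000, 22),   # SSH from an administration host
    ("tcp", 51001, 80),   # HTTP: not listed, so implicitly denied
    ("udp", 123, 123),    # NTP update from a peer using source port 123
    ("udp", 50000, 123),  # NTP from an ephemeral source port: not covered by the row shown
    ("udp", 53, 34567),   # reply to an outbound dnslookup query
]

if __name__ == "__main__":
    for proto, sport, dport in SAMPLE_FLOWS:
        action, why = evaluate(proto, sport, dport)
        print(f"{proto:3} {sport:>5} -> {dport:<5} {action:6} ({why})")
```

The NTP row is the instructive case: because Table 5-2 lists source port 123 rather than a wildcard, an update arriving from an ephemeral source port falls through to the implicit deny, which is exactly the kind of gap to check when translating the table into firewall and access-list entries.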
Table 5-2 Inbound Traffic Going Through a Firewall to the GSS

| Source Port (Remote Device) | Destination Port (GSS) | Protocol | Details |
|---|---|---|---|
| * | 20–23 | TCP | FTP, SSH, and Telnet services |
| * | 53 | UDP, TCP | GSS DNS server traffic |
| 53 | * | UDP | GSS software reverse lookup and “dnslookup” queries |
| 123 | 123 | UDP | Network Time Protocol (NTP) updates |