Cisco Cisco ASR 5000
Firewall-and-NAT Policy Configuration Mode Commands
▀ access-rule
▄ Command Line Interface Reference, StarOS Release 18
5102
trigger open-port { port_number | range start_port to end_port } direction { both
| reverse | same }
| reverse | same }
Important:
In 9.0 and later releases, this keyword is Stateful Firewall license dependent.
Optionally a port trigger can be specified to be used for this rule to limit the range of auxiliary data
connections (a single or range of port numbers) for protocols having control and data connections (like FTP).
The trigger port will be the destination port of an association which matches a rule.
connections (a single or range of port numbers) for protocols having control and data connections (like FTP).
The trigger port will be the destination port of an association which matches a rule.
port_number
: Specifies the auxiliary port number to open for traffic, and must be an integer from 1
through 65535.
range start_port to end_port
: Specifies the range of port numbers to open for subscriber
traffic.
start_port
must be an integer from 1 through 65535.
end_port
must be an integer from 1 through 65535, and must be greater than
start_port
.
direction { both | reverse | same }
: Specifies the direction from which the auxiliary
connection is initiated. This direction can be same as the direction of control connection, or the
reverse of the control connection direction, or in both directions.
reverse of the control connection direction, or in both directions.
both
: Provides the trigger to open port for traffic in either direction of the control connection.
reverse
: Provides the trigger to open port for traffic in the reverse direction of the control
connection (from where the connection is initiated).
same
: Provides the trigger to open port for traffic in the same direction of the control
connection (from where the connection is initiated).
Usage
Use this command to add access ruledefs to the Firewall-and-NAT policy and configure the priority and
actions for rule matching.
The policy specifies the rules to be applied on calls. The ruledefs in the policy have priorities, based on which
priority matching is done.
For Stateful Firewall, the port trigger configuration is optional, and can be configured only if a rule action is
permit. When a rule is matched and the rule action is permit, if the trigger is configured, the appropriate
check is made. The trigger port will be the destination port of an association that matches the rule. Multiple
triggers can be defined for the same port number to permit multiple auxiliary ports for subscriber traffic.
When a rule is matched and if the rule action is deny, the action taken depends on what is configured in the
specified charging action. If the flow exists, flow statistics are updated and action is taken as configured in
the charging action:
actions for rule matching.
The policy specifies the rules to be applied on calls. The ruledefs in the policy have priorities, based on which
priority matching is done.
For Stateful Firewall, the port trigger configuration is optional, and can be configured only if a rule action is
permit. When a rule is matched and the rule action is permit, if the trigger is configured, the appropriate
check is made. The trigger port will be the destination port of an association that matches the rule. Multiple
triggers can be defined for the same port number to permit multiple auxiliary ports for subscriber traffic.
When a rule is matched and if the rule action is deny, the action taken depends on what is configured in the
specified charging action. If the flow exists, flow statistics are updated and action is taken as configured in
the charging action:
If the billing action is configured as Event Data Record (EDR) enabled, an EDR is generated.
If the content ID is configured, UDR information is updated.
If the flow action is configured as “terminate-flow”, the flow is terminated instead of just discarding the
packet.
If the billing action, content ID, and flow action are not configured, no action is taken on the dropped packets.
Important:
For Stateful Firewall, only the terminate-flow action is applicable if configured in the specified
charging action.
Allowing/dropping of packets is determined in the following sequence: