Packet Filtering Firewall Configuration Example - HP A6600 Configuration Manual

Packet filtering firewall configuration example

Network requirements
As shown in Figure 122, the internal network of a company is connected to GigabitEthernet 1/0/1 of the router, and the internal users access the Internet through Serial 2/1/1 of the router.
The company provides WWW, FTP, and Telnet services to the outside. The internal subnet of the company is 129.1.1.0/24: the FTP server is 129.1.1.1, the Telnet server is 129.1.1.2, the WWW server is 129.1.1.3, and the internal host that is to be allowed out to the Internet is 129.1.1.4. The public address of the company is 20.1.1.1. NAT is enabled on the router so that hosts on the internal network can access the Internet and external hosts can reach the internal servers.
By using the firewall feature, the company intends to achieve the following: only specific users on external networks are given access to the internal servers, and only specific hosts on the internal network are permitted to access external networks.
Assume that the IP address of the specific external user is 20.3.3.3.
Figure 122 Network diagram for packet filtering firewall configuration
[Figure: internal network with FTP server 129.1.1.1/24, Telnet server 129.1.1.2/24 and internal host 129.1.1.4/24]
Configuration procedure
# Enable the firewall function on the router.
<Router> system-view
[Router] firewall enable
# Create advanced ACL 3001.
[Router] acl number 3001
# Configure rules to permit specific hosts to access external networks and permit internal servers to
access external networks.
[Router-acl-adv-3001] rule permit ip source 129.1.1.1 0
[Router-acl-adv-3001] rule permit ip source 129.1.1.2 0
[Router-acl-adv-3001] rule permit ip source 129.1.1.3 0
[Router-acl-adv-3001] rule permit ip source 129.1.1.4 0
# Configure a rule to prohibit all IP packets from passing the firewall.
[Router-acl-adv-3001] rule deny ip
[Router-acl-adv-3001] quit
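The ACL above relies on two things the CLI lines do not spell out: Comware wildcard masks (a 0 bit in the mask must match, a 1 bit is don't-care, so "129.1.1.1 0" is an exact host match) and first-match evaluation of the rules in configuration order, with the trailing "rule deny ip" closing the policy. The following model is an added example written for this page, not HP or Comware code; it parses the five rule lines of ACL 3001, evaluates constructed source addresses against them, and shows why a subnet wildcard such as "129.1.1.0 0.0.0.255" would defeat the "only specific hosts" requirement. The config-order matching and the `default` action used when no rule matches are assumptions of the model.

```python
"""Model of the packet filter that ACL 3001 above expresses.

Added example, not HP/Comware code. It reproduces Comware wildcard-mask
matching and first-match evaluation in configuration order (both are
assumptions of this model) and runs constructed packets through the ACL
to show which internal source addresses are allowed out.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str                         # "permit" or "deny"
    source: str = "0.0.0.0"             # no source clause == any address
    wildcard: str = "255.255.255.255"   # all don't-care bits == any


def wildcard_match(addr: str, source: str, wildcard: str) -> bool:
    """Comware wildcard semantics: bits that are 0 in the mask must match."""
    a = int(ipaddress.IPv4Address(addr))
    s = int(ipaddress.IPv4Address(source))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (s & care)


def parse_rule(line: str) -> Rule:
    """Parse 'rule {permit|deny} ip [source <addr> <wildcard>]' as used above.

    A bare '0' wildcard is the CLI shorthand for 0.0.0.0 (exact host).
    Only the rule forms that appear in ACL 3001 are supported.
    """
    t = line.split()
    if len(t) < 3 or t[0] != "rule" or t[1] not in ("permit", "deny") or t[2] != "ip":
        raise ValueError(f"unsupported rule: {line!r}")
    if len(t) == 3:
        return Rule(t[1])
    if len(t) != 6 or t[3] != "source":
        raise ValueError(f"unsupported rule: {line!r}")
    wildcard = "0.0.0.0" if t[5] == "0" else t[5]
    return Rule(t[1], t[4], wildcard)


# The rule lines of ACL 3001 from this page, without the CLI prompt.
ACL_3001 = [parse_rule(line) for line in (
    "rule permit ip source 129.1.1.1 0",
    "rule permit ip source 129.1.1.2 0",
    "rule permit ip source 129.1.1.3 0",
    "rule permit ip source 129.1.1.4 0",
    "rule deny ip",
)]


def evaluate(acl, src_ip, default="permit"):
    """First rule whose source clause matches wins (config-order matching).

    `default` models what happens when no rule matches; it is an assumption
    of this model. The explicit 'rule deny ip' is what makes ACL 3001 closed
    regardless of that default.
    """
    for rule in acl:
        if wildcard_match(src_ip, rule.source, rule.wildcard):
            return rule.action
    return default


def audit(acl, sources):
    """Decision per source address, for reviewing a policy before applying it."""
    return {ip: evaluate(acl, ip) for ip in sources}


if __name__ == "__main__":
    # Constructed sample sources: the four permitted hosts, another host on
    # the same /24 (must be denied), and the external user's address.
    for ip, verdict in audit(ACL_3001, [
        "129.1.1.1", "129.1.1.2", "129.1.1.3", "129.1.1.4",
        "129.1.1.10", "20.3.3.3",
    ]).items():
        print(f"{ip:>12} -> {verdict}")
```

Two points the model makes concrete. First, replacing the four host rules with a single "rule permit ip source 129.1.1.0 0.0.0.255" would let every host on 129.1.1.0/24 out, which is exactly what the requirement forbids; the per-host "0" wildcard is doing the real work. Second, the ACL matches private 129.1.1.x source addresses, so it must be applied at a point where the router still sees those addresses rather than the translated public address; the procedure on this page stops before the ACL is bound to an interface, so that step is not shown here.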
[Figure 122, continued: WWW server 129.1.1.3/24 on the internal network; router GE1/0/1 129.1.1.5/24 facing the internal network and S2/1/1 20.1.1.1/16 facing the WAN; external host 20.3.3.3/32]
