3Com 3032 Configuration Manual page 563

www server address 129.38.1.3. The enterprise address to the outside is
202.38.160.1.Address conversion has been configured on the router so that the
internal PC can access the Internet, and the external PC can access the internal
server. By configuring a firewall, the following are expected:
Only specific users from external network can access the internal server.
Only a specific internal host can access the external network.
In this example, assume that the IP address of a specific external user is
202.39.2.3.
Figure 172 Sample networking of firewall configuration
129.38.1.1
129.38.1.2
Ftp server
Telnet server
Enterprise Ethernet
129.38.1.4
Specific internal PC
Specific external PC
1 Enable firewall
[Router]firewall enable
2 Configure firewall default filtering mode as packet pass permitted
[Router]firewall default permit
3 Configure access rules to inhibit passing of all packets
[Router] acl 101
[Router-acl-101] rule deny ip source any destination any
4 Configure rules to permit specific host to access external network, to permit
internal server to access external network.
[Router-acl-101] rule permit ip source 129.38.1.4 0 destination any
[Router-acl-101] rule permit ip source 129.38.1.1 0 destination any
[Router-acl-101] rule permit ip source 129.38.1.2 0 destination any
[Router-acl-101] rule permit ip source 129.38.1.3 0 destination any
5 Configure rules to permit specific external user to access internal server
[Router] acl 102
[Router-acl-102] rule permit tcp source 202.39.2.3 0 destination
202.38.160.1 0
129.38.1.3
www server
129.38.1.5
Quidway router
Router
202.38.160.1
WAN
Firewall Configuration Example 559