HP A6600 Configuration Manual page 367

Figure 123 Network diagram for ASPF configuration
(Figure labels: Internal network; Host 192.168.1.2/24)
Configuration procedure
# Enable the firewall function on Router A.
<RouterA> system-view
[RouterA] firewall enable
# Configure ACL 3111 to prohibit all IP packets from entering the internal network. ASPF creates a temporary ACL (TACL) for packets permitted to pass the firewall.
[RouterA] acl number 3111
[RouterA-acl-adv-3111] rule deny ip
[RouterA-acl-adv-3111] quit
# Create ACL 2001 to block Java applets from site 2.2.2.11.
[RouterA] acl number 2001
[RouterA-acl-basic-2001] rule deny source 2.2.2.11 0
[RouterA-acl-basic-2001] rule permit
[RouterA-acl-basic-2001] quit
# Create an ASPF policy that checks application layer protocols FTP and HTTP, and set the idle timeout value for the two protocols to 3000 seconds.
[RouterA] aspf-policy 1
[RouterA-aspf-policy-1] detect ftp aging-time 3000
[RouterA-aspf-policy-1] detect http java-blocking 2001 aging-time 3000
[RouterA-aspf-policy-1] quit
# Apply ACL 3111 and the ASPF policy to the interface Serial 2/1/1.
[RouterA] interface serial 2/1/1
[RouterA-Serial2/1/1] firewall aspf 1 outbound
[RouterA-Serial2/1/1] firewall packet-filter 3111 inbound
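The effect of this configuration can be modelled as follows. This is an added example, not code from the manual or from the device software: a simplified Python model in which ACL 3111 denies every inbound packet unless ASPF has recorded a matching outbound FTP or HTTP flow. The names AspfModel and acl_2001, the java_applet flag, and the use of the default ports 21 and 80 are assumptions made for illustration.

```python
from dataclasses import dataclass, field

AGING_TIME = 3000                       # seconds, from "aging-time 3000"
DETECTED = {21: "ftp", 80: "http"}      # assumption: default server ports
ACL_2001 = [("deny", "2.2.2.11"), ("permit", None)]   # None matches any source


def acl_2001(src):
    """First-match evaluation of the java-blocking ACL."""
    for action, host in ACL_2001:
        if host is None or host == src:
            return action
    return "deny"


@dataclass
class AspfModel:
    # Temporary ACL entries: expected return flow -> time last seen.
    tacl: dict = field(default_factory=dict)

    def outbound(self, src, sport, dst, dport, now):
        """Packet leaving through Serial 2/1/1 (firewall aspf 1 outbound)."""
        if dport in DETECTED:
            self.tacl[(dst, dport, src, sport)] = now   # permit the reply path
        return "permit"

    def inbound(self, src, sport, dst, dport, now, java_applet=False):
        """Packet arriving on Serial 2/1/1 (firewall packet-filter 3111 inbound)."""
        flow = (src, sport, dst, dport)
        seen = self.tacl.get(flow)
        if seen is None:
            return "deny"                               # ACL 3111: rule deny ip
        if now - seen > AGING_TIME:
            del self.tacl[flow]                         # idle entry aged out
            return "deny"
        if (java_applet and DETECTED.get(sport) == "http"
                and acl_2001(src) == "deny"):
            return "deny"                               # java-blocking 2001
        self.tacl[flow] = now                           # traffic refreshes the timer
        return "permit"


if __name__ == "__main__":
    fw = AspfModel()
    host, site = "192.168.1.2", "2.2.2.11"               # constructed sample flow
    print(fw.inbound(site, 80, host, 40000, now=0))      # unsolicited packet
    print(fw.outbound(host, 40000, site, 80, now=1))     # host opens HTTP
    print(fw.inbound(site, 80, host, 40000, now=2))      # reply on tracked flow
    print(fw.inbound(site, 80, host, 40000, now=3, java_applet=True))
```

Because the policy detects only FTP and HTTP, the model creates no temporary entry for other protocols, so their return traffic is still dropped by ACL 3111.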
(Figure 123 labels: Router A; Router B; S2/1/1 10.1.1.1/24; GEth1/0/1 192.168.1.1/24; External network; Server)