ASPF TCP application inspection configuration example
Network requirements
Local users on the internal network need to access the external network. To protect the internal network
against ICMP and SYN packet attacks from the external network, configure an ASPF policy on Router A.
Router A can then drop faked ICMP error messages and non-SYN packets that are the first packets over
TCP connections.
Figure 85 Network diagram
Configuration procedure
# Configure ACL 3111 to deny all IP packets.
<RouterA> system-view
[RouterA] acl number 3111
[RouterA-acl-adv-3111] rule deny ip
[RouterA-acl-adv-3111] quit
# Create ASPF policy 1.
[RouterA] aspf-policy 1
# Enable ICMP error message check.
[RouterA-aspf-policy-1] icmp-error drop
# Enable TCP SYN check.
[RouterA-aspf-policy-1] tcp syn-check
[RouterA-aspf-policy-1] quit
# Apply ACL 3111 to deny all incoming IP packets on interface GigabitEthernet 1/0.
[RouterA] interface GigabitEthernet 1/0
[RouterA-GigabitEthernet1/0] packet-filter 3111 inbound
# Apply ASPF policy 1 to the outbound direction of interface GigabitEthernet 1/0.
[RouterA-GigabitEthernet1/0] aspf apply policy 1 outbound
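The two checks configured above, modelled as an added Python example (not Comware code and not part of this guide): outbound TCP SYNs open session entries, inbound packets are permitted only as return traffic for a known session, a first TCP packet without SYN is what tcp syn-check drops, and an ICMP error whose quoted flow matches no session is what icmp-error drop discards. Only TCP sessions are tracked, and the session-table shape and all addresses are assumptions.

```python
# Added model of the two ASPF checks configured on Router A; not Comware code. Only TCP
# sessions are tracked and all addresses are constructed (assumptions, not page facts).
from dataclasses import dataclass
from typing import List, Optional, Tuple

ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}  # unreachable, quench, redirect, time exceeded, param problem
@dataclass(frozen=True)
class Packet:
    proto: str                        # "tcp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: str = ""                   # TCP flag letters, e.g. "S", "SA", "A"
    icmp_type: int = 0
    quoted: Optional[Tuple[str, str, int, int]] = None  # (src, dst, sport, dport) quoted in an ICMP error

class Aspf:
    def __init__(self) -> None:
        self.sessions = set()         # flows opened from the internal side

    def outbound(self, pkt: Packet) -> str:
        # Internal -> external is permitted; a TCP SYN opens a session entry.
        if pkt.proto == "tcp" and "S" in pkt.flags and "A" not in pkt.flags:
            self.sessions.add((pkt.src, pkt.dst, pkt.sport, pkt.dport))
        return "permit"

    def inbound(self, pkt: Packet) -> str:
        # External -> internal: ACL 3111 denies everything ASPF does not recognise as return traffic.
        if pkt.proto == "tcp":
            if (pkt.dst, pkt.src, pkt.dport, pkt.sport) in self.sessions:
                return "permit (return traffic)"
            return "drop (tcp syn-check)" if "S" not in pkt.flags else "drop (acl 3111)"
        if pkt.proto == "icmp" and pkt.icmp_type in ICMP_ERROR_TYPES:
            # A genuine error quotes a flow this side opened; anything else is a faked error.
            return "permit (icmp error)" if pkt.quoted in self.sessions else "drop (icmp-error drop)"
        return "drop (acl 3111)"

def demo() -> List[str]:
    # Constructed traffic: one real connection, two spoofed inbound packets, one genuine error.
    aspf = Aspf()
    client = ("10.1.1.2", "203.0.113.10", 40000, 80)
    return [
        aspf.outbound(Packet("tcp", *client, flags="S")),
        aspf.inbound(Packet("tcp", "203.0.113.10", "10.1.1.2", 80, 40000, flags="SA")),
        aspf.inbound(Packet("tcp", "203.0.113.10", "10.1.1.2", 80, 40001, flags="A")),
        aspf.inbound(Packet("icmp", "198.51.100.1", "10.1.1.2", icmp_type=3,
                            quoted=("10.1.1.2", "203.0.113.10", 40001, 80))),
        aspf.inbound(Packet("icmp", "198.51.100.1", "10.1.1.2", icmp_type=3, quoted=client)),
    ]
```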
Verifying the configuration
# Display the configuration of ASPF policy 1.
<RouterA> display aspf policy 1