By using the firewall feature, the company intends to achieve the following aims:
• Only specific users on external networks are given access to the internal servers.
• Only specific hosts on the internal network are permitted to access external networks.
Assume that the IP address of a specific external user is 20.3.3.3.
Figure 226 Network diagram (diagram labels only): FTP server, Telnet server, internal host; addresses 129.1.1.1/24, 129.1.1.4/24.
Configuration procedure
# Enable the firewall function on the router.
<Router> system-view
[Router] firewall enable slot 2
[Router] firewall enable slot 3
# Create advanced ACL 3001.
[Router] acl number 3001
# Configure rules to permit specific hosts to access external networks and permit internal servers to access external networks.
[Router-acl-adv-3001] rule permit ip source 129.1.1.1 0
[Router-acl-adv-3001] rule permit ip source 129.1.1.2 0
[Router-acl-adv-3001] rule permit ip source 129.1.1.3 0
[Router-acl-adv-3001] rule permit ip source 129.1.1.4 0
# Configure a rule to deny all remaining IP packets (rules are matched in order, so this catches anything not permitted above).
[Router-acl-adv-3001] rule deny ip
[Router-acl-adv-3001] quit
# Create advanced ACL 3002.
[Router] acl number 3002
# Configure a rule to allow a specific external user to access internal servers.
[Router-acl-adv-3002] rule permit tcp source 20.3.3.3 0 destination 129.1.1.0 0.0.0.255
# Configure a rule to permit specific data (only packets whose destination port number is greater than 1024) to access the internal network.
[Router-acl-adv-3002] rule permit tcp destination 20.1.1.1 0 destination-port gt 1024
[Router-acl-adv-3002] rule deny ip
[Router-acl-adv-3002] quit
# Apply ACL 3001 to packets that come in through GigabitEthernet 3/0/1.
[Router] interface gigabitethernet 3/0/1
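As an added illustration (not part of this guide), the following Python evaluator applies the two ACLs above to sample packets with the same first-match and wildcard-mask semantics, so the effect of rule order and of the gt 1024 port condition can be checked before the ACLs are bound to an interface. It models only the rule forms used on this page and assumes an unmatched packet is denied.

```python
import ipaddress
# Rules copied from the ACLs configured on this page (H3C syntax), constructed
# inline so the evaluator runs offline. The first matching rule wins.
ACL_3001 = [
    "rule permit ip source 129.1.1.1 0",
    "rule permit ip source 129.1.1.2 0",
    "rule permit ip source 129.1.1.3 0",
    "rule permit ip source 129.1.1.4 0",
    "rule deny ip",
]
ACL_3002 = [
    "rule permit tcp source 20.3.3.3 0 destination 129.1.1.0 0.0.0.255",
    "rule permit tcp destination 20.1.1.1 0 destination-port gt 1024",
    "rule deny ip",
]

def wild_match(addr, base, wildcard):
    """Wildcard mask semantics: a 0 bit must match, a 1 bit is don't-care.
    A bare '0' wildcard (as in 'source 129.1.1.1 0') means a single host."""
    if wildcard == "0":
        wildcard = "0.0.0.0"
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def parse_rule(text):
    """Turn one 'rule ...' line into a dict of match conditions."""
    tok = text.split()
    rule = {"action": tok[1], "proto": tok[2]}
    for i, t in enumerate(tok):
        if t in ("source", "destination"):
            rule[t] = (tok[i + 1], tok[i + 2])
        elif t == "destination-port":  # only 'gt N' appears on this page
            rule["dport_gt"] = int(tok[i + 2])
    return rule

def evaluate(acl, src, dst, proto="tcp", dport=0):
    """Return 'permit' or 'deny' for one packet under first-match semantics."""
    for r in map(parse_rule, acl):
        if r["proto"] not in ("ip", proto):
            continue
        if "source" in r and not wild_match(src, *r["source"]):
            continue
        if "destination" in r and not wild_match(dst, *r["destination"]):
            continue
        if "dport_gt" in r and dport <= r["dport_gt"]:
            continue
        return r["action"]
    return "deny"  # assumption: nothing matched, treat as denied
```

Calling evaluate(ACL_3002, "20.3.3.3", "129.1.1.1", dport=21) returns 'permit', while the same TCP packet from 20.3.3.4, or a UDP packet from 20.3.3.3, falls through to the final deny rule.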
Figure 226 (remaining diagram labels): WWW server, internal network; addresses 129.1.1.2/24, 129.1.1.3/24; Router GE3/0/1 129.1.1.5/24, S2/1/1 20.1.1.1/16, WAN; external host 20.3.3.3/32.