3Com Router 3000 Ethernet Family
Configuration Guide
II. Network diagram
Figure 6-4 Network diagram of ASPF configuration example
[Figure: internal network host 202.101.1.2 connects to the Router's Ethernet1/0/0 (202.101.1.1); the Router's Serial1/0/0 (10.1.1.1), where ASPF is applied, connects over PPP to a second router whose Ethernet side reaches the external network and Server Host 2.2.2.11.]
III. Configuration procedure
# Enable firewall.
[3Com] firewall enable
# Configure ACL 3111 to refuse all TCP and UDP traffic from entering the internal network.
ASPF creates temporary ACL entries for the return traffic of sessions it has permitted.
[3Com] acl number 3111
[3Com-acl-adv-3111] rule deny ip
# Create ASPF policy 1. The policy detects two application-layer protocols, FTP and HTTP,
and sets the idle timeout (aging time) of both protocols to 3000 seconds, after which a
session with no activity is removed.
[3Com] aspf-policy 1
[3Com-aspf-policy-1] detect ftp aging-time 3000
[3Com-aspf-policy-1] detect http aging-time 3000
[3Com-aspf-policy-1] detect http java-blocking 2001
# Configure ACL 2001 to filter Java Applets from the site 2.2.2.11.
[3Com] acl number 2001
[3Com-acl-basic-2001] rule deny source 2.2.2.11 0
[3Com-acl-basic-2001] rule permit
# Enter the interface view and apply the ASPF policy in the outbound direction.
[3Com] interface serial 1/0/0
[3Com-Serial1/0/0] firewall aspf 1 outbound
# Apply ACL 3111 on the interface.
[3Com-Serial1/0/0] firewall packet-filter 3111 inbound
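The following model, added here as an illustration and not code from 3Com or the guide, shows how the three pieces configured above interact on Serial1/0/0: the static inbound filter (ACL 3111, `rule deny ip`) blocks everything, the ASPF policy opens a temporary return path only for FTP and HTTP sessions it saw leave outbound, that path ages out after 3000 idle seconds, and `java-blocking 2001` drops Java applets only from sources that ACL 2001 denies. Assumptions: only the FTP control channel (port 21) and HTTP (port 80) are inspected, an applet is recognised by the Java class-file magic `0xCAFEBABE` at the start of the response body, and the addresses are taken from Figure 6-4.

```python
"""Constructed model of the ASPF behaviour configured on this page (not 3Com code)."""
from dataclasses import dataclass
from typing import Dict, Tuple

AGING_TIME = 3000                    # seconds, from "detect ftp/http aging-time 3000"
INSPECTED = {21: "ftp", 80: "http"}  # application protocols the policy detects (assumed ports)
JAVA_CLASS_MAGIC = b"\xca\xfe\xba\xbe"  # Java class-file magic, used here as the applet indicator

# ACL 2001 as configured: rule deny source 2.2.2.11 0 ; rule permit   (first match wins)
ACL_2001 = [("deny", "2.2.2.11"), ("permit", None)]


def acl_2001(source: str) -> str:
    """Evaluate basic ACL 2001 against a source address; the first matching rule wins."""
    for action, match in ACL_2001:
        if match is None or match == source:
            return action
    return "deny"  # implicit deny when no rule matches


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes = b""  # for HTTP: the response body bytes (simplification)


class AspfFirewall:
    """Serial1/0/0 with 'firewall aspf 1 outbound' and 'firewall packet-filter 3111 inbound'."""

    def __init__(self) -> None:
        # key: (proto, inside_ip, inside_port, outside_ip, outside_port) -> (app, last_seen)
        self.sessions: Dict[Tuple[str, str, int, str, int], Tuple[str, float]] = {}

    def outbound(self, pkt: Packet, now: float) -> str:
        """Outbound: no static filter is applied on the page; ASPF records inspected sessions."""
        app = INSPECTED.get(pkt.dport) if pkt.proto == "tcp" else None
        if app is not None:
            key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
            self.sessions[key] = (app, now)  # temporary entry that opens the return path
        return "permit"

    def inbound(self, pkt: Packet, now: float) -> Tuple[str, str]:
        """Inbound: ACL 3111 denies everything unless a live ASPF session matches."""
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)  # reverse of the outbound tuple
        entry = self.sessions.get(key)
        if entry is None:
            return ("deny", "acl 3111 rule deny ip")
        app, last_seen = entry
        if now - last_seen > AGING_TIME:
            del self.sessions[key]  # idle longer than aging-time: temporary entry removed
            return ("deny", "aspf session aged out")
        self.sessions[key] = (app, now)  # matching traffic refreshes the idle timer
        if (app == "http" and pkt.payload.startswith(JAVA_CLASS_MAGIC)
                and acl_2001(pkt.src) == "deny"):
            return ("deny", "java-blocking acl 2001")
        return ("permit", f"aspf session {app}")


if __name__ == "__main__":
    fw = AspfFirewall()
    fw.outbound(Packet("tcp", "202.101.1.2", "2.2.2.11", 40000, 80), now=0.0)
    print(fw.inbound(Packet("tcp", "2.2.2.11", "202.101.1.2", 80, 40000, b"<html>"), now=10.0))
    print(fw.inbound(Packet("tcp", "2.2.2.11", "202.101.1.2", 80, 40001), now=10.0))
```

Running the block shows the return traffic of the outbound HTTP session being permitted while an unsolicited inbound connection from the same server is dropped by ACL 3111; the FTP data channel, which a real ASPF also tracks from the control-channel commands, is deliberately left out of this model.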
3Com Corporation 6-16 Chapter 6 Firewall Configuration