HP ProCurve Secure Router 7203 dl Advanced Management And Configuration Manual page 267


Applying Access Control to Router Interfaces
Using ACPs to Control Access to Router Interfaces
Block Telnet Traffic. To strengthen security on your WAN, you may want
to deny any Telnet session that users attempt to establish with the ProCurve
Secure Router. You must first create an extended ACL and give it a name, such
as Telnet. The entry for Telnet traffic must be a permit entry, because the
permit entry is what selects the traffic; the Secure Router OS then applies the
action configured in the ACP to the selected traffic. Enter:
ProCurve(config)# ip access-list extended Telnet
ProCurve(config-ext-nacl)# permit tcp any any eq telnet
ProCurve(config-ext-nacl)# exit
Next, you must create an ACP and give it a unique name, such as Manage:
ProCurve(config)# ip policy-class Manage
ProCurve(config-policy-class)# discard list Telnet self
ProCurve(config-policy-class)# exit
The self option designates the destination as the internal IP stack—the router
itself.
After you create the ACP, you must then use the access-policy command to
assign it to the appropriate interface on the router.
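
An added example, not from the HP manual: a Python check over a running-config excerpt that confirms each ACP discarding Telnet to the router (self) references an ACL with a permit entry and is assigned to an interface. The sample configuration is constructed, and the interface name and the form of the access-policy line are assumptions.

```python
import re

# Constructed excerpt, not from a real device; interface name and access-policy line form are assumed.
SAMPLE_CONFIG = """\
ip access-list extended Telnet
 permit tcp any any eq telnet
ip access-list extended TelnetWrong
 deny tcp any any eq telnet
ip policy-class Manage
 discard list Telnet self
ip policy-class Broken
 discard list TelnetWrong self
interface ppp 1
 access-policy Manage
"""

def parse(config):
    """Group indented sub-commands under their section header line."""
    sections, current = {}, None
    for raw in filter(str.strip, config.splitlines()):
        if raw[0].isspace() and current:
            sections[current].append(raw.strip())
        else:
            current = raw.strip()
            sections.setdefault(current, [])
    return sections

def audit_telnet_block(config):
    """Return {acp_name: [findings]}; an empty list means no problem found."""
    sections = parse(config)
    acls = {h.split()[-1]: b for h, b in sections.items()
            if h.startswith("ip access-list extended ")}
    applied = {c.split()[1] for b in sections.values() for c in b if c.startswith("access-policy ")}
    report = {}
    for header, body in sections.items():
        for cmd in body:
            m = re.fullmatch(r"discard list (\S+) self", cmd)
            if not (m and header.startswith("ip policy-class ")):
                continue
            acp, findings = header.split()[-1], []
            # The ACL must use permit: that entry is what selects the traffic.
            if not any(re.fullmatch(r"permit tcp .+ eq telnet", e)
                       for e in acls.get(m.group(1), [])):
                findings.append(f"ACL {m.group(1)} has no permit entry selecting Telnet")
            if acp not in applied:
                findings.append(f"ACP {acp} is not assigned to an interface")
            report[acp] = findings
    return report
```

Calling audit_telnet_block(SAMPLE_CONFIG) returns an empty finding list for Manage and two findings for Broken, whose ACL uses a deny entry and which is not assigned to any interface.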
Permit HTTP, Mail, and POP3 Traffic. Some companies may want to
restrict incoming traffic on a WAN interface to HTTP, Simple Mail Transfer
Protocol (SMTP), POP3, and FTP traffic. To do so, you must configure an
extended ACL, as shown below:
ProCurve(config)# ip access-list extended Internet
ProCurve(config-ext-nacl)# permit tcp any any eq www
ProCurve(config-ext-nacl)# permit tcp any any eq smtp
ProCurve(config-ext-nacl)# permit tcp any any eq pop3
ProCurve(config-ext-nacl)# permit tcp any any eq ftp
ProCurve(config-ext-nacl)# permit tcp any any eq ftp-data
Note
If the Secure Router OS firewall and the FTP application-level gateway (ALG)
are enabled, you do not have to configure an entry to allow traffic on FTP data
port (21). The FTP ALG automatically allows the return traffic for an established
FTP session. For more information about ALGs, see Chapter 4:
ProCurve Secure Router OS Firewall—Protecting the Internal, Trusted
Network.


This manual is also suitable for:

Procurve secure router 7102 dl
