Restricting Specified Hosts - HP ProCurve Secure Router 7203 dl Advanced Management And Configuration Manual

Virtual Private Networks
Configuring a VPN Using IPSec
Extended ACLs allow you to select traffic according to its source and
destination IP address (among other fields in the IP header). To create an ACL
that selects traffic transmitted between two networks, enter the following
command:
Syntax: ip access-list extended <listname>
An ACL listname is alphanumeric and case-sensitive. For example:
ProCurve(config)# ip access-list extended VPNTraffic

Restricting Specified Hosts

You can enforce your organization's security policies by restricting certain
hosts from accessing the VPN tunnel. By default, the ACL excludes all hosts
not explicitly permitted. However, if certain hosts that should not be able to
access the VPN are on a permitted subnet, you will need to explicitly deny
them, as follows:
Syntax: deny ip [any | host <source A.B.C.D> | hostname <source hostname> |
<source A.B.C.D> <wildcard bits>] [any | host <destination A.B.C.D> | hostname
<destination hostname> | <destination A.B.C.D> <wildcard bits>]
Use the host keyword to deny a single host. Use wildcard bits to specify a
range of addresses. The wildcard bits operate on reverse logic from subnet
masks: an address bit whose wildcard bit is 1 is ignored when matching. In
effect, the decimal value of the wildcard bits in an octet corresponds to the
number of hosts that can be selected.
In this example, you exclude host 99 and hosts 192 through 223 in the
192.168.1.0/24 network from the VPN:
ProCurve(config-ext-nacl)# deny ip host 192.168.1.99 any
ProCurve(config-ext-nacl)# deny ip 192.168.1.192 0.0.0.31 any
To exclude a specific host or hosts from a permitted subnet, you must
enter the deny entry before the permit entry. This is because the ProCurve
Secure Router processes ACL entries in order and stops processing the list as
soon as it finds a match, so a deny entry placed after a broader permit entry
is never reached.
You can also deny specific hosts as a valid destination for traffic carried over
the VPN tunnel. For example:
ProCurve(config-ext-nacl)# deny ip any host 192.168.3.99
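The following added example (not code from the manual or from HP/ProCurve) models the two points above in Python: how a wildcard mask selects a range of addresses, and why the router's first-match processing means a deny entry must precede the permit entry. The parser handles only the `any`, `host A.B.C.D` and `A.B.C.D wildcard` forms shown in the syntax; the `hostname` form is omitted. The permit entry `permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255` is an assumed example of the permit statement the deny entries are placed in front of; the manual page does not show it.

```python
import ipaddress

def _to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True if addr matches base under a wildcard mask (a 1 bit means 'ignore this bit')."""
    keep = ~_to_int(wildcard) & 0xFFFFFFFF          # bits that must match
    return (_to_int(addr) & keep) == (_to_int(base) & keep)

def wildcard_size(wildcard: str) -> int:
    """Number of addresses a wildcard mask selects: one per combination of ignored bits."""
    return 1 << bin(_to_int(wildcard)).count("1")

def expand_wildcard(base: str, wildcard: str) -> list:
    """Enumerate every address selected by base/wildcard, lowest first."""
    b, w = _to_int(base), _to_int(wildcard)
    free_bits = [i for i in range(32) if (w >> i) & 1]
    out = []
    for n in range(1 << len(free_bits)):
        v = b & ~w & 0xFFFFFFFF
        for k, bit in enumerate(free_bits):
            if (n >> k) & 1:
                v |= 1 << bit
        out.append(v)
    return [str(ipaddress.IPv4Address(v)) for v in sorted(out)]

def _parse_addr(tokens, i):
    """Parse one address spec at tokens[i]; return ((base, wildcard), next_index)."""
    if tokens[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2

def parse_entry(line: str):
    """Parse '<deny|permit> ip <src spec> <dst spec>' into (action, src, dst)."""
    tokens = line.split()
    action = tokens[0]
    src, i = _parse_addr(tokens, 2)        # tokens[1] is the protocol ('ip')
    dst, _ = _parse_addr(tokens, i)
    return action, src, dst

def evaluate(acl_lines, src_ip: str, dst_ip: str) -> str:
    """First-match evaluation, as the router does it; unmatched traffic hits the implicit deny."""
    for line in acl_lines:
        action, (sb, sw), (db, dw) = parse_entry(line)
        if wildcard_match(src_ip, sb, sw) and wildcard_match(dst_ip, db, dw):
            return action
    return "deny"

# Deny entries from the manual, followed by an assumed permit entry for the subnet pair.
CORRECT_ORDER = [
    "deny ip host 192.168.1.99 any",
    "deny ip 192.168.1.192 0.0.0.31 any",
    "deny ip any host 192.168.3.99",
    "permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255",   # assumed
]
# Same entries with the permit first: the deny entries are never reached.
WRONG_ORDER = [CORRECT_ORDER[3]] + CORRECT_ORDER[:3]

if __name__ == "__main__":
    rng = expand_wildcard("192.168.1.192", "0.0.0.31")
    print(f"0.0.0.31 selects {wildcard_size('0.0.0.31')} hosts: {rng[0]} .. {rng[-1]}")
    for src in ("192.168.1.10", "192.168.1.99", "192.168.1.200"):
        print(src, "-> 192.168.3.10:",
              "correct order =", evaluate(CORRECT_ORDER, src, "192.168.3.10"),
              "| wrong order =", evaluate(WRONG_ORDER, src, "192.168.3.10"))
```

Running it shows that with the deny entries first, 192.168.1.99 and 192.168.1.200 are denied while 192.168.1.10 is permitted; with the permit entry first, all three are permitted, because the permit matches before any deny is examined.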

This manual is also suitable for: ProCurve Secure Router 7102 dl