packet-filter default permit outbound
packet-filter 3102 inbound
----End
Configuration Files
#
vlan 100
#
acl number 3102
 rule 5 permit tcp source 202.39.2.3 0 destination 129.38.1.2 0
 rule 10 permit tcp source 202.39.2.3 0 destination 129.38.1.3 0
 rule 15 permit tcp source 202.39.2.3 0 destination 129.38.1.4 0
 rule 20 deny ip
#
interface Vlanif100
 ip address 129.38.1.1 255.255.255.0
 zone trust
#
firewall zone trust
 priority 15
#
firewall zone untrust
 priority 1
#
firewall interzone trust untrust
 firewall enable
 packet-filter 3102 inbound
#
interface Ethernet0/0/0
 port link-type access
 port default vlan 100
#
interface GigabitEthernet0/0/1
 ip address 202.39.2.1 255.255.255.0
 zone untrust
#
return
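To check what ACL 3102 in the configuration file above actually admits, the following added example (not part of the Huawei guide) parses the four rule lines and applies them in ascending rule-ID order, first match wins. The function names `parse_acl` and `evaluate` are hypothetical, and the sample packets are constructed.

```python
import ipaddress

# ACL 3102 exactly as it appears in the configuration file above.
ACL_3102 = """\
rule 5 permit tcp source 202.39.2.3 0 destination 129.38.1.2 0
rule 10 permit tcp source 202.39.2.3 0 destination 129.38.1.3 0
rule 15 permit tcp source 202.39.2.3 0 destination 129.38.1.4 0
rule 20 deny ip
"""

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def _wildcard(text):
    # "0" is shorthand for wildcard 0.0.0.0 (every address bit must match).
    return 0 if text == "0" else _ip(text)

def parse_acl(text):
    """Parse 'rule <id> <action> <proto> [source A W] [destination A W]' lines."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "rule":
            continue
        rule = {"id": int(tok[1]), "action": tok[2], "proto": tok[3]}
        rest = tok[4:]
        for key in ("source", "destination"):
            if key in rest:
                i = rest.index(key)
                rule[key] = (_ip(rest[i + 1]), _wildcard(rest[i + 2]))
        rules.append(rule)
    return sorted(rules, key=lambda r: r["id"])

def _addr_match(spec, addr):
    if spec is None:                      # no address in the rule: matches any
        return True
    base, wild = spec
    care = ~wild & 0xFFFFFFFF             # wildcard bits set to 1 are ignored
    return (_ip(addr) & care) == (base & care)

def evaluate(rules, proto, src, dst):
    """Return (action, rule id) of the first matching rule, or (None, None)."""
    for r in rules:
        if r["proto"] not in ("ip", proto):
            continue
        if _addr_match(r.get("source"), src) and _addr_match(r.get("destination"), dst):
            return r["action"], r["id"]
    return None, None

RULES = parse_acl(ACL_3102)
```

`evaluate` takes no port argument because none of the permit rules names one: TCP from 202.39.2.3 to the three servers matches on any port, while UDP from the same host falls through to rule 20.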
3.14.2 Example for Configuring ASPF and Port Mapping
This example shows how to configure ASPF and port mapping on a network.
The Router can detect the packets of the specified application-layer protocols and discard the
undesired packets.
Networking Requirements
As shown in Figure 3-3, Ethernet0/0/0 of the Router is connected to a highly secure internal
network, and GE0/0/1 is connected to the insecure external network. The Router must filter the
packets and perform ASPF check between the internal network and the external network. The
following requirements must be met:
- A host (202.39.2.3) on the external network is allowed to access the servers in the internal network.
- Other hosts are not allowed to access the servers on the internal network.
- The Router checks the FTP status of the connections and filters the undesired packets.
- The packets from the external host are sent to the FTP servers through port 2121, which is used as the port of the FTP protocol.
Huawei AR1200-S Series Enterprise Routers
Configuration Guide - Security 3 Firewall Configuration
Issue 02 (2012-03-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.