R3303-HP HSR6800 Routers Security Configuration Guide

Applying an ASPF policy to an interface
An ASPF policy distinguishes two kinds of interface: the internal interface and the external interface.
When the device connects both to the internal network and to the Internet, and ASPF is used to protect
the internal servers, the interface connected to the internal network is the internal interface and the one
connected to the Internet is the external interface.
If both an ASPF policy and a packet-filter firewall are applied to the external interface, connections
initiated from the Internet toward the internal network are denied by the packet filter, while the return
packets of sessions that internal users initiated toward the Internet are admitted by ASPF, which has
recorded those sessions.
To monitor the traffic through an interface, apply the configured ASPF policy to that interface.
Because ASPF stores and maintains application layer protocol status on a per-interface basis, a connection
initiation packet and its corresponding return packets must traverse the same interface; a return packet
that arrives on a different interface is not matched against the recorded session.
To apply an ASPF policy to an interface:
Step 1. Enter system view.
    Command: system-view
    Remarks: N/A
Step 2. Enter interface view.
    Command: interface interface-type interface-number
    Remarks: N/A
Step 3. Apply an ASPF policy to the interface.
    Command: firewall aspf aspf-policy-number { inbound | outbound }
    Remarks: Not applied by default.
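The following configuration illustrates the external-interface case described above: an ASPF policy applied outbound on the Internet-facing interface together with an inbound packet filter that denies unsolicited traffic. It is an added example, not taken from this guide. The interface name GigabitEthernet 3/0/1, the policy number 1, and the ACL number 3001 are assumptions; the aspf-policy, detect, firewall enable and firewall packet-filter commands are used as documented in other sections of this guide and are not defined on this page.

```text
<Sysname> system-view
# Enable the firewall function (assumed from the firewall configuration section).
[Sysname] firewall enable
# ASPF policy 1 (assumed number): track TCP and UDP sessions and inspect HTTP and FTP
# at the application layer so that data connections and return packets are recognized.
[Sysname] aspf-policy 1
[Sysname-aspf-policy-1] detect tcp
[Sysname-aspf-policy-1] detect udp
[Sysname-aspf-policy-1] detect http
[Sysname-aspf-policy-1] detect ftp
[Sysname-aspf-policy-1] quit
# Advanced ACL 3001 (assumed number): deny all IP traffic arriving from the Internet.
# Return packets of sessions that ASPF has recorded are admitted by ASPF and are
# not blocked by this filter.
[Sysname] acl number 3001
[Sysname-acl-adv-3001] rule 0 deny ip
[Sysname-acl-adv-3001] quit
# GigabitEthernet 3/0/1 (assumed) is the external interface: filter inbound,
# track sessions outbound. Both directions of a session cross this one interface.
[Sysname] interface gigabitethernet 3/0/1
[Sysname-GigabitEthernet3/0/1] firewall packet-filter 3001 inbound
[Sysname-GigabitEthernet3/0/1] firewall aspf 1 outbound
[Sysname-GigabitEthernet3/0/1] quit
```

After an internal host opens an outbound connection, its session should appear in the ASPF session table while an unsolicited inbound connection attempt from the Internet is dropped by ACL 3001. Note that the ASPF policy is applied only to the external interface here; if internal-to-Internet traffic could leave through a second interface while the replies came back on GigabitEthernet 3/0/1, the replies would not match a recorded session and would be dropped by the packet filter.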
Configuring port mapping
Two mapping mechanisms exist: general port mapping and basic ACL–based host port mapping.
General port mapping—Refers to a mapping of a user-defined port number to an application layer
protocol. If port 8080 is mapped to HTTP, for example, all TCP packets with destination port 8080 are
regarded as HTTP packets.
Host port mapping—Refers to a mapping of a user-defined port number to an application layer
protocol for packets destined to specific hosts only. For example, you can establish a host port mapping
so that all TCP packets using port 8080 that are sent to the network segment 10.110.0.0 are regarded as
HTTP packets. The address range of the hosts is specified by means of a basic ACL.
To configure port mapping:
Step 1. Enter system view.
    Command: system-view
    Remarks: N/A
Step 2. Configure mapping between the port and the application protocol.
    Command: port-mapping application-name port port-number [ acl acl-number ]
    Remarks: Not configured by default.
    At present, the application layer protocols supported by this function include FTP, H323, HTTP,
    HTTPS, IKE, RTSP, SMTP, SSH, and VAM.
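The following configuration shows both mapping mechanisms from this section side by side: a general mapping of TCP port 8080 to HTTP for all hosts, and a host port mapping of TCP port 8443 to HTTPS restricted to the 10.110.0.0/16 segment through a basic ACL. It is an added example, not taken from this guide. The port 8443, the ACL number 2000 and the use of a different port for the host mapping are assumptions; a basic ACL carries only a source address field, so the host range described on this page is placed there.

```text
<Sysname> system-view
# General port mapping: every TCP packet with destination port 8080 is treated as HTTP,
# regardless of the destination host.
[Sysname] port-mapping http port 8080
# Basic ACL 2000 (assumed number) selects the hosts in 10.110.0.0/16 for the host mapping.
[Sysname] acl number 2000
[Sysname-acl-basic-2000] rule 0 permit source 10.110.0.0 0.0.255.255
[Sysname-acl-basic-2000] quit
# Host port mapping: TCP port 8443 (assumed) is treated as HTTPS only for packets sent to
# hosts matched by ACL 2000; port 8443 to any other host keeps its default meaning.
[Sysname] port-mapping https port 8443 acl 2000
```

Keep in mind that a port mapping only tells ASPF which application layer inspector to run on a given port; it does not by itself permit or deny that port. If the internal servers listen on non-standard ports, the mapping is what allows the policy's detect entries for HTTP or HTTPS to track those sessions, so configure the mapping before relying on ASPF to admit their return traffic.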