R3303-HP HSR6800 Routers Security Configuration Guide

Displaying ASPF
Task: Display all ASPF policy and session information.
Command: display aspf all [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.

Task: Display the ASPF policy configuration applied to the interface.
Command: display aspf interface [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.

Task: Display the configuration information of a specific ASPF policy.
Command: display aspf policy aspf-policy-number [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.

Task: Display the port mapping information.
Command: display port-mapping [ application-name | port port-number ] [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.
ASPF configuration example
Network requirements
Configure an ASPF policy on Router A that inspects ICMP error messages and drops the first packet of a TCP session if that packet is not a SYN packet.
This example applies to a scenario where local users need to access remote servers.
Figure 116 Network diagram
Configuration procedure
# Enable the firewall function on Router A.
<RouterA> system-view
[RouterA] firewall enable slot 3
# Configure ACL 3111 to deny all IP packets from entering the internal network. ASPF creates a temporary ACL (TACL) entry for packets that are permitted to pass the firewall.
[RouterA] acl number 3111
[RouterA-acl-adv-3111] rule deny ip
[RouterA-acl-adv-3111] quit
[Figure 116 labels: Router A, Router B; Internal network, External network; S2/1/1 10.1.1.1/24; GE3/0/2 192.168.1.1/24; Host 192.168.1.2/24; Server 2.2.2.11/24]
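
How the deny-all ACL 3111 and the temporary entries created by ASPF interact, as an added Python sketch that is not part of the original guide and is not Comware's implementation. It is a simplified model: the AspfModel class, the port numbers and the 2.2.2.12 sender are constructed for illustration, and timers, sequence-number checks and ICMP error inspection are left out.

```python
class AspfModel:
    """Simplified model of the behaviour described above (an assumption, not Comware code)."""

    def __init__(self):
        self.tacl = set()  # temporary entries that let return traffic past ACL 3111

    def outbound(self, src, sport, dst, dport, *flags):
        """TCP packet from the internal network leaving toward the external network."""
        reply = (dst, dport, src, sport)  # 4-tuple that the return traffic will carry
        if reply not in self.tacl:
            # No session yet: the first packet must be a bare SYN.
            if set(flags) != {"SYN"}:
                return "drop: non-SYN first packet"
            self.tacl.add(reply)
            return "permit: session and temporary entry created"
        if "RST" in flags:
            self.tacl.discard(reply)  # session torn down, temporary entry removed
            return "permit: session closed"
        return "permit: existing session"

    def inbound(self, src, sport, dst, dport, *flags):
        """TCP packet arriving from the external network."""
        if (src, sport, dst, dport) in self.tacl:
            return "permit: matches temporary entry"
        return "deny: ACL 3111 rule deny ip"  # static ACL applies to everything else


def run_demo():
    """Constructed traffic using the Host and Server addresses from Figure 116."""
    fw, host, server = AspfModel(), "192.168.1.2", "2.2.2.11"
    return [
        fw.outbound(host, 40000, server, 80, "ACK"),         # no prior SYN
        fw.inbound(server, 80, host, 40000, "SYN", "ACK"),   # unsolicited reply
        fw.outbound(host, 40000, server, 80, "SYN"),         # legitimate first packet
        fw.inbound(server, 80, host, 40000, "SYN", "ACK"),   # return traffic
        fw.inbound("2.2.2.12", 80, host, 40000, "ACK"),      # different sender
        fw.outbound(host, 40000, server, 80, "RST"),         # host resets the session
        fw.inbound(server, 80, host, 40000, "ACK"),          # after teardown
    ]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```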