User Guide

Chapter 2. Initialization Tasks
The embedded firewall can be used to restrict the network traffic that the gateway
exchanges over its interfaces, assuming the function of an enterprise firewall in a
network where an enterprise firewall may not be already deployed. The firewall rules
may or may not be associated with existing IPsec tunnels.
The embedded IPsec endpoint handles the requests to open IKEv2 and IPsec security
associations that the OmniAccess 3500 NLG cards originate from their current
locations. The gateway uses the IPsec endpoint rules to match incoming IKEv2 requests
with sets of IKEv2/IPsec parameters (Tunnel Table entries) to be used in the
configuration of the resulting security associations.
To add a packet classification rule:
1. Click Gateway on the main menu and then click Configure Advanced Settings.
2. On the Configure menu, click Rules.
3. Click New. A Connection Manager Rules (Add) window appears (Figure 15),
displaying the following fields:
o Precedence: Rule precedence with respect to other rules defined in the same
context. The priority of the rule is higher with a higher precedence value.
o Type: Rule type, to be chosen out of <Pass> (accept all packets matching the
rule), <Drop> (drop all packets matching the rule), and <Reject> (drop all
packets matching the rule and for each dropped packet notify the sender).
o Protocol: Protocol Identifier value carried by the packets that match the rule.
Options (choose one): <IP>, <TCP>, <UDP>, <ICMP>.
o Source IP/[Mask]: Range of IP addresses to be checked against the source IP
address field in the packet header.
o Source Port Low, Source Port High: Range of port values to be checked against
the source port field in the packet header.
o Destination IP/[Mask]: Range of IP addresses to be checked against the
destination IP address field in the packet header.
o Destination Port Low, Destination Port High: Range of port values to be
checked against the destination port field in the packet header.
o Interface Name: Network interface on the OmniAccess 3500 NLG gateway
where the packet filter rule applies. Options (choose one): <WAN> (for the
WAN/public interface of the gateway), <LAN> (for the LAN/private interface of
the gateway).
o Local Stack Direction: Packet direction with respect to the local IP stack of the
OmniAccess 3500 NLG gateway. Options (choose one): <ANY> (the rule applies
to traffic in any direction), <From> (the rule only applies to traffic from the
local IP stack, i.e., outgoing traffic), <To> (the rule only applies to traffic to
the local IP stack, i.e., incoming traffic).
o Tunnel Direction: This object enables the association of the packet
classification rule with a tunnel profile. Options (choose one): <None> (no
tunnel is to be associated with the rule, which is therefore strictly a packet
filtering rule), <To Tunnel> (packets matching the rule are dispatched through
an IPsec tunnel whose profile is identified by the <To Tunnel> value; if an
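The rule fields listed above, as an added example in Python (not code from the guide or from the OmniAccess 3500 NLG product): a minimal evaluator that applies a rule set with the semantics the guide gives, higher precedence value first, first match decides. The Rule and Packet structures, the sample rule set, the skipping of port checks for ICMP and the default-deny outcome when no rule matches are assumptions.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    precedence: int        # higher value wins, as the guide states
    type: str              # "Pass", "Drop" or "Reject"
    protocol: str          # "IP" matches any protocol; otherwise "TCP", "UDP" or "ICMP"
    src: str               # Source IP/[Mask] in CIDR notation
    src_ports: tuple       # (Source Port Low, Source Port High)
    dst: str               # Destination IP/[Mask]
    dst_ports: tuple       # (Destination Port Low, Destination Port High)
    interface: str         # "WAN" or "LAN"
    local_stack_dir: str   # "ANY", "From" (outgoing) or "To" (incoming)

@dataclass
class Packet:
    protocol: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    interface: str
    local_stack_dir: str   # "From" or "To", relative to the gateway's own IP stack

def matches(rule, pkt):
    """True when every field of the rule accepts the packet."""
    if rule.protocol not in ("IP", pkt.protocol) or rule.interface != pkt.interface:
        return False
    if rule.local_stack_dir not in ("ANY", pkt.local_stack_dir):
        return False
    if (ipaddress.ip_address(pkt.src_ip) not in ipaddress.ip_network(rule.src, strict=False)
            or ipaddress.ip_address(pkt.dst_ip) not in ipaddress.ip_network(rule.dst, strict=False)):
        return False
    if pkt.protocol == "ICMP":  # assumption: ICMP has no ports, so the port ranges are ignored
        return True
    return (rule.src_ports[0] <= pkt.src_port <= rule.src_ports[1]
            and rule.dst_ports[0] <= pkt.dst_port <= rule.dst_ports[1])

def classify(rules, pkt, default="Drop"):
    # Highest precedence first; the first matching rule decides (default-deny is an assumption).
    for rule in sorted(rules, key=lambda r: r.precedence, reverse=True):
        if matches(rule, pkt):
            return rule.type
    return default
# Constructed sample rule set: admit IKE (UDP/500) to the gateway's own stack on the WAN,
# reject inbound TCP from one WAN host, pass anything from the private LAN range.
RULES = [
    Rule(100, "Pass", "UDP", "0.0.0.0/0", (0, 65535), "0.0.0.0/0", (500, 500), "WAN", "To"),
    Rule(50, "Reject", "TCP", "203.0.113.7/32", (0, 65535), "0.0.0.0/0", (0, 65535), "WAN", "To"),
    Rule(10, "Pass", "IP", "192.168.0.0/16", (0, 65535), "0.0.0.0/0", (0, 65535), "LAN", "ANY"),
]
```

Note that a rule with Local Stack Direction <To> never matches traffic the gateway itself originates, so the third packet below falls through to the default.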