F3726, F3211, F3174, R5135, R3816-HP Firewalls and UTM Devices System Management and Maintenance Configuration Guide-6PW100

Step 4. Add an interface to the security zone.
    Command: import interface interface-type interface-number [ vlan vlan-id ]
    Remarks: Required. By default, a security zone contains no interface.
Step 5. Enter interface view.
    Command: interface interface-type interface-number
    Remarks: N/A
Step 6. Enable IP virtual fragment reassembly.
    Command: ip virtual-reassembly [ drop-fragments | max-fragments number | max-reassemblies number | timeout seconds ] *
    Remarks: By default, the feature is disabled.
Configuration example
Network requirements
As shown in Figure 11, configure devices as follows:
Firewall connects to Host and Router.
NAT is enabled on GigabitEthernet 0/2 of Firewall.
Configure IP virtual fragment reassembly on GigabitEthernet 0/2 of Firewall.
Figure 11 Network diagram
Configuration procedure
1. Configure the host:
# Configure a route so that the Host, Firewall, and Router can communicate with each other.
(Details not shown.)
2. Configure Firewall:
# Configure NAT and IP virtual fragment reassembly.
<Firewall> system-view
[Firewall] nat static 10.1.1.1 11.2.2.3
[Firewall] interface gigabitethernet 0/2
[Firewall-GigabitEthernet0/2] nat outbound static
[Firewall-GigabitEthernet0/2] ip virtual-reassembly
[Firewall-GigabitEthernet0/2] quit
# Enable IP virtual fragment reassembly.
[Firewall] zone name trust
[Firewall-zone-trust] import interface gigabitethernet 0/1
[Firewall-zone-trust] ip virtual-reassembly
With the IP virtual fragment reassembly feature, Firewall checks, sequences, and caches fragments that
do not arrive in order at GigabitEthernet0/2. You can use the display ip virtual-reassembly command to
view related information.
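
A small Python model of the check, sequence, and cache behaviour described above, added here as an illustration; it is not code from this guide or from the device. The class and field names, and the meanings given to drop-fragments, max-fragments, max-reassemblies, and timeout, are assumptions inferred from the option names.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Frag:
    """One IPv4 fragment; offset and length are in bytes (constructed model)."""
    src: str
    dst: str
    ident: int
    offset: int
    length: int
    more: bool  # MF (more fragments) flag

@dataclass
class VirtualReassembler:
    # Field names mirror the CLI options; their meanings here are assumptions.
    drop_fragments: bool = False
    max_fragments: int = 16      # fragments allowed per datagram
    max_reassemblies: int = 64   # partial datagrams cached at once
    timeout: float = 3.0         # seconds a partial datagram is kept
    table: dict = field(default_factory=dict)

    def receive(self, f: Frag, now: float):
        """Return (verdict, fragments): 'cache', 'drop', or 'forward' in order."""
        if self.drop_fragments:
            return "drop", []
        # Age out partial datagrams so held fragments cannot pin memory.
        for k in [k for k, (t0, _) in self.table.items() if now - t0 > self.timeout]:
            del self.table[k]
        key = (f.src, f.dst, f.ident)
        if key not in self.table:
            if len(self.table) >= self.max_reassemblies:
                return "drop", []
            self.table[key] = (now, [])
        frags = self.table[key][1]
        # Check: overlapping byte ranges or too many pieces discard the datagram.
        overlap = any(f.offset < g.offset + g.length and g.offset < f.offset + f.length
                      for g in frags)
        if overlap or len(frags) >= self.max_fragments:
            del self.table[key]
            return "drop", []
        # Sequence: keep the cache ordered by offset regardless of arrival order.
        frags.append(f)
        frags.sort(key=lambda g: g.offset)
        contiguous = all(g.offset == sum(h.length for h in frags[:i])
                         for i, g in enumerate(frags))
        if not contiguous or frags[-1].more or any(not g.more for g in frags[:-1]):
            return "cache", []
        del self.table[key]
        return "forward", frags
```

Feeding the model three fragments in the order last, first, middle returns "cache" twice and then "forward" with the fragments sorted by offset; a fragment that overlaps one already cached returns "drop" and clears the entry.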
Figure 11 labels: Host (10.1.1.1/8); Firewall GE0/1 (10.1.1.2/8) and GE0/2 (11.2.2.2/8); Router Eth1/1 (11.2.2.1/8).