ProCurve VPN Client and ProCurve Secure Router 7000dl Series - Application Note

8. Allow Traffic Through Firewall
a) If the firewall feature is enabled on the ProCurve 7000dl router, then Extended ACLs
will need to be added to the configuration. IP access-list extended vpn_lan will use the
following permit statement:
Figure 11 Permitting remote LAN traffic into the local ProCurve 7000dl series router

    SecureSiteRouter(config)# ip firewall
    SecureSiteRouter(config)# ip access-list extended VPN_to_LAN
    SecureSiteRouter(config-ext-nacl)# permit ip 192.168.4.0 0.0.0.255 192.168.100.0 0.0.0.255

b) The Extended ACL must be added to the appropriate policy-class before it takes
effect. NOTE: Policy-class names are case sensitive. The policy-class names
below may need to be changed to match the current policy-class nomenclature.
If a discard list MATCHALL statement is already in the policy-class, be sure to remove it
by using the no form of the command, then re-enter the discard list MATCHALL
statement after entering the new statements; policy-class statements are evaluated in
order, so a catch-all discard placed before the new allow statement would block the
VPN traffic. The UNTRUSTED policy-class is used for traffic coming from the Internet.
This policy-class is attached to interface ppp 1. Figure 12 gives an example of the
commands.

Figure 12 Allow traffic specified by ACL into UNTRUSTED interface

    SecureSiteRouter(config)# ip policy-class UNTRUSTED
    SecureSiteRouter(config-ext-nacl)# no discard list MATCHALL (optional, see above text)
    SecureSiteRouter(config-ext-nacl)# allow list VPN_to_LAN
    SecureSiteRouter(config-ext-nacl)# discard list MATCHALL
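The two pitfalls this step warns about (case-sensitive list names and a discard list MATCHALL left in front of the new allow statement) are easy to check for in a saved running-config. The audit below is an added example, not part of the application note or of the router's own tooling; the configuration excerpt is constructed to resemble Figures 11 and 12 and deliberately contains both mistakes.

```python
import re

# Constructed running-config excerpt, modelled on Figures 11 and 12. It deliberately
# contains both mistakes this section warns about: an ACL referenced with the wrong
# case, and a 'discard list MATCHALL' that was not removed before the new allow line.
SAMPLE_CONFIG = """\
ip firewall
ip access-list extended VPN_to_LAN
  permit ip 192.168.4.0 0.0.0.255 192.168.100.0 0.0.0.255
ip policy-class UNTRUSTED
  allow list vpn_to_lan
  discard list MATCHALL
  allow list VPN_to_LAN
"""

def parse_config(text):
    """Return (defined extended ACL names, {policy-class: [(action, list)]})."""
    acls, classes, current = set(), {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"ip access-list extended (\S+)", line):
            acls.add(m.group(1))
            current = None          # leave policy-class mode; permit lines are not collected
        elif m := re.fullmatch(r"ip policy-class (\S+)", line):
            current = classes.setdefault(m.group(1), [])
        elif (m := re.match(r"(allow|discard) list (\S+)", line)) and current is not None:
            current.append((m.group(1), m.group(2)))
    return acls, classes

def audit_policy_classes(text):
    """One finding per policy-class statement that will not behave as intended."""
    acls, classes = parse_config(text)
    by_lower = {a.lower(): a for a in acls}      # for case-mismatch hints
    findings = []
    for name, entries in classes.items():
        for i, (action, acl) in enumerate(entries):
            if acl == "MATCHALL":
                # Statements are evaluated in order: a catch-all discard that is not
                # the last entry silently blocks everything allowed after it.
                later = len(entries) - i - 1
                if action == "discard" and later:
                    findings.append(f"{name}: 'discard list MATCHALL' shadows {later} later statement(s)")
            elif acl not in acls:
                hint = by_lower.get(acl.lower())
                detail = f" (defined ACL is '{hint}'; names are case sensitive)" if hint else ""
                findings.append(f"{name}: '{action} list {acl}' references an undefined ACL{detail}")
    return findings
```

Running `audit_policy_classes(SAMPLE_CONFIG)` reports the mis-cased list reference and the shadowing discard; a config with the statements in the order of Figure 12 returns no findings.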