R2511-HP MSR Router Series Security Configuration Guide(V5)
349
Figure 112 Network diagram
Configuration procedure
# Enable the firewall function on the router.
<Router> system-view
[Router] firewall enable
# Create advanced ACL 3001.
[Router] acl number 3001
# Configure rules to permit specific hosts to access external networks and permit internal servers to
access external networks.
[Router-acl-adv-3001] rule permit ip source 129.1.1.1 0
[Router-acl-adv-3001] rule permit ip source 129.1.1.2 0
[Router-acl-adv-3001] rule permit ip source 129.1.1.3 0
[Router-acl-adv-3001] rule permit ip source 129.1.1.4 0
# Configure a rule to prohibit all IP packets from passing the firewall.
[Router-acl-adv-3001] rule deny ip
[Router-acl-adv-3001] quit
# Create advanced ACL 3002.
[Router] acl number 3002
# Configure a rule to allow a specific external user to access internal servers.
[Router-acl-adv-3002] rule permit tcp source 20.3.3.3 0 destination 129.1.1.0 0.0.0.255
# Configure a rule to permit specific data (only packets of which the port number is greater than 1024)
to get access to the internal network.
[Router-acl-adv-3002] rule permit tcp destination 20.1.1.1 0 destination-port gt 1024
[Router-acl-adv-3002] rule deny ip
[Router-acl-adv-3002] quit
# Apply ACL 3001 to packets that come in through Ethernet 1/1.
[Router] interface ethernet 1/1
[Router-Ethernet1/1] firewall packet-filter 3001 inbound
# Apply ACL 3002 to packets that come in through Serial 2/0.
[Router-Ethernet1/1] quit
[Router] interface serial 2/0
[Router-Serial2/0] firewall packet-filter 3002 inbound