HP MSR2000/3000/4000 Router Series Security Configuration Guide

Generic TCP/UDP inspection requires a full match between the packets returned to the external interface and the packets previously sent out of that interface: the source and destination addresses and port numbers must match exactly. Otherwise, the return packets are blocked. For multi-channel application layer protocols such as FTP, deploying TCP inspection without application layer inspection therefore prevents the data connection from being established, because the data channel uses addresses and ports that were never seen in the outbound control connection.
ASPF configuration task list
Tasks at a glance
(Required.) Configuring an ASPF policy
(Required.) Applying an ASPF policy to an interface
Configuring an ASPF policy
Follow these guidelines when you configure an ASPF policy:
For a multi-channel protocol, if you enable TCP or UDP inspection without configuring application layer protocol inspection, the device might not be able to receive response packets. HP recommends that you enable application layer protocol inspection together with TCP/UDP inspection.
For a single-channel protocol, such as Telnet, you only need to configure the transport layer protocol (TCP or UDP) inspection.
To configure an ASPF policy:

Step 1. Enter system view.
    Command: system-view
    Remarks: N/A

Step 2. Create an ASPF policy and enter its view.
    Command: aspf-policy aspf-policy-number
    Remarks: By default, no ASPF policy exists on the device.

Step 3. (Optional.) Configure ASPF inspection for application layer or transport layer protocols.
    Command: detect { dccp | ftp | gtp | h323 | icmp | icmpv6 | rawip | rtsp | sctp | sip | tcp | tftp | udp | udp-lite }
    Remarks: By default, ASPF inspection is not configured for application layer and transport layer protocols.

Step 4. (Optional.) Enable ICMP error message check and drop the packets that fail the check.
    Command: icmp-error drop
    Remarks: By default, the ICMP error message check is disabled.

Step 5. (Optional.) Drop a non-SYN packet that is the first packet over a TCP connection.
    Command: tcp syn-check
    Remarks: By default, a non-SYN packet that is the first packet over a TCP connection is not dropped.
Applying an ASPF policy to an interface
You can apply an ASPF policy to the inbound direction of an interface to monitor incoming traffic on that interface, and to the outbound direction to monitor outgoing traffic. ASPF matches all incoming or outgoing packets against its session entries. If a packet does not match any existing session entry, ASPF creates a new session entry for it.
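The following Python model is an added illustration of the session matching described in the opening paragraph and in the interface section above; it is not HP code and does not reproduce the device's implementation. It assumes a policy applied in the outbound direction of an external interface, an active-mode FTP session (the client sends a PORT command and the server opens the data connection back to the client), and a simplification that the server's source port on the data connection is not checked. All addresses and ports are constructed sample values. Running the two FTP scenarios shows why `detect tcp` alone blocks the data channel while `detect tcp` plus `detect ftp` lets it through, and the last function shows the effect of `tcp syn-check` on a stray first packet.

```python
"""Toy model of ASPF session matching (added example, not device code)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False     # TCP SYN flag (only meaningful for tcp)
    payload: str = ""     # application data, e.g. an FTP control command


# Active-mode FTP PORT command: "PORT h1,h2,h3,h4,p1,p2"
PORT_RE = re.compile(r"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


class AspfPolicy:
    """Minimal ASPF policy applied outbound on an external interface."""

    def __init__(self, detect, syn_check=False):
        self.detect = set(detect)   # protocols enabled with 'detect', e.g. {"tcp", "ftp"}
        self.syn_check = syn_check  # models 'tcp syn-check'
        self.sessions = set()       # 5-tuples of traffic sent out of the interface
        self.pinholes = set()       # expected data channels learned by application inspection

    def outbound(self, pkt: Packet) -> bool:
        """Return True if the outgoing packet is forwarded; record its session."""
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if pkt.proto not in self.detect:
            return True             # not inspected: forwarded, but no session entry is created
        if (pkt.proto == "tcp" and self.syn_check and not pkt.syn
                and key not in self.sessions):
            return False            # non-SYN first packet of a TCP connection is dropped
        self.sessions.add(key)
        if "ftp" in self.detect and pkt.dport == 21:
            self._inspect_ftp(pkt)
        return True

    def _inspect_ftp(self, pkt: Packet) -> None:
        """Application layer inspection: learn the data channel from a PORT command."""
        m = PORT_RE.search(pkt.payload)
        if not m:
            return
        h = m.groups()
        client_ip = ".".join(h[:4])
        client_port = int(h[4]) * 256 + int(h[5])
        # The server will connect to client_ip:client_port. Simplification (assumption):
        # the server's own source port (normally 20) is not part of the pinhole.
        self.pinholes.add(("tcp", pkt.dst, client_ip, client_port))

    def inbound(self, pkt: Packet) -> bool:
        """Return True if the returning packet matches a session or a learned pinhole."""
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reverse in self.sessions:
            return True             # exact match of addresses and ports, as generic inspection requires
        if (pkt.proto, pkt.src, pkt.dst, pkt.dport) in self.pinholes:
            self.sessions.add(reverse)  # promote the expected data channel to a session entry
            return True
        return False                # no matching entry: blocked


def ftp_active_mode(detect):
    """Run an FTP control connection plus PORT command through a policy.

    Returns (control_reply_allowed, data_connection_allowed).
    """
    fw = AspfPolicy(detect=detect, syn_check=True)
    client, server = "10.0.0.5", "203.0.113.10"   # constructed sample addresses
    fw.outbound(Packet("tcp", client, 40000, server, 21, syn=True))
    fw.outbound(Packet("tcp", client, 40000, server, 21,
                       payload="PORT 10,0,0,5,160,1\r\n"))   # 160*256+1 = 40961
    control_reply = fw.inbound(Packet("tcp", server, 21, client, 40000))
    data_syn = fw.inbound(Packet("tcp", server, 20, client, 40961, syn=True))
    return control_reply, data_syn


def first_packet_without_syn(syn_check):
    """Return whether a non-SYN TCP packet with no existing session is forwarded."""
    fw = AspfPolicy(detect={"tcp"}, syn_check=syn_check)
    return fw.outbound(Packet("tcp", "10.0.0.9", 5000, "198.51.100.7", 80))


if __name__ == "__main__":
    print("detect tcp only:      ", ftp_active_mode({"tcp"}))
    print("detect tcp + ftp:     ", ftp_active_mode({"tcp", "ftp"}))
    print("syn-check on, no SYN: ", first_packet_without_syn(True))
```

The model keeps the device's two rules separate: generic inspection only ever compares the reversed 5-tuple of a return packet against what was sent out, while application inspection adds entries that generic inspection could never derive from the control connection. That separation is exactly why the guidelines above recommend enabling both for multi-channel protocols and only the transport layer protocol for single-channel ones such as Telnet.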