R0106-HP MSR Router Series Security Configuration Guide(V7)

Figure 109 Network diagram
Configuration procedure
# Configure ACL 3111 to deny all IP packets.
<RouterA> system-view
[RouterA] acl number 3111
[RouterA-acl-adv-3111] rule deny ip
[RouterA-acl-adv-3111] quit
# Create ASPF policy 1 for FTP inspection.
[RouterA] aspf-policy 1
[RouterA-aspf-policy-1] detect ftp
[RouterA-aspf-policy-1] quit
# Apply ACL 3111 to deny all incoming IP packets on interface GigabitEthernet 2/1/1.
[RouterA] interface gigabitethernet 2/1/1
[RouterA-GigabitEthernet2/1/1] packet-filter 3111 inbound
# Apply ASPF policy 1 to the outbound direction of interface GigabitEthernet 2/1/1.
[RouterA-GigabitEthernet2/1/1] aspf apply policy 1 outbound
Verifying the configuration
# Display ASPF sessions on Router A.
<RouterA> display aspf session ipv4
Initiator:
Source IP/port: 192.168.1.2/1877
Destination IP/port: 2.2.2.11/21
VPN instance/VLAN ID/VLL ID: -/-/-
Protocol: TCP(6)
Total sessions found: 1
The output shows that an ASPF session has been established for the FTP connection between the host and the FTP server.
# Verify that only the return packets of FTP connections can enter the internal network. (Details not shown.)
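The following Python model is an added example and is not part of the HP configuration guide or the router software. It mimics what the configuration above does on GigabitEthernet 2/1/1: ACL 3111 denies every inbound IP packet, while ASPF policy 1 records each outbound flow as a session and, because of `detect ftp`, also reads the FTP control channel so that an active-mode data connection opened by the server can be let in. Class and function names (`Packet`, `AspfPolicy`, `Interface`, `run_scenario`) and the packet sequence are constructed for the example; the host and server addresses are the ones from the session display above.

```python
"""Toy model of ASPF stateful inspection on an interface with
'packet-filter 3111 inbound' (rule deny ip) and 'aspf apply policy 1 outbound'.
Added example; all names here are constructed, not H3C/HP CLI objects."""
import re
from dataclasses import dataclass, field

OUTBOUND = "outbound"
INBOUND = "inbound"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "TCP"
    payload: str = ""  # only FTP control commands are looked at


@dataclass
class AspfPolicy:
    """Models 'aspf-policy 1' with 'detect ftp': a session table plus
    data-channel pinholes learned from FTP PORT commands."""
    detect_ftp: bool = True
    sessions: set = field(default_factory=set)  # initiator 5-tuples of outbound flows
    pinholes: set = field(default_factory=set)  # (server_ip, client_ip, client_port)

    def inspect_outbound(self, pkt: Packet) -> None:
        # Every outbound flow gets a session entry so its return packets are permitted.
        self.sessions.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto))
        # Application-layer part: in active-mode FTP the client announces
        # "PORT h1,h2,h3,h4,p1,p2" and the server then opens the data connection
        # towards the client. A plain ACL cannot predict that port; ASPF can.
        if self.detect_ftp and pkt.dst_port == 21:
            m = re.match(r"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)", pkt.payload)
            if m:
                client_ip = ".".join(m.group(i) for i in range(1, 5))
                client_port = int(m.group(5)) * 256 + int(m.group(6))
                self.pinholes.add((pkt.dst_ip, client_ip, client_port))

    def permits_inbound(self, pkt: Packet) -> bool:
        # Return packet of a known session: the reversed 5-tuple must exist.
        if (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto) in self.sessions:
            return True
        # Server-initiated FTP data connection to the announced client port.
        if self.detect_ftp and pkt.proto == "TCP" and \
                (pkt.src_ip, pkt.dst_ip, pkt.dst_port) in self.pinholes:
            return True
        return False


class Interface:
    """GigabitEthernet 2/1/1 as configured: ASPF outbound, deny-all ACL inbound."""

    def __init__(self, aspf: AspfPolicy):
        self.aspf = aspf

    def forward(self, pkt: Packet, direction: str) -> str:
        if direction == OUTBOUND:
            self.aspf.inspect_outbound(pkt)
            return "permit"
        # Inbound: an ASPF session match takes precedence over the packet filter;
        # anything else hits 'rule deny ip' of ACL 3111.
        return "permit" if self.aspf.permits_inbound(pkt) else "deny"


def run_scenario():
    """Constructed traffic: FTP control session 192.168.1.2:1877 -> 2.2.2.11:21 (as in the
    'display aspf session ipv4' output), an active-mode data connection, and two
    unsolicited inbound packets that the ACL must drop."""
    host, server = "192.168.1.2", "2.2.2.11"
    fw = Interface(AspfPolicy())
    r = {}
    r["ctrl_syn"] = fw.forward(Packet(host, 1877, server, 21), OUTBOUND)
    r["ctrl_synack"] = fw.forward(Packet(server, 21, host, 1877), INBOUND)
    # Client announces data port 7*256+210 = 2002; server connects from port 20.
    r["port_cmd"] = fw.forward(
        Packet(host, 1877, server, 21, payload="PORT 192,168,1,2,7,210"), OUTBOUND)
    r["data_syn_from_server"] = fw.forward(Packet(server, 20, host, 2002), INBOUND)
    # Not a return packet of any session: dropped by ACL 3111.
    r["unsolicited"] = fw.forward(Packet(server, 40000, host, 445), INBOUND)
    # Same server port 21, but the client port never opened a session: dropped too.
    r["wrong_port"] = fw.forward(Packet(server, 21, host, 1878), INBOUND)
    return r, fw


if __name__ == "__main__":
    results, fw = run_scenario()
    for name, verdict in results.items():
        print(f"{name:22s} {verdict}")
    print("sessions:", sorted(fw.aspf.sessions))
```

The model is deliberately stateless about TCP flags and timeouts; the point it shows is the split between the two mechanisms: the inbound ACL gives the default of "nothing enters", and ASPF selectively opens the return path, including the server-initiated FTP data channel that a static ACL could only allow by permitting a wide port range.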