HP VPN Firewall Appliances Access Control Configuration Guide

2. Create IPv4 advanced ACL 3000, and configure three rules in the ACL. One rule permits access
from the president office to the financial database server, one rule permits access from the
financial department to the database server during working hours, and one rule denies access
from any other department to the database server at any time.
[Firewall] acl number 3000
[Firewall-acl-adv-3000] rule permit ip source 192.168.1.0 0.0.0.255 destination 192.168.0.100 0
[Firewall-acl-adv-3000] rule permit ip source 192.168.2.0 0.0.0.255 destination 192.168.0.100 0 time-range work
[Firewall-acl-adv-3000] rule deny ip source any destination 192.168.0.100 0
[Firewall-acl-adv-3000] quit
3. Configure security zones:
# Create a security zone named department, and add interfaces GigabitEthernet 0/2, GigabitEthernet 0/3, and GigabitEthernet 0/4 to the security zone.
[Firewall] zone name department id 10
[Firewall-zone-department] import interface gigabitethernet 0/2
[Firewall-zone-department] import interface gigabitethernet 0/3
[Firewall-zone-department] import interface gigabitethernet 0/4
[Firewall-zone-department] quit
# Create a security zone named database, and add interface GigabitEthernet 0/1 to the security zone.
[Firewall] zone name database id 10
[Firewall-zone-database] import interface gigabitethernet 0/1
[Firewall-zone-database] quit
4. Create an interzone instance from source zone department to destination zone database, create
the interzone policy by referencing IPv4 advanced ACL 3000, and enable the interzone policy.
[Firewall] interzone source department destination database
[Firewall-interzone-department-database] rule acl 3000
[Firewall-interzone-department-database] rule acl enable
[Firewall-interzone-department-database] quit
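The following script is an added example, not part of the HP guide or the firewall software: it models how ACL 3000 evaluates a packet so the intended policy (president office always, financial department only in working hours, everyone else denied) can be checked before the interzone policy is deployed. It assumes rules are matched in the order configured, that the time range named work (defined earlier in the guide) means Monday to Friday, 08:00 to 18:00, and that a packet matching no rule is left to the interzone default.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional
import ipaddress

# Assumed definition of time range "work": Monday to Friday, 08:00-18:00.
def in_time_range_work(ts: datetime) -> bool:
    return ts.weekday() < 5 and 8 <= ts.hour < 18

TIME_RANGES = {"work": in_time_range_work}

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """ACL wildcard (inverse mask) match: wildcard bit 1 = don't care,
    wildcard bit 0 = address bit must equal the base address bit."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)

@dataclass
class Rule:
    action: str                        # "permit" or "deny"
    src: str                           # source base address ("any" -> 0.0.0.0)
    src_wc: str                        # source wildcard; "0" on the CLI is 0.0.0.0
    dst: str
    dst_wc: str
    time_range: Optional[str] = None   # None means the rule is always active

# ACL 3000 exactly as configured above, in configuration order.
ACL_3000 = [
    Rule("permit", "192.168.1.0", "0.0.0.255", "192.168.0.100", "0.0.0.0"),
    Rule("permit", "192.168.2.0", "0.0.0.255", "192.168.0.100", "0.0.0.0", "work"),
    Rule("deny", "0.0.0.0", "255.255.255.255", "192.168.0.100", "0.0.0.0"),
]

def evaluate(acl, src: str, dst: str, ts: datetime) -> Optional[str]:
    """Return the action of the first active matching rule. A rule whose
    time range is not active at `ts` is skipped. None means no rule
    matched, so the interzone policy default applies (assumption)."""
    for rule in acl:
        if rule.time_range and not TIME_RANGES[rule.time_range](ts):
            continue
        if wildcard_match(src, rule.src, rule.src_wc) and \
           wildcard_match(dst, rule.dst, rule.dst_wc):
            return rule.action
    return None

if __name__ == "__main__":
    # Constructed timestamps: a Monday at 10:00 and a Sunday at 10:00.
    for who, src in [("president", "192.168.1.5"), ("finance", "192.168.2.7"), ("other", "192.168.3.9")]:
        for ts in (datetime(2024, 1, 8, 10), datetime(2024, 1, 7, 10)):
            print(who, ts.strftime("%a %H:%M"), evaluate(ACL_3000, src, "192.168.0.100", ts))
```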
Verifying the configuration
# Ping the financial database server from a PC in the financial department during working hours. (All PCs
in this example run Windows XP.)
C:\> ping 192.168.0.100
Pinging 192.168.0.100 with 32 bytes of data:
Reply from 192.168.0.100: bytes=32 time=1ms TTL=255
Reply from 192.168.0.100: bytes=32 time<1ms TTL=255
Reply from 192.168.0.100: bytes=32 time<1ms TTL=255
Reply from 192.168.0.100: bytes=32 time<1ms TTL=255
Ping statistics for 192.168.0.100:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 1ms, Average = 0ms
The output shows that the financial database server can be pinged.