HP VPN Firewall Appliances Access Control Configuration Guide
• Deploy the servers in security zone DMZ, and add the interface connected to the servers (GigabitEthernet 0/1) to security zone DMZ.
• Create interzone instances and enable ASPF for the instances.
Configuration procedure
# Add interface GigabitEthernet 0/0 to security zone Trust.
<Firewall> system-view
[Firewall] zone name Trust
[Firewall-zone-Trust] import interface gigabitethernet 0/0
[Firewall-zone-Trust] quit
# Add interface GigabitEthernet 0/1 to security zone DMZ.
[Firewall] zone name DMZ
[Firewall-zone-DMZ] import interface gigabitethernet 0/1
[Firewall-zone-DMZ] quit
# Add interface GigabitEthernet 0/2 to security zone Untrust.
[Firewall] zone name Untrust
[Firewall-zone-Untrust] import interface gigabitethernet 0/2
[Firewall-zone-Untrust] quit
# Create an interzone instance with source security zone Trust and destination security zone Untrust, and enable ASPF for the instance.
[Firewall] interzone source Trust destination Untrust
[Firewall-interzone-Trust-Untrust] firewall aspf enable
[Firewall-interzone-Trust-Untrust] quit
# Create an interzone instance with source security zone Trust and destination security zone DMZ, and enable ASPF for the instance.
[Firewall] interzone source Trust destination DMZ
[Firewall-interzone-Trust-DMZ] firewall aspf enable
[Firewall-interzone-Trust-DMZ] quit
Verifying the configuration
After the configuration, internal hosts should be able to access Internet resources and the resources in security zone DMZ, and access requests initiated from the Internet should be denied.
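The following is an added example, not part of the guide or of the appliance's software: it parses the zone and interzone commands above (as they would appear in a running configuration) and then models the stateful behaviour that ASPF on those interzone instances produces, so the verification expectation can be checked against sample flows. The interface names and zone pairs come from the procedure; the IP addresses and ports in the checks are constructed.

```python
import re

# Constructed sample: the zone and interzone commands from the procedure above,
# as they would appear in the running configuration (prompts stripped).
SAMPLE_CONFIG = """\
zone name Trust
 import interface gigabitethernet 0/0
zone name DMZ
 import interface gigabitethernet 0/1
zone name Untrust
 import interface gigabitethernet 0/2
interzone source Trust destination Untrust
 firewall aspf enable
interzone source Trust destination DMZ
 firewall aspf enable
"""

def parse_config(text):
    """Return (interface -> zone map, set of (source, destination) zone pairs with ASPF)."""
    iface_zone, aspf_pairs = {}, set()
    zone = pair = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"zone name (\S+)$", line):
            zone, pair = m.group(1), None
        elif m := re.match(r"import interface (\S+ \S+)$", line):
            if zone:
                iface_zone[m.group(1).lower()] = zone
        elif m := re.match(r"interzone source (\S+) destination (\S+)$", line):
            pair, zone = (m.group(1), m.group(2)), None
        elif line == "firewall aspf enable" and pair:
            aspf_pairs.add(pair)
    return iface_zone, aspf_pairs

class AspfModel:
    """Stateful model of the resulting behaviour: a flow may be initiated only from the
    source zone of an ASPF interzone instance; the reverse direction passes only packets
    that match a session created by such a flow. Everything else is denied."""
    def __init__(self, iface_zone, aspf_pairs):
        self.iface_zone, self.aspf_pairs, self.sessions = iface_zone, aspf_pairs, set()

    def packet(self, in_if, out_if, src, sport, dst, dport):
        """Return 'permit' or 'deny' for one packet; zones come from the in/out interfaces."""
        sz, dz = self.iface_zone.get(in_if.lower()), self.iface_zone.get(out_if.lower())
        if (sz, dz) in self.aspf_pairs:          # initiator direction: create a session
            self.sessions.add((src, sport, dst, dport))
            return "permit"
        if (dz, sz) in self.aspf_pairs and (dst, dport, src, sport) in self.sessions:
            return "permit"                      # return traffic of an existing session
        return "deny"

def audit(aspf_pairs, external="Untrust"):
    """Flag any interzone instance that would let the Internet zone initiate sessions."""
    return sorted(p for p in aspf_pairs if p[0] == external)
```

Running `audit` against a parsed configuration is a quick way to confirm that no interzone instance has Untrust as its source zone, which is what keeps Internet-initiated requests denied.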