AR500, AR510, AR531, AR550, AR1500, and AR2500 V200R010 CLI-based Configuration Guide - Security
Example for Using an Advanced ACL to Configure the Firewall Function
Networking Requirements
As shown in Figure 4-19, an enterprise network running the Web, FTP, and Telnet services accesses an external network through GE1/0/0 and joins a VLAN through Eth2/0/0.
The enterprise network segment is 10.10.10.0/24, and the IP addresses of the Web server, FTP server, and Telnet server are 10.10.10.5/24, 10.10.10.6/24, and 10.10.10.7/24 respectively.
To ensure security, the Router provides the firewall function. Only specified users are allowed to access internal servers of the enterprise and only internal servers of the enterprise are allowed to access the external network.
Configuration Roadmap
The following configurations are performed on the Router. The configuration roadmap is as follows:
- Configure zones on the internal and external networks.
- Configure an interzone and enable the firewall function in the interzone.
- Configure advanced ACLs to restrict the rights to access the internal servers and external network.
- Configure ACL-based packet filtering in the interzone.
Procedure
- Configure zones.
# Configure a zone on the internal network.
<Huawei> system-view
[Huawei] sysname Router
[Router] firewall zone company
[Router-zone-company] priority 12
[Router-zone-company] quit
# Add interfaces to VLANs and assign IP addresses to the VLANIF interfaces. Add VLANIF 100 to the zone company.
[Router] vlan batch 100
[Router] interface ethernet 2/0/0
[Router-Ethernet2/0/0] port link-type access
[Router-Ethernet2/0/0] port default vlan 100
[Router-Ethernet2/0/0] quit
[Router] interface vlanif 100
[Router-Vlanif100] ip address 10.10.10.1 255.255.255.0
[Router-Vlanif100] zone company
[Router-Vlanif100] quit
# Configure a zone on the external network.
[Router] firewall zone external
[Router-zone-external] priority 5
[Router-zone-external] quit
# Add GigabitEthernet 1/0/0 to the zone external.
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] undo portswitch
[Router-GigabitEthernet1/0/0] ip address 10.39.10.8 255.255.255.0
[Router-GigabitEthernet1/0/0] zone external
[Router-GigabitEthernet1/0/0] quit
- Configure an interzone.
[Router] firewall interzone company external
[Router-interzone-company-external] firewall enable
[Router-interzone-company-external] quit
- Configure ACL 3001.
# Create ACL 3001.
[Router] acl 3001
# Configure a rule in ACL 3001 to allow specified users to access internal servers.
[Router-acl-adv-3001] rule permit tcp source 1.2.3.4 0.0.0.0 destination 10.10.10.5 0.0.0.0
[Router-acl-adv-3001] rule permit tcp source 1.2.3.4 0.0.0.0 destination 10.10.10.6 0.0.0.0
[Router-acl-adv-3001] rule permit tcp source 1.2.3.4 0.0.0.0 destination 10.10.10.7 0.0.0.0
# Configure a rule in ACL 3001 to prevent other users from accessing any host of the enterprise.
[Router-acl-adv-3001] rule deny ip
[Router-acl-adv-3001] quit
- Configure ACL 3002.
# Create ACL 3002.
[Router] acl 3002
# Configure a rule in ACL 3002 to allow internal servers to access the external network.
[Router-acl-adv-3002] rule permit ip source 10.10.10.5 0.0.0.0
[Router-acl-adv-3002] rule permit ip source 10.10.10.6 0.0.0.0
[Router-acl-adv-3002] rule permit ip source 10.10.10.7 0.0.0.0
# Configure a rule in ACL 3002 to prevent other users of the enterprise from accessing the external network.
[Router-acl-adv-3002] rule deny ip
[Router-acl-adv-3002] quit
- Configure ACL-based packet filtering in the interzone.
[Router] firewall interzone company external
[Router-interzone-company-external] packet-filter 3001 inbound
[Router-interzone-company-external] packet-filter 3002 outbound
[Router-interzone-company-external] quit
- Verify the configuration.
# After the configuration is complete, only the host at 1.2.3.4 can access internal servers and only internal servers can access the external network.
# Run the display firewall interzone [ zone-name1 zone-name2 ] command on the Router. The result is as follows:
[Router] display firewall interzone company external
 interzone company external
  firewall enable
  packet-filter default deny inbound
  packet-filter default permit outbound
  packet-filter 3001 inbound
  packet-filter 3002 outbound
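The two ACLs are evaluated top-down, and the wildcard mask 0.0.0.0 (written as 0 in the saved configuration) means an exact host match. The following Python evaluator is an added example, not part of the Huawei guide: it parses the page's own rules and applies them to constructed sample packets, which makes visible that ACL 3001 permits only TCP, so UDP or ICMP from 1.2.3.4 also falls through to `rule deny ip`.

```python
import ipaddress

# Wildcard mask in Huawei ACL syntax: a 0 bit must match and a 1 bit is ignored,
# so "0.0.0.0" (abbreviated to "0" in the saved config) means exactly one host.
def _addr(text):
    return int(ipaddress.IPv4Address(text if "." in text else int(text)))

def wildcard_match(addr, base, wildcard):
    care = 0xFFFFFFFF ^ _addr(wildcard)
    return (_addr(addr) & care) == (_addr(base) & care)

def parse_rule(line):
    """Parse 'rule [id] permit|deny <proto> [source A W] [destination A W]'."""
    tok = line.split()[1:]            # drop the leading "rule" keyword
    if tok[0].isdigit():              # optional rule ID, present in the saved config
        tok = tok[1:]
    rule = {"action": tok[0], "proto": tok[1], "source": None, "destination": None}
    i = 2
    while i < len(tok):
        if tok[i] in ("source", "destination"):
            rule[tok[i]] = (tok[i + 1], tok[i + 2])
            i += 3
        else:
            i += 1
    return rule

def evaluate(acl, packet):
    """First matching rule wins; returns 'permit', 'deny', or None if nothing matched."""
    for rule in acl:
        if rule["proto"] != "ip" and rule["proto"] != packet["proto"]:
            continue
        if rule["source"] and not wildcard_match(packet["src"], *rule["source"]):
            continue
        if rule["destination"] and not wildcard_match(packet["dst"], *rule["destination"]):
            continue
        return rule["action"]
    return None

# Rules as configured on the page: 3001 is applied inbound (external -> company),
# 3002 outbound (company -> external). Sample packets in the tests are constructed.
ACL_3001 = [parse_rule(r) for r in (
    "rule permit tcp source 1.2.3.4 0.0.0.0 destination 10.10.10.5 0.0.0.0",
    "rule permit tcp source 1.2.3.4 0.0.0.0 destination 10.10.10.6 0.0.0.0",
    "rule permit tcp source 1.2.3.4 0.0.0.0 destination 10.10.10.7 0.0.0.0",
    "rule deny ip")]
ACL_3002 = [parse_rule(r) for r in (
    "rule 5 permit ip source 10.10.10.5 0", "rule 10 permit ip source 10.10.10.6 0",
    "rule 15 permit ip source 10.10.10.7 0", "rule 20 deny ip")]
```

Calling `evaluate(ACL_3001, {"proto": "udp", "src": "1.2.3.4", "dst": "10.10.10.5"})` returns "deny", which is the check to run before assuming the permitted host can also ping the servers.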
Configuration Files
Configuration file of the Router
#
 sysname Router
#
vlan batch 100
#
acl number 3001
 rule 5 permit tcp source 1.2.3.4 0 destination 10.10.10.5 0
 rule 10 permit tcp source 1.2.3.4 0 destination 10.10.10.6 0
 rule 15 permit tcp source 1.2.3.4 0 destination 10.10.10.7 0
 rule 20 deny ip
acl number 3002
 rule 5 permit ip source 10.10.10.5 0
 rule 10 permit ip source 10.10.10.6 0
 rule 15 permit ip source 10.10.10.7 0
 rule 20 deny ip
#
interface Vlanif100
 ip address 10.10.10.1 255.255.255.0
 zone company
#
firewall zone company
 priority 12
#
firewall zone external
 priority 5
#
firewall interzone company external
 firewall enable
 packet-filter 3001 inbound
 packet-filter 3002 outbound
#
interface Ethernet2/0/0
 port link-type access
 port default vlan 100
#
interface GigabitEthernet1/0/0
 undo portswitch
 ip address 10.39.10.8 255.255.255.0
 zone external
#
return