CLI-based Configuration Guide - Security

AR500, AR510, AR531, AR550, AR1500, and AR2500 V200R010

This document provides the basic concepts, configuration procedures, and configuration examples in different application scenarios of the network management feature supported by the device.
Example for Configuring ASPF and Port Mapping

Networking Requirements

As shown in Figure 5-23, Eth2/0/0 of the Router is connected to a highly secure internal network, and GE3/0/0 is connected to an insecure external network. The Router must filter packets and perform ASPF checks on traffic between the internal and external networks. The following requirements must be met:
  • A host (10.39.2.3) on the external network is allowed to access the servers in the internal network.
  • Other hosts are not allowed to access servers on the internal network.
  • The Router checks the FTP status of the connections and filters out undesired packets.
  • The packets from the external host are sent to the FTP server through port 2121, which is used as the port of the FTP protocol.
Figure 5-23  Network diagram of ASPF and port mapping

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure zones and an interzone.

  2. Add interfaces to the zones.

  3. Configure ACLs.

  4. Configure ACL-based packet filtering in the interzone.

  5. Configure ASPF in the interzone.

  6. Map port 2121 to the FTP protocol.

Procedure

  1. Configure zones and an interzone on the Router.

    <Huawei> system-view
    [Huawei] firewall zone trust
    [Huawei-zone-trust] priority 14
    [Huawei-zone-trust] quit
    [Huawei] firewall zone untrust
    [Huawei-zone-untrust] priority 1
    [Huawei-zone-untrust] quit
    [Huawei] firewall interzone trust untrust
    [Huawei-interzone-trust-untrust] firewall enable
    [Huawei-interzone-trust-untrust] quit
    

  2. Add the interfaces of the Router to the zones.

    [Huawei] vlan 100 
    [Huawei-vlan100] quit
    [Huawei] interface vlanif 100 
    [Huawei-Vlanif100] ip address 10.38.1.1 24 
    [Huawei-Vlanif100] quit       
    [Huawei] interface ethernet 2/0/0
    [Huawei-Ethernet2/0/0] port link-type access  
    [Huawei-Ethernet2/0/0] port default vlan 100 
    [Huawei-Ethernet2/0/0] quit  
    [Huawei] interface vlanif 100 
    [Huawei-Vlanif100] zone trust
    [Huawei-Vlanif100] quit
    [Huawei] interface gigabitethernet 3/0/0
    [Huawei-GigabitEthernet3/0/0] undo portswitch
    [Huawei-GigabitEthernet3/0/0] ip address 10.39.2.1 24 
    [Huawei-GigabitEthernet3/0/0] zone untrust
    [Huawei-GigabitEthernet3/0/0] quit

  3. Configure ACLs on the Router.

    [Huawei] acl 2102
    [Huawei-acl-basic-2102] rule permit source 10.38.1.2 0.0.0.0
    [Huawei-acl-basic-2102] quit    
    [Huawei] acl 3102
    [Huawei-acl-adv-3102] rule permit tcp source 10.39.2.3 0.0.0.0 destination 10.38.1.2 0.0.0.0
    [Huawei-acl-adv-3102] rule permit tcp source 10.39.2.3 0.0.0.0 destination 10.38.1.3 0.0.0.0
    [Huawei-acl-adv-3102] rule permit tcp source 10.39.2.3 0.0.0.0 destination 10.38.1.4 0.0.0.0
    [Huawei-acl-adv-3102] rule deny ip
    [Huawei-acl-adv-3102] quit
    

  4. Configure packet filtering on the Router.

    [Huawei] firewall interzone trust untrust
    [Huawei-interzone-trust-untrust] packet-filter 3102 inbound
    

  5. Configure ASPF on the Router.

    [Huawei-interzone-trust-untrust] detect aspf ftp
    [Huawei-interzone-trust-untrust] quit
    

  6. Configure port mapping on the Router.

    [Huawei] port-mapping ftp port 2121 acl 2102

  7. Verify the configuration.

    Run the display firewall interzone zone-name1 zone-name2 command on the Router. The command output is as follows:

    [Huawei] display firewall interzone trust untrust 
    interzone trust untrust                                                         
     firewall enable                                                                
     packet-filter default deny inbound                                             
     packet-filter default permit outbound                                          
     packet-filter 3102 inbound                                                     
     detect aspf ftp                                                                 
    

    Run the display port-mapping ftp command on the Router. The command output is as follows:

    [Huawei] display port-mapping ftp
       -------------------------------------------------
      Service    Port       Acl        Type    
     -------------------------------------------------
      ftp          21                  system defined
      ftp        2121      2102        user   defined
     -------------------------------------------------
     Total number is : 2
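
To make the interaction of the three mechanisms concrete, the following Python model is an added illustration (not Huawei code and not part of this guide) of the inbound untrust-to-trust decision in this example: ACL 3102 wildcard matching with first-match semantics, the port-2121 mapping that applies only to servers covered by ACL 2102, and the ASPF FTP inspection that derives the data channel from a PASV reply. It assumes that the basic ACL referenced by port-mapping is compared with the packet's destination (server) address, as the example's addresses imply, and the FTP reply used to exercise it is a constructed sample.

```python
import ipaddress
import re

# Added illustration (not Huawei code): how acl 3102, port mapping and ASPF FTP
# inspection combine for inbound (untrust -> trust) traffic in this example.

def wildcard_match(addr, rule_addr, wildcard):
    """Huawei ACL wildcard: a 1 bit means 'don't care'; 0.0.0.0 is an exact match."""
    a, r, w = (int(ipaddress.IPv4Address(x)) for x in (addr, rule_addr, wildcard))
    return (a | w) == (r | w)

# acl 3102 as applied with "packet-filter 3102 inbound"; the first matching rule wins.
ACL_3102 = [
    ("permit", "tcp", "10.39.2.3", "0.0.0.0", "10.38.1.2", "0.0.0.0"),
    ("permit", "tcp", "10.39.2.3", "0.0.0.0", "10.38.1.3", "0.0.0.0"),
    ("permit", "tcp", "10.39.2.3", "0.0.0.0", "10.38.1.4", "0.0.0.0"),
    ("deny", "ip", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255"),
]
# acl 2102, referenced by "port-mapping ftp port 2121 acl 2102". Assumption: its
# source field is compared with the packet's destination (server) address, which
# is what the example's addresses imply (10.38.1.2 is the FTP server).
ACL_2102 = [("permit", "10.38.1.2", "0.0.0.0")]
FTP_PORTS = {21: None, 2121: ACL_2102}  # system-defined 21, user-defined 2121

def acl_3102_action(proto, src, dst):
    for action, rproto, rsrc, rsw, rdst, rdw in ACL_3102:
        if rproto in ("ip", proto) and wildcard_match(src, rsrc, rsw) \
                and wildcard_match(dst, rdst, rdw):
            return action
    return "deny"  # interzone default: "packet-filter default deny inbound"

def is_ftp_control(server_ip, dport):
    """Whether ASPF inspects this flow as FTP: 21 always, 2121 only for servers in acl 2102."""
    if dport not in FTP_PORTS:
        return False
    acl = FTP_PORTS[dport]
    return acl is None or any(a == "permit" and wildcard_match(server_ip, s, w)
                              for a, s, w in acl)

PASV_RE = re.compile(r"227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def aspf_data_channel(client_ip, server_ip, dport, server_reply):
    """ASPF reads the control channel; a PASV reply yields the (client, host, port) data connection it then tracks."""
    if not is_ftp_control(server_ip, dport):
        return None
    m = PASV_RE.search(server_reply)
    if not m:
        return None
    host = ".".join(m.group(i) for i in range(1, 5))
    return (client_ip, host, int(m.group(5)) * 256 + int(m.group(6)))
```

Note that a flow to 10.38.1.3 on port 2121 is still permitted by ACL 3102 but is not inspected as FTP, because ACL 2102 covers only 10.38.1.2; that is the practical effect of binding the port mapping to an ACL.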

Configuration Files

Configuration file of the Router

#                                                                               
vlan batch 100
#                                                                               
acl number 2102                                                                 
 rule 5 permit source 10.38.1.2 0                                                        
#                                                                               
acl number 3102                                                                 
 rule 5 permit tcp source 10.39.2.3 0 destination 10.38.1.2 0                 
 rule 10 permit tcp source 10.39.2.3 0 destination 10.38.1.3 0                
 rule 15 permit tcp source 10.39.2.3 0 destination 10.38.1.4 0                
 rule 20 deny ip                                                                
#                                                                           
port-mapping ftp port 2121 acl 2102                                             
#                                                                       
interface Vlanif100                                                             
 ip address 10.38.1.1 255.255.255.0
 zone trust                                            
# 
firewall zone trust                                                             
 priority 14                                                                    
#                                                                               
firewall zone untrust                                                           
 priority 1                                                                     
#                                                                               
firewall interzone trust untrust                                                
 firewall enable                                                                
 packet-filter 3102 inbound 
 detect aspf ftp                                                     
#                                                                               
interface Ethernet2/0/0
 port link-type access                                                          
 port default vlan 100                                                          
#             
interface GigabitEthernet3/0/0
 undo portswitch
 ip address 10.39.2.1 255.255.255.0   
 zone untrust  
# 
return 
Updated: 2019-05-20

Document ID: EDOC1100034236