Thursday, October 11, 2012

@hp #msr #firewall config example


[MSR_3020]dis cur
# Running configuration of an HP/H3C MSR 3020 captured with "dis cur"
# (display current-configuration). Comware treats lines beginning with
# "#" as comments / view separators, so the annotations below are inert.
#
 version 5.20, Release 2105P02, Standard
#
 sysname MSR_3020
#
# Timezone offset only; no NTP authentication is configured anywhere in this dump.
 clock timezone cst minus 06:00:00
#
# L2TP server role is enabled; tunnel settings are under "l2tp-group 1" below.
 l2tp enable
#
# IKE identity name used for aggressive-mode negotiation with "ike peer remote".
 ike local-name h3c
#
# Packet filtering is on. "default deny" means traffic that is not matched by
# a permit rule of an applied packet-filter ACL is dropped.
 firewall enable
 firewall default deny
#
 domain default enable system
#
 dns resolve
 dns server 150.199.1.10
#
# NOTE(review): Telnet is a cleartext management protocol. Access to the VTY
# lines is limited by ACL 3000 ("acl 3000 inbound" under user-interface vty 0 4).
 telnet server enable
#
# Blacklist used by the scan defense below ("defense scan add-to-blacklist").
 blacklist enable
#
# Basic ACL 2000: LAN subnet eligible for NAT; referenced by
# "nat outbound 2000" on GigabitEthernet0/1.
acl number 2000
 description NAT ACL
 rule 0 permit source 192.168.1.0 0.0.0.255
# Basic ACL 2001: LAN plus two external /24s, everything else denied.
# NOTE(review): nothing in this configuration references ACL 2001 (no
# interface, service or user-interface applies it) — confirm it is still needed.
acl number 2001
 description HTTP ACL
 rule 0 permit source 192.168.1.0 0.0.0.255
 rule 1 permit source 151.104.104.0 0.0.0.255
 rule 2 permit source 139.87.8.0 0.0.0.255
 rule 5 deny
#
# Advanced ACL 3000: source filter for management (VTY) sessions —
# the LAN and 151.104.104.0/24 only.
acl number 3000
 description TELNET_ACCESS_CONTROL
 rule 0 permit ip source 192.168.1.0 0.0.0.255
 rule 5 permit ip source 151.104.104.0 0.0.0.255
 rule 10 deny ip
 rule 10 comment DENY ALL OTHER INPUT OTHER THAN LOCAL LAN AND 3COM
# Advanced ACL 3200 "Wan_Inbound": applied inbound on GigabitEthernet0/1.
# Permits ICMP, L2TP (UDP 1701), IPsec NAT-T (UDP 4500), PPTP control
# (TCP 1723), IKE (UDP 500), GRE, ESP (protocol 50), AH (protocol 51) and
# DHCP (UDP source ports 67/68), then denies remaining UDP and TCP.
# Any other IP protocol is not matched here and falls through to the
# "firewall default deny" action above.
acl number 3200 name Wan_Inbound
 description WAN_INBOUND_FILTER
 rule 0 permit icmp
 rule 5 permit udp destination-port eq 1701
 rule 10 permit udp destination-port eq 4500
 rule 15 permit tcp destination-port eq 1723
 rule 25 permit udp destination-port eq 500
# NOTE(review): rule 35 permits any UDP datagram whose source port is 1023,
# regardless of destination port; the intent is not evident from this
# configuration — confirm whether it is still required.
 rule 35 permit udp source-port eq 1023
 rule 40 permit gre
 rule 45 permit 50
 rule 50 permit 51
 rule 55 permit udp source-port eq 67
 rule 60 permit udp source-port eq 68
 rule 65 deny udp
 rule 70 deny tcp
#
vlan 1
#
# AAA domain for PPP/L2TP users: local authentication; pool 1 is the
# address range handed to dial-in clients ("remote address pool 1" on
# Virtual-Template0).
domain system
 authentication ppp local
 access-limit disable
 state active
 idle-cut disable
 self-service-url disable
 ip pool 1 10.10.10.5 10.10.10.10
#
# IKE peer for the IPsec policy applied on the WAN interface.
# NOTE(review): "pre-shared-key simple" stores the key in cleartext; it is
# reproduced verbatim in this dump and should be treated as exposed.
ike peer remote
 exchange-mode aggressive
 pre-shared-key simple sprigmaster
 id-type name
 remote-name remote
#
# Proposal left at defaults (no transform/algorithm lines shown here).
ipsec proposal remote
#
ipsec policy remote 1 isakmp
 ike-peer remote
 proposal remote
#
# DHCP pool for the LAN; gateway is this router's GigabitEthernet0/0 address.
dhcp server ip-pool cable
 network 192.168.1.0 mask 255.255.255.0
 gateway-list 192.168.1.254
 dns-list 150.199.1.10
#
# ASPF stateful inspection for these protocols; applied outbound on
# GigabitEthernet0/1 ("firewall aspf 1 outbound").
aspf-policy 1
 detect RTSP
 detect SMTP
 detect FTP
 detect TCP
 detect UDP
#
user-group system
#
# Local PPP accounts (service-type ppp, privilege level 1).
# NOTE(review): "password simple" stores both passwords in cleartext;
# they are visible in this dump.
local-user 3Com
 password simple 3com3com123
 authorization-attribute level 1
 service-type ppp
local-user test
 password simple test
 authorization-attribute level 1
 service-type ppp

#
# Attack-defense policy bound to the WAN interface
# ("attack-defense apply policy 86" under GigabitEthernet0/1):
# signature detection drops matching packets; scan detection blacklists
# the source; SYN/UDP/ICMP flood defenses drop packets.
attack-defense policy 86 interface GigabitEthernet0/1
 signature-detect action drop-packet
 signature-detect fraggle enable
 signature-detect land enable
 signature-detect winnuke enable
 signature-detect tcp-flag enable
 signature-detect icmp-unreachable enable
 signature-detect icmp-redirect enable
 signature-detect tracert enable
 signature-detect smurf enable
 signature-detect source-route enable
 signature-detect route-record enable
 signature-detect large-icmp enable
 defense scan enable
  defense scan add-to-blacklist
 defense syn-flood enable
  defense syn-flood action drop-packet
 defense udp-flood enable
  defense udp-flood action drop-packet
 defense icmp-flood enable
  defense icmp-flood action drop-packet
#
# L2TP group: CHAP is mandatory for users, but tunnel-level authentication
# is disabled ("undo tunnel authentication"); sessions land on
# Virtual-Template0.
l2tp-group 1
 mandatory-chap
 undo tunnel authentication
 allow l2tp virtual-template 0
 tunnel name remote
#
interface Aux0
 async mode flow
 link-protocol ppp
#
interface Cellular0/0
 async mode protocol
 link-protocol ppp
#
interface Serial3/0
 link-protocol ppp
#
# Template for L2TP/PPP sessions: CHAP against domain "system",
# client addresses from pool 1.
interface Virtual-Template0
 ppp authentication-mode chap domain system
 remote address pool 1
 ip address 10.10.10.254 255.255.255.0
#
interface NULL0
#
# LAN side; no packet filter is applied on this interface.
interface GigabitEthernet0/0
 port link-mode route
 description LAN-INTERFACE
 ip address 192.168.1.254 255.255.255.0
#
# WAN side: inbound filter Wan_Inbound, outbound ASPF, NAT for ACL 2000,
# address via DHCP, IPsec policy "remote", attack-defense policy 86.
interface GigabitEthernet0/1
 port link-mode route
 description WAN-INTERFACE
 firewall packet-filter name Wan_Inbound inbound
 firewall aspf 1 outbound
 nat outbound 2000
 ip address dhcp-alloc
 ipsec policy remote
 attack-defense apply policy 86
#
# IMC link-topology probe (ICMP echo to 192.168.1.253 every 270000 ms);
# scheduled below with a long lifetime.
nqa entry imclinktopologypleaseignore ping
 type icmp-echo
  destination ip 192.168.1.253
  frequency 270000
#
# NOTE(review): SNMP community strings are cleartext in this dump; "hphp123"
# grants write access, and the trap target uses securityname "public".
# No ACL is attached to the communities here, so only the interface
# packet filter limits where SNMP requests may come from.
 snmp-agent
 snmp-agent local-engineid 8000002B03001EC16FF729
 snmp-agent community read hphp
 snmp-agent community write hphp123
 snmp-agent sys-info contact Network Admin
 snmp-agent sys-info location 3Com Lab
 snmp-agent sys-info version all
 snmp-agent target-host trap address udp-domain 192.168.1.115 params securityname public
 undo snmp-agent trap enable voice dial
#
 dhcp enable
#
 nqa schedule imclinktopologypleaseignore ping start-time now lifetime 630720000
 nqa server enable
#
 ntp-service unicast-server 132.163.4.101
#              
 load xml-configuration
#
 load tr069-configuration
#
# VTY lines (Telnet): source restricted by ACL 3000; login via AAA scheme.
# NOTE(review): the only local users above are service-type ppp, so confirm
# which account (or external server) is expected to satisfy scheme
# authentication on these lines.
user-interface con 0
user-interface tty 13
user-interface aux 0
user-interface vty 0 4
 acl 3000 inbound
 authentication-mode scheme
#
return
[MSR_3020]

3 comments:

  1. Hi Jeff,
    how can I configure it for IPsec Passthrough? (MSR935 as PAT router)
    Thank you very much.

  2. This comment has been removed by the author.
