Re: Security zone configuration

 
Sabian
Occasional Advisor

Security zone configuration

Hi,

I have an HPE MSR 954 JH296A and I did a firmware upgrade to CMW710-R0707P12. The issue is that I want to learn how to configure the security zone and to add an interface to the security zone DMZ. Because the Configuration Guide is older, the names of the interfaces are different. I have only VLAN1 and the interfaces are untagged.

I followed the guide and after importing interface GE0/1 I received the message: please specify a VLAN list for the layer 2 interface. What do I have to do? Add a VLAN to GE0/1?

Thank you!

akg7
HPE Pro

Re: Security zone configuration

Hello,

Can you please share the software version and config which you are configuring?

Thanks!

Note: While I am an HPE Employee, all of my comments (whether noted or not), are my own and are not any official representation of the company.
Sabian
Occasional Advisor

Re: Security zone configuration

Hi,

MSR954 – JH296A, S/N: CN7BHB106P, Firmware 7.10.R0809P27

Sabian
Occasional Advisor

Re: Security zone configuration

#
version 7.1.064, Release 0809P27
#
sysname HPE
#
clock timezone Bucharest add 02:00:00
clock protocol none
#
dialer-group 1 rule ip permit
dialer-group 2 rule ip permit
#
dhcp enable
dhcp server always-broadcast
#
dns proxy enable
#
password-recovery enable
#
vlan 1
#
vlan 10
#
vlan 20
#
dhcp server ip-pool lan1
gateway-list 192.168.0.1
network 192.168.0.0 mask 255.255.254.0
address range 192.168.1.100 192.168.1.200
dns-list 193.231.252.1 213.154.124.1
#
controller Cellular0/0
description Multiple_Line_Other
serial-set 0
#
controller Cellular0/1
#
interface Dialer0
bandwidth 1000000
ppp chap password cipher $c$3$oR4YtxoF7TjdoJhYO/yk64QBY/beUMCsxleuy5I=
ppp chap user CRPBB253005505
ppp ipcp dns admit-any
ppp ipcp dns request
ppp pap local-user CRPBB253005505 password cipher $c$3$dOnRFmZ2zaFLn4n8xJO8MFzOnl2NN7azhNHbubo=
dialer bundle enable
dialer-group 2
dialer timer idle 0
dialer timer autodial 5
ip address ppp-negotiate
qos car inbound any cir 1000000 cbs 62500000 ebs 0 green pass red discard yellow pass
qos car outbound any cir 1000000 cbs 62500000 ebs 0 green pass red discard yellow pass
nat outbound
nat server protocol tcp global current-interface 80 inside 192.168.1.2 80
nat server protocol tcp global current-interface 9988 inside 192.168.1.2 9988
nat server protocol udp global current-interface 9989 inside 192.168.1.2 9989
nat server protocol udp global current-interface 10001 inside 192.168.1.2 10001
nat static enable
#
interface Serial0/0:0
shutdown
ppp ipcp dns admit-any
ppp ipcp dns request
dialer circular enable
dialer-group 1
dialer timer autodial 5
dialer number *99# autodial
ip address ppp-negotiate
qos car inbound any cir 100000 cbs 6250000 ebs 0 green pass red discard yellow pass
qos car outbound any cir 100000 cbs 6250000 ebs 0 green pass red discard yellow pass
nat outbound
nat static enable
#
interface NULL0
#
interface Vlan-interface1
ip address 192.168.0.1 255.255.254.0
tcp mss 1280
#
interface Vlan-interface10
ip address 192.168.10.1 255.255.255.0
#
interface Vlan-interface20
#
interface GigabitEthernet0/0
port link-mode route
description Multiple_Line
pppoe-client dial-bundle-number 0
#
interface GigabitEthernet0/5
port link-mode route
shutdown
nat static enable
#
interface GigabitEthernet0/1
port link-mode bridge
port access vlan 10
#
interface GigabitEthernet0/2
port link-mode bridge
#
interface GigabitEthernet0/3
port link-mode bridge
#
interface GigabitEthernet0/4
port link-mode bridge
port access vlan 20
#
security-zone name Local
#
security-zone name Trust
#
security-zone name DMZ
import interface Vlan-interface10
#
security-zone name Untrust
#
security-zone name Management
#
scheduler logfile size 16
#
line class console
user-role network-admin
#
line class tty
user-role network-operator
#
line class vty
user-role network-operator
#
line con 0
user-role network-admin
#
line tty 1
user-role network-operator
modem enable both
#
line vty 0 63
authentication-mode scheme
user-role network-operator
#
ip route-static 0.0.0.0 0 Serial0/0:0
ip route-static 0.0.0.0 0 Dialer0
#
password-control enable
undo password-control aging enable
undo password-control history enable
password-control length 6
password-control login-attempt 3 exceed lock-time 10
password-control update-interval 0
password-control login idle-time 0
#
domain system
#
domain default enable system
#
role name level-0
description Predefined level-0 role
#
role name level-1
description Predefined level-1 role
#
role name level-2
description Predefined level-2 role
#
role name level-3
description Predefined level-3 role
#
role name level-4
description Predefined level-4 role
#
role name level-5
description Predefined level-5 role
#
role name level-6
description Predefined level-6 role
#
role name level-7
description Predefined level-7 role
#
role name level-8
description Predefined level-8 role
#
role name level-9
description Predefined level-9 role
#
role name level-10
description Predefined level-10 role
#
role name level-11
description Predefined level-11 role
#
role name level-12
description Predefined level-12 role
#
role name level-13
description Predefined level-13 role
#
role name level-14
description Predefined level-14 role
#
user-group system
#
local-user admin class manage
service-type telnet http
authorization-attribute user-role network-admin
#
cwmp
cwmp enable
#
ip http enable
#
ips signature auto-update-url https://tmc.tippingpoint.com/TMC/msrIPSDVInfo
#
return

akg7
HPE Pro

Re: Security zone configuration

Hello,

Are you getting the message when you are importing interface gi0/1 into 'security-zone name DMZ'?

Can you try to make interface gi0/1 a route port and import it into the zone?

Adding HPE FlexNetwork MSR Router Series configuration file link for your reference:

https://support.hpe.com/hpesc/public/docDisplay?docId=a00101876en_us

Thanks!

Note: While I am an HPE Employee, all of my comments (whether noted or not), are my own and are not any official representation of the company.
Sabian
Occasional Advisor

Re: Security zone configuration

Hi,

In the Web Manager, Edit Security Zone DMZ I have in the list of available interfaces only GE0/0, GE0/5 and all VLANs.

I am a beginner and I try to understand the way the HPE router works. In a cheap router I solved this server issue by introducing the IP of the server into the DMZ zone. On the HPE router I need to do some pair links based on traffic, and the DMZ zone is isolated logically and physically. My server uses 2 ports on TCP (80 and 9988) and UDP (10001 and 9989).

Please give me a recommendation about how to do it on this router.

Best regards,

Sabian

Sabian
Occasional Advisor

Re: Security zone configuration

Hi,

I partially solved this, in case you have one server, with this port forwarding mechanism:

  •   nat outbound
  •   nat server protocol tcp global current-interface 80 inside 192.168.1.2 80
  •   nat server protocol tcp global current-interface 9988 inside 192.168.1.2 9988
  •   nat server protocol udp global current-interface 9989 inside 192.168.1.2 9989
  •   nat server protocol udp global current-interface 10001 inside 192.168.1.2 10001
  •   nat static enable

I did this after I set up a new VLAN for this server, but on the VLAN the internet access is affected.
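The posted configuration forwards the four ports to 192.168.1.2, which lies in Vlan-interface1's 192.168.0.0/23 subnet, while the DMZ zone only contains Vlan-interface10 (192.168.10.0/24), so the published host is not in the DMZ at all. The following Python audit helper is an added example, my own code rather than an HPE tool, that parses a constructed excerpt of the thread's config and reports nat server targets whose subnet belongs to an interface outside the DMZ zone:

```python
import ipaddress
import re
# Constructed excerpt of the config posted in this thread (not verbatim router
# output); the helpers below are my own, not an HPE tool.
CONFIG = """\
interface Dialer0
 ip address ppp-negotiate
 nat server protocol tcp global current-interface 80 inside 192.168.1.2 80
 nat server protocol tcp global current-interface 9988 inside 192.168.1.2 9988
 nat server protocol udp global current-interface 10001 inside 192.168.1.2 10001
#
interface Vlan-interface1
 ip address 192.168.0.1 255.255.254.0
#
interface Vlan-interface10
 ip address 192.168.10.1 255.255.255.0
#
security-zone name DMZ
 import interface Vlan-interface10
#
"""
NAT_RE = re.compile(r"nat server protocol (\w+) global \S+ (\d+) inside (\S+) (\d+)")

def parse(config):
    """Return (subnet per interface, members per zone, nat server rules)."""
    subnets, zones, servers, section = {}, {}, [], None
    for raw in config.splitlines():
        line, parts = raw.strip(), raw.split()
        if line == "#":                       # Comware section terminator
            section = None
        elif line.startswith(("interface ", "security-zone name ")):
            section = parts[-1]               # e.g. Vlan-interface10 or DMZ
        elif line.startswith("ip address ") and len(parts) == 4 and section:
            subnets[section] = ipaddress.ip_network(f"{parts[2]}/{parts[3]}", strict=False)
        elif line.startswith("import interface ") and section:
            zones.setdefault(section, set()).add(parts[-1])
        elif m := NAT_RE.match(line):
            servers.append((m[1], int(m[2]), m[3], int(m[4])))
    return subnets, zones, servers

def exposed_outside_zone(config, zone="DMZ"):
    """nat server targets whose inside host sits on an interface NOT in `zone`."""
    subnets, zones, servers = parse(config)
    members, findings = zones.get(zone, set()), []
    for proto, gport, inside_ip, iport in servers:
        host = ipaddress.ip_address(inside_ip)
        owner = next((i for i, n in subnets.items() if host in n), None)
        if owner not in members:              # published host is outside the zone
            findings.append((proto, gport, inside_ip, iport, owner))
    return findings
```

Running `exposed_outside_zone(CONFIG)` lists all three forwarded services with owner `Vlan-interface1`; moving the server into the 192.168.10.0/24 subnet (and pointing the nat server rules at it) empties the list.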

Sabian
Occasional Advisor

Re: Security zone configuration

Hello,

Case closed! The MSR954 is not on the hardware compatibility list for security zones and objects! This is the correct answer! But I learned a lot trying to work with security zones! So now I will search for another way to do a DMZ for servers.

Best regards,

Sabian