7203 Router Firewall Config

 
Umber Naut
Occasional Contributor

Does anyone know about configuring a firewall on a Procurve 7203 router? Specifically, does each IP Interface need a policy? I've gone through chapter 6 in the manual on firewall configuration thoroughly, but each time I lose all routing it seems even though I've done the proper "deny" statements so that private routes will continue. Any help is appreciated.
Umber Naut
Occasional Contributor

Re: 7203 Router Firewall Config

I have been using both the CLI and web interface to try and configure the firewall for NAT. The 7203 is handling traffic on 2 physical ethernet interfaces and has t1s connected via a t1/e1 card. It uses OSPF and has static routes as well.

My goal is to NAT from our private network on 192.168.1.0/24 to a SOHO device for our billing that is on a different private network of 10.140.146.0/24, provided by our billing vendor. This SOHO device then connects to their public servers securely.

So traffic leaving my users' PCs from 192.168.1.0/24 needs to go through the 7203 and come out with a NATed 10.140.146.0/24 IP address, or the SOHO device they provided will reject it.

My branch offices are all good and up, until I enable the firewall on the config below, and then I lose connectivity to them.

Here is the running config showing my last attempt that failed -- lost connectivity to branch offices. The only difference between this config and my working startup-config is the 10.140.146 entries on eth 0/1 and static routes and of course the firewall settings.

In my thinking (which may be waaay off), I gave eth 0/1 an IP of 10.140.146.5, and then static routes for the 3 public IPs to go to 10.140.146.2 -- the SOHO device. If I set up NAT and the firewall correctly, it should route traffic from 192.168.1.0/24 to eth 0/1 and come out with a 10.140.146.6 IP so that the SOHO device will accept it, but as I stated, I'm losing branch offices first before I can see whether the NAT is working:

hostname "MainSR"
enable password encrypted
!
clock timezone -5-Pacific-Time
!
ip subnet-zero
ip classless
ip routing
ip multicast-routing
!
no event-history
no logging forwarding
no logging console
logging forwarding priority-level info
logging forwarding receiver-ip 192.168.1.250
no logging email
logging email priority-level info
logging email sender EVTMGR
!
service password-encryption
!
ip forward-protocol udp bootps
!
!
ip firewall
ip firewall stealth
no ip firewall alg msn
no ip firewall alg h323
!
!
!
!
!
!
no autosynch-mode
no safe-mode
!
!
!
!
!
!
!
!
!
!
!
!
interface loop 1
ip address 192.168.250.10 255.255.255.0
no shutdown
!
interface eth 0/1
ip address 192.168.1.5 255.255.255.0
ip address 10.140.146.5 255.255.255.0 secondary
ip address 192.168.2.5 255.255.255.0 secondary
ip address 192.168.3.5 255.255.255.0 secondary
ip address 192.168.4.5 255.255.255.0 secondary
ip pim sparse-mode
access-policy soho-sz
! Access-policy will not be used until IP firewall is enabled
no shutdown
!
!
interface eth 0/2
encapsulation 802.1q
no shutdown
!
interface eth 0/2.1
vlan-id 4
no shutdown
ip address 10.99.0.1 255.255.255.0
ip address 10.99.5.1 255.255.255.0 secondary
ip helper-address 10.99.0.2

!
!
!
interface t1 3/1
description Branch1
tdm-group 1 timeslots 3-24 speed 64
no shutdown
!
interface t1 3/2
description Branch2
tdm-group 1 timeslots 3-24 speed 64
no shutdown
!
interface t1 3/3
description Branch3
tdm-group 1 timeslots 3-23 speed 64
no shutdown
!
interface t1 3/4
description Branch4
tdm-group 1 timeslots 4-24 speed 64
no shutdown
!
interface t1 3/5
description Branch5
tdm-group 1 timeslots 1-24 speed 64
no shutdown
!
interface t1 3/6
shutdown
!
interface t1 3/7
shutdown
!
interface t1 3/8
shutdown
!
interface ppp 1
description Branch1
ip address 192.168.6.2 255.255.255.0
ip pim sparse-mode
no shutdown
bind 1 t1 3/1 1 ppp 1
!
interface ppp 2
description Branch2
ip address 192.168.8.2 255.255.255.0
ip pim sparse-mode
no shutdown
bind 2 t1 3/2 1 ppp 2
!
interface ppp 3
description Branch3
ip address 192.168.10.2 255.255.255.0
ip pim sparse-mode
no shutdown
bind 3 t1 3/3 1 ppp 3
!
interface ppp 4
description Branch4
ip address 192.168.12.2 255.255.255.0
ip pim sparse-mode
no shutdown
bind 4 t1 3/4 1 ppp 4
!
interface ppp 5
description Branch5
ip address 192.168.14.2 255.255.255.0
ip pim sparse-mode
no shutdown
bind 5 t1 3/5 1 ppp 5
!
!
!
!
router ospf
network 192.168.1.0 0.0.0.255 area 0
network 192.168.6.0 0.0.0.255 area 1
network 192.168.8.0 0.0.0.255 area 2
network 192.168.10.0 0.0.0.255 area 3
network 192.168.12.0 0.0.0.255 area 4
network 10.99.0.0 0.0.0.255 area 0
network 10.99.3.0 0.0.0.255 area 3
network 10.99.2.0 0.0.0.255 area 2
network 10.99.1.0 0.0.0.255 area 1
network 10.99.4.0 0.0.0.255 area 4
network 10.99.5.0 0.0.0.255 area 0
network 192.168.4.0 0.0.0.255 area 0
network 10.99.6.0 0.0.0.255 area 5
network 192.168.14.0 0.0.0.255 area 5
area 0 range 192.168.1.0 255.255.255.0 advertise
area 1 stub
area 1 range 192.168.6.0 255.255.255.0 advertise
area 1 range 192.168.7.0 255.255.255.0 advertise
area 2 stub
area 2 range 192.168.8.0 255.255.255.0 advertise
area 2 range 192.168.9.0 255.255.255.0 advertise
area 3 stub
area 3 range 192.168.10.0 255.255.255.0 advertise
area 3 range 192.168.11.0 255.255.255.0 advertise
area 4 stub
area 4 range 192.168.12.0 255.255.255.0 advertise
area 4 range 192.168.13.0 255.255.255.0 advertise
area 5 stub
area 5 range 192.168.14.0 255.255.255.0 advertise
area 5 range 192.168.15.0 255.255.255.0 advertise
!
!
router pim-sparse
rp-address 192.168.1.5
!
!
ip access-list extended web-acl-1
remark soho-szp
deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
deny ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255 log
deny ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255 log
deny ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255 log
deny ip 192.168.1.0 0.0.0.255 192.168.6.0 0.0.0.255 log
deny ip 192.168.1.0 0.0.0.255 192.168.7.0 0.0.0.255 log
deny ip 192.168.1.0 0.0.0.255 192.168.8.0 0.0.0.255 log
deny ip 192.168.1.0 0.0.0.255 192.168.9.0 0.0.0.255 log
deny ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255 log
deny ip 192.168.1.0 0.0.0.255 192.168.11.0 0.0.0.255 log
deny ip 192.168.1.0 0.0.0.255 192.168.12.0 0.0.0.255 log
deny ip 192.168.1.0 0.0.0.255 192.168.13.0 0.0.0.255 log
deny ip 192.168.1.0 0.0.0.255 192.168.14.0 0.0.0.255 log
deny ip 192.168.1.0 0.0.0.255 192.168.15.0 0.0.0.255 log
deny ip 192.168.1.0 0.0.0.255 192.168.16.0 0.0.0.255 log
deny ip 192.168.1.0 0.0.0.255 192.168.17.0 0.0.0.255 log
permit ip any host 10.140.146.2 log
!
ip policy-class soho-sz
nat source list web-acl-1 address 10.140.146.6 overload
!
!
!
ip route 0.0.0.0 0.0.0.0 192.168.1.1
ip route 34.79.244.5 255.255.255.255 10.140.146.2
ip route 166.122.158.16 255.255.255.255 10.140.146.2
ip route 192.168.2.0 255.255.255.0 192.168.2.5
ip route 192.168.4.0 255.255.255.0 192.168.4.5
ip route 192.168.5.0 255.255.255.0 192.168.1.199
ip route 206.148.93.0 255.255.255.0 10.140.146.2
!
no ip tftp server
no ip tftp server overwrite
ip http server
ip http secure-server
ip snmp agent
no ip ftp server
ip ftp server default-filesystem flash
no ip scp server
no ip sntp server
!
!
!
!
snmp-server community public RW
snmp-server host 192.168.1.34 traps version 1 public
!
!
!
ip sip
ip sip proxy
!
!
!
line con 0
login
password encrypted
!
line telnet 0 4
login local-userlist
password encrypted
no shutdown
line ssh 0 4
login local-userlist
no shutdown
!
sntp server 192.168.1.241 version 3
!
end
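An added example, not from the post and not HP or ADTRAN code: a small Python model of how the posted "web-acl-1" / "soho-sz" pair classifies sample flows from a 192.168.1.0/24 PC, under the assumption that a policy-class is evaluated top to bottom, that a nat or allow entry claims a flow only when its ACL permits it (an ACL deny merely skips that entry), and that a flow no entry claims hits an implicit discard. The "private-acl" list and the SOHO_SZ_WITH_ALLOW policy are hypothetical, added only to show the contrast; the model says nothing about interfaces that carry no access-policy at all.

```python
from ipaddress import ip_address, ip_network

# Constructed transcription of the posted "web-acl-1": deny 192.168.1.0/24 -> 192.168.2-17.0/24,
# then permit any -> host 10.140.146.2. Entries are (action, source net, destination net).
ANY = ip_network("0.0.0.0/0")
LAN = ip_network("192.168.1.0/24")
ACLS = {
    "web-acl-1": [("deny", LAN, ip_network(f"192.168.{n}.0/24")) for n in range(2, 18)]
                 + [("permit", ANY, ip_network("10.140.146.2/32"))],
    # Hypothetical ACL (not in the post), used only to show what an allow entry changes.
    "private-acl": [("permit", LAN, ip_network("192.168.0.0/16")),
                    ("permit", LAN, ip_network("10.99.0.0/16"))],
}

# Policy-class entries as (entry type, ACL it references, NAT address or None).
SOHO_SZ_AS_POSTED = [("nat", "web-acl-1", "10.140.146.6")]          # the posted policy-class
SOHO_SZ_WITH_ALLOW = [("allow", "private-acl", None)] + SOHO_SZ_AS_POSTED  # hypothetical variant

def acl_lookup(acl, src, dst):
    """First-match ACL lookup: 'permit', 'deny', or None when no entry matches."""
    for action, s_net, d_net in acl:
        if src in s_net and dst in d_net:
            return action
    return None

def evaluate(policy, src, dst):
    """Assumed policy-class semantics (a model, not vendor code): entries are tried in
    order; an entry applies only if its ACL permits the flow, an ACL deny just skips
    that entry, and a flow claimed by no entry is discarded."""
    src, dst = ip_address(src), ip_address(dst)
    for kind, acl_name, nat_addr in policy:
        if acl_lookup(ACLS[acl_name], src, dst) == "permit":
            return f"nat -> {nat_addr}" if kind == "nat" else kind
    return "discard (implicit)"

# Constructed sample destinations: the SOHO box, a Branch1 host, a host on the
# eth 0/2.1 VLAN, and one of the public IPs the static routes send via 10.140.146.2.
FLOWS = {"soho": "10.140.146.2", "branch1": "192.168.6.1",
         "vlan4": "10.99.0.2", "public": "34.79.244.5"}

def classify(policy, src="192.168.1.20"):
    """Return {flow name: decision} for every sample flow under the given policy."""
    return {name: evaluate(policy, src, dst) for name, dst in FLOWS.items()}

if __name__ == "__main__":
    for label, pol in (("as posted", SOHO_SZ_AS_POSTED), ("with allow", SOHO_SZ_WITH_ALLOW)):
        print(label, classify(pol))
```

Under this model the posted policy NATs only the flow to host 10.140.146.2 and discards the branch, VLAN and public-IP flows, since the deny lines exclude them from NAT without allowing them anywhere else; the public-IP flow stays discarded even with the hypothetical allow entry because no ACL permits it.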