
Re: Configuring 7102dl

Sam Chhlang
New Member

Configuring 7102dl

I'm fairly new to networking, so hopefully I can explain my problem so that you guys can understand. I'm trying to set up a 7102dl router on a T1 line. We have the T1 module installed. I also want to set up a DMZ for our web server. My question is, do I configure the T1 interface for internet access, the eth 0/1 interface for internal, and eth 0/2 for the DMZ? And to set up a DMZ, do I create a security zone for it? Also, will I have internet access by just using the firewall wizard through the web GUI? And do I need to create ACLs?
Mohieddin Kharnoub
Honored Contributor

Re: Configuring 7102dl

Hi

Your scenario will be like this:

- Create a DMZ in security Zones.
- Configure the T1 interface for internet access.
- Configure DMZ to have one of the Ethernet interfaces.
- Configure the other Ethernet interface for your LAN.

You now need to configure firewall policies for these 3 zones; for LAN to Internet you can use the wizard.

I'm not sure if you can configure DMZ access through the firewall wizard as well, so I think you should do it from the CLI.

I believe that VPN to DMZ can be configured by the VPN wizard.

Good luck!!!

Olaf Borowski
Respected Contributor

Re: Configuring 7102dl

Hi Sam,

Typically, you would use NAT to grant your "inside, secure" network access to the outside world. Using NAT (network address translation), only addresses from the inside network can access the outside (Internet). If you want people from the outside accessing servers on the inside, you have to create DMZs. Look at the documentation below for some examples.
ftp://ftp.hp.com/pub/networking/software/ProCurve-SR-IP-Firewall-Config-Guide.pdf.
The DMZ will allow users from the Internet to access your servers, but they cannot get to your internal network. Typically mail and web servers would be in a DMZ.

Hope this helps,

Olaf


fernando sabio
Occasional Contributor

Re: Configuring 7102dl

olaf wrote:

"...If you want people from the outside accessing servers on the inside, you have to create DMZs"

Q1) Can you not just allow, via one-to-one NAT, ACLs that allow particular ports to forward to particular internal IPs (i.e. hit 207.1.1.15 on port 80 and you get 10.1.1.15 on the 'lan')?

I ask because I have a question that I'll post separately, so as not to hijack this one, but that part is pertinent to both (i.e. if he wants to set up VPN or RDP to his 'lan').


thanks.
Fernando
Olaf Borowski
Respected Contributor

Re: Configuring 7102dl

Yes, you can do what you propose. Drawback: if someone gains unauthorized access to your web server, they have access to your LAN. If the server is on a different network, you have more control, meaning you can specify what can and cannot be done between your internal network and the DMZ network.

"have to" was maybe too strong. "Should" is better.
Sam Chhlang
New Member

Re: Configuring 7102dl

I am able to get internet access to work, but I cannot get HTTP requests from the outside to hit our web server. Here is the config, can someone take a look and tell me what I need to change?

ip access-list standard wizard-ics
remark Internet Connection Sharing
permit any
!
!
ip access-list extended self
remark Traffic to ProCurve SR
permit ip any any log
!
ip access-list extended wizard-pfwd-1
remark Port Forward 1
permit tcp any host xx.xxx.xxx.106 eq www log
!
ip access-list extended wizard-pfwd-2
remark Port Forward 2
permit tcp any host xx.xxx.xxx.106 eq ftp log
!
ip policy-class Private
allow list self self
nat source list wizard-ics interface ppp 1 overload
!
ip policy-class Public
nat destination list wizard-pfwd-1 address 192.168.1.xxx
nat destination list wizard-pfwd-2 address 192.168.1.xxx
!
!
!
ip route 0.0.0.0 0.0.0.0 ppp 1
ip route 0.0.0.0 0.0.0.0 xx.xxx.xxx.105
!
Sam Chhlang
New Member

Re: Configuring 7102dl

Edit:

The firewall wizard created two zones, a Public and a Private. Eventually I will create another zone (DMZ). But I just wanted to make sure that www requests are allowed in and forwarded to our web server.
Lei.Ma
Frequent Advisor

Re: Configuring 7102dl

I can give you a sample; you can check it out.
Sample:
ProCurve University San Francisco Network
192.168.1.0/24

Outbound public address: 16.1.1.1
Inbound HTTP global address: 16.1.1.2

config:

interface eth 0/1
ip address 192.168.1.1 255.255.255.0
access-policy Inside

interface ppp 1
ip address 16.1.1.1 255.255.255.248
access-policy Outside

ip policy-class Inside
nat source list MatchAll interface PPP 1 overload

ip policy-class Outside
nat destination list InWeb address 192.168.1.10
discard list MatchAll

ip access-list standard MatchAll
permit any

ip access-list extended InWeb
permit tcp any host 16.1.1.2 eq 80
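To make the behaviour of the sample above concrete, here is a small model of how the Outside and Inside policy classes decide what happens to a packet. This is an added illustration, not code from the router or from any poster; it assumes first-match evaluation within a policy class, an implicit drop when nothing matches, and only the ACL forms that appear in this thread (`permit any`, `permit ip any any`, `permit <proto> any host <addr> eq <port>`).

```python
from dataclasses import dataclass

# Port keywords seen in this thread; the wizard writes 'www' and 'ftp'.
PORT_NAMES = {"www": 80, "http": 80, "ftp": 21}

@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: int

def parse(text):
    """Collect 'ip access-list' and 'ip policy-class' blocks into lists of tokenised entries."""
    acls, policies, cur = {}, {}, None
    for line in text.splitlines():
        w = line.split()
        if not w or w[0] in ("!", "remark"):
            continue
        if w[:2] == ["ip", "access-list"]:        # 'ip access-list standard|extended NAME'
            cur = acls.setdefault(w[3], [])
        elif w[:2] == ["ip", "policy-class"]:     # 'ip policy-class NAME'
            cur = policies.setdefault(w[2], [])
        elif cur is not None:
            cur.append(w)
    return acls, policies

def acl_hit(acls, name, pkt):
    """True if any permit entry in the named ACL matches the packet (assumed ACL subset)."""
    for w in acls[name]:
        if w[:2] == ["permit", "any"] or w[1:4] == ["ip", "any", "any"]:
            return True
        if len(w) >= 7 and w[2:4] == ["any", "host"] and w[5] == "eq":
            port = PORT_NAMES.get(w[6]) or int(w[6])
            if pkt.proto == w[1] and pkt.dst == w[4] and pkt.dport == port:
                return True
    return False

def evaluate(acls, policies, zone, pkt):
    """Walk the zone's policy class top to bottom; first match wins, no match drops (assumption)."""
    for w in policies[zone]:
        if w[:2] == ["allow", "list"] and acl_hit(acls, w[2], pkt):
            return "allow", pkt.dst
        if w[:2] == ["nat", "destination"] and acl_hit(acls, w[3], pkt):
            return "nat", w[5]                    # inbound: destination rewritten to inside host
        if w[:2] == ["nat", "source"] and acl_hit(acls, w[3], pkt):
            return "nat", pkt.dst                 # outbound: source hidden, destination unchanged
        if w[:2] == ["discard", "list"] and acl_hit(acls, w[2], pkt):
            return "discard", pkt.dst
    return "discard", pkt.dst

# Constructed config, modelled on the sample posted above.
CONFIG = """
ip policy-class Inside
nat source list MatchAll interface PPP 1 overload
ip policy-class Outside
nat destination list InWeb address 192.168.1.10
discard list MatchAll
ip access-list standard MatchAll
permit any
ip access-list extended InWeb
permit tcp any host 16.1.1.2 eq 80
"""
```

Running `evaluate(*parse(CONFIG), "Outside", Packet("203.0.113.5", "16.1.1.2", "tcp", 80))` yields the web server's inside address, while the same source hitting port 22 falls through to the discard line.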