Configuring 7102dl

Sam Chhlang
Occasional Visitor

I'm fairly new to networking, so hopefully I can explain my problem so that you guys can understand. I'm trying to set up a 7102dl router to a T1 line. We have the T1 module installed. I also want to set up a DMZ for our web server. My question is, do I configure the T1 interface for internet access, the eth 0/1 interface for internal, and eth 0/2 for the DMZ? And to set up a DMZ, do I create a security zone for it? Also, will I have internet access by just using the firewall wizard through the web GUI? And do I need to create ACLs?
Mohieddin Kharnoub
Honored Contributor

Re: Configuring 7102dl


Your scenario will be like this:

- Create a DMZ in security Zones.
- Configure the T1 interface for internet access.
- Configure DMZ to have one of the Ethernet interfaces.
- Configure the other Ethernet interface for your LAN.

You now need to configure firewall policies for these 3 zones, so from LAN to Internet you can use the wizard.

I'm not sure if you can configure DMZ access through the firewall wizard also, so I think you should do it from the CLI.

I believe that VPN to DMZ can be configured by the VPN wizard.

Good Luck !!!

Science for Everyone
Olaf Borowski
Respected Contributor

Re: Configuring 7102dl

Hi Sam,

Typically, you would use NAT to grant your "inside, secure" network access to the outside world. Using NAT (network address translation), only addresses from the inside network can access the outside (Internet). If you want people from the outside accessing servers on the inside, you have to create DMZs. Look at the documentation below for some examples.
The DMZ will allow users from the Internet to access your servers, but they cannot get to your internal network. Typically, mail and web servers would be in a DMZ.

Hope this helps,


fernando sabio
Occasional Contributor

Re: Configuring 7102dl

olaf wrote:

"...If you want people from the outside accessing servers on the inside, you have to create DMZs"

Q1) Can you not just allow, via one-to-one NAT, ACLs that allow particular ports to forward to particular internal IPs (i.e., hit on port 80 and you get on the 'LAN')?

I ask because I have a question, which I'll post separately so as not to hijack this one, but that part is pertinent to both (i.e., if he wants to set up VPN or RDP to his 'LAN').

Olaf Borowski
Respected Contributor

Re: Configuring 7102dl

Yes, you can do what you propose. Drawback: if someone gains unauthorized access to your web server, they have access to your LAN. If the server is on a different network, you have more control, meaning you can specify what can and cannot be done between your internal network and the DMZ network.

"have to" was maybe too strong. "Should" is better.
Sam Chhlang
Occasional Visitor

Re: Configuring 7102dl

I am able to get internet access to work, but I cannot get HTTP requests from the outside to hit our web server. Here is the config, can someone take a look and tell me what I need to change?

ip access-list standard wizard-ics
  remark Internet Connection Sharing
  permit any
ip access-list extended self
  remark Traffic to ProCurve SR
  permit ip any any log
ip access-list extended wizard-pfwd-1
  remark Port Forward 1
  permit tcp any host xx.xxx.xxx.106 eq www log
ip access-list extended wizard-pfwd-2
  remark Port Forward 2
  permit tcp any host xx.xxx.xxx.106 eq ftp log
ip policy-class Private
  allow list self self
  nat source list wizard-ics interface ppp 1 overload
ip policy-class Public
  nat destination list wizard-pfwd-1 address 192.168.1.xxx
  nat destination list wizard-pfwd-2 address 192.168.1.xxx
ip route ppp 1
ip route xx.xxx.xxx.105
Sam Chhlang
Occasional Visitor

Re: Configuring 7102dl


The firewall wizard created two zones, a Public and a Private. Eventually I will create another zone (DMZ). But I just wanted to make sure that www requests are allowed in and forwarded to our web server.
Frequent Advisor

Re: Configuring 7102dl

I can give you a sample. You can check it out.
ProCurve University San Francisco Network

Outbound public address:
Inbound HTTP global address:


interface eth 0/1
  ip address
  access-policy Inside

interface ppp 1
  ip address
  access-policy Outside

ip policy-class Inside
  nat source list MatchAll interface PPP 1 overload

ip policy-class Outside
  nat destination list InWeb address
  discard list MatchAll

ip access-list standard MatchAll
  permit any

ip access-list extended InWeb
  permit tcp any host eq 80
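
Added example (not from any poster in this thread and not vendor tooling): a short Python check for configs written in the syntax posted above. It reports policy classes that no interface stanza attaches with access-policy, ACL names referenced by a policy rule but never defined, and each nat destination forward together with the ACL entries that expose it. The sample config, its names and its addresses are constructed; the stanza keywords are taken from the configs in the thread.

```python
import re

# Constructed sample in the syntax posted in this thread. Addresses are
# documentation-range placeholders, not values from the posts.
SAMPLE = """\
interface eth 0/1
  access-policy Inside
interface ppp 1
ip policy-class Inside
  nat source list MatchAll interface ppp 1 overload
ip policy-class Outside
  nat destination list InWeb address 192.0.2.10
  nat destination list InFtp address 192.0.2.10
  discard list MatchAll
ip access-list standard MatchAll
  permit any
ip access-list extended InWeb
  permit tcp any host 198.51.100.2 eq 80
"""

HEAD = re.compile(r"(interface|ip policy-class|ip access-list) "
                  r"(?:(?:standard|extended) )?(\S.*)$")

def audit(config):
    """Return (unattached policy classes, undefined ACLs, inbound forwards)."""
    classes, acls, attached = {}, {}, set()
    kind = name = None
    for line in map(str.strip, config.splitlines()):
        head = HEAD.match(line)
        if head:                                  # start of a new stanza
            kind, name = head.groups()            # register class/ACL names, ignore interfaces
            {"ip policy-class": classes, "ip access-list": acls}.get(kind, {}).setdefault(name, [])
        elif kind == "interface" and line.startswith("access-policy "):
            attached.add(line.split()[1])         # class bound to this interface
        elif kind == "ip policy-class" and re.match(r"(allow|discard|nat) ", line):
            classes[name].append(line)
        elif kind == "ip access-list" and re.match(r"(permit|deny) ", line):
            acls[name].append(line)
    refs = [(c, r, re.search(r"\blist (\S+)", r).group(1))
            for c, rules in classes.items() for r in rules if " list " in r]
    unattached = sorted(set(classes) - attached)
    undefined = sorted({a for _, _, a in refs if a not in acls})
    forwards = [(c, a, r.split(" address ")[1], acls.get(a, []))
                for c, r, a in refs
                if r.startswith("nat destination ") and " address " in r]
    return unattached, undefined, forwards

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

Pass the full text of a saved configuration to audit(); a partial paste that omits the interface stanzas will report every policy class as unattached.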