Switches, Hubs, and Modems

HP equivalent for cisco “access-list 111 permit ip any any established”

blkdog
Occasional Contributor

HP equivalent for cisco “access-list 111 permit ip any any established”

It's an HP 7201dl question.
I want to select traffic based on TCP state, i.e. permit traffic that has been initiated from the LAN to come back. I only find it possible for a limited set of applications when I use ALG. So, is the 7201 a stateful firewall?
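To make the distinction behind this question concrete, here is an added illustration (not from any poster, and not configuration for the 7201dl or any other device): a stateless filter that mimics what Cisco's `established` keyword checks (ACK or RST bit set) beside a minimal connection tracker that only admits inbound segments matching a flow the LAN side opened. The hosts, ports and packets are constructed sample data.

```python
# Added example: stateless "established" match vs. a minimal stateful tracker.
# All addresses/ports below are constructed (documentation ranges).
from dataclasses import dataclass

ACK, RST, SYN = 0x10, 0x04, 0x02
INSIDE = "192.0.2.10"          # constructed LAN host

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    inbound: bool              # True = arriving from the WAN side

def established_acl(pkt: Packet) -> bool:
    """Models 'permit tcp any any established' applied inbound: any segment
    with ACK or RST set is permitted, with no memory of earlier traffic."""
    if not pkt.inbound:
        return True
    return bool(pkt.flags & (ACK | RST))

class StatefulFilter:
    """Tracks flows opened from the LAN; inbound traffic must match one."""
    def __init__(self):
        self.table = set()

    def permit(self, pkt: Packet) -> bool:
        if not pkt.inbound:
            if pkt.flags & SYN:             # outbound SYN opens a flow
                self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)  # reversed 4-tuple
        if key not in self.table:
            return False                    # unsolicited: drop
        if pkt.flags & RST:
            self.table.discard(key)         # RST tears the flow down
        return True

def compare(packets):
    """Return (acl_decisions, stateful_decisions) for the same packet list."""
    fw = StatefulFilter()
    return [established_acl(p) for p in packets], [fw.permit(p) for p in packets]

# Constructed traffic: a LAN-initiated IRC session, then an unsolicited ACK.
SAMPLE = [
    Packet(INSIDE, 51000, "198.51.100.5", 6667, SYN, inbound=False),
    Packet("198.51.100.5", 6667, INSIDE, 51000, SYN | ACK, inbound=True),
    Packet("203.0.113.9", 40000, INSIDE, 22, ACK, inbound=True),
]
```

The third packet shows the difference: the flag-only rule lets it through, while the tracker rejects it because no inside host opened that flow.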
Mohieddin Kharnoub
Honored Contributor

Re: HP equivalent for cisco “access-list 111 permit ip any any established”

Hi

Yes, the 7102 is absolutely a stateful firewall.
ALG is one of the ways for the state of the session,
and I think if you can explain a little more about the situation you have, I'm sure you will find the help here.

Good Luck !!!
Science for Everyone
blkdog
Occasional Contributor

Re: HP equivalent for cisco “access-list 111 permit ip any any established”

It's just a general precautionary measure. I don't want anyone in unless a connection has been initiated from inside. I hope I do not confuse anything, but for IRC a port range 6665-6700 is defined. Naturally I do not open them. But when I intend to use IRC I don't exactly know which port IRC will pick / work on.
Another situation is when it's a net software that utilizes TCP on unknown ports, so you have no way of anticipating how it will work. I know that what I'm saying is pure rhetoric and nothing specific, but I will be using the router in a production environment and I want to make sure that everything goes smoothly.

Olaf Borowski
Respected Contributor

Re: HP equivalent for cisco “access-list 111 permit ip any any established”

Hi,

Are you using only the "ip firewall" command or are you NATing etc.? When you NAT, only connections from the inside are allowed. There is no way for anyone from the outside to initiate a connection to the inside. You have to specifically poke holes in the firewall to allow this. How is the 7000 being used?
blkdog
Occasional Contributor

Re: HP equivalent for cisco “access-list 111 permit ip any any established”

I use 1-to-1 NAT with 5 secondary IP addresses, so 5 PCs appear as if they are directly connected with "white" IPs. Another IP is for many-to-1 NAT and here, indeed, there is no way anybody can reach the internal network.
Also another question: how can I configure access to the router console with an RSA public key without typing username/password every time?