07-13-2020 05:46 AM
MSR 1003-8 PAT routing and firewall
Model: JG732A Firmware: MSR1000_5.20.R2516P13.zip OS: Comware 5
The problem persists and I need help to resolve this urgently.
If I open a port on a computer on the LAN side of the MSR 1003-8 I can see the port over the internet using nmap.
If I put a tcp deny any and a udp deny any as the highest ACL rules on the WAN interface, this stops services like OneDrive from running on PCs that reside on the LAN interface. So I remove the udp and tcp deny any and my ports appear to nmap on the Internet.
Key aspects of the config are below
#
firewall enable
#
port-security enable
#
acl number 3100
description ExternaltoResearchnet
rule 2 permit udp destination 100.100.20.0 0.0.0.255 destination-port eq 3389
rule 3 permit tcp destination 100.100.20.0 0.0.0.255 destination-port eq 3389
rule 10 deny tcp destination-port eq domain
rule 11 deny udp destination-port eq dns
rule 20 permit tcp source 100.100.18.50 0 destination-port eq 22
rule 21 permit tcp source 100.100.19.109 0 destination-port eq 22
rule 30 deny tcp destination 100.100.20.0 0.0.0.255 destination-port eq 1723
rule 31 deny udp destination 100.100.20.0 0.0.0.255 destination-port eq 1723
acl number 3200
rule 0 permit tcp source 100.100.20.0 0.0.0.255
rule 1 permit udp source 100.100.20.0 0.0.0.255
rule 2 deny ip source 100.100.20.210 0
#
vlan 1
#
vlan 20
#
interface Vlan-interface20
ip address 100.100.20.254 255.255.255.0
dhcp server apply ip-pool vlan20
firewall packet-filter 3200 inbound
#
interface GigabitEthernet0/0
port link-mode route
description external
firewall packet-filter 3100 inbound
ip address 100.100.21.10 255.255.255.240
dns server 10.10.10.1
dns server 10.10.11.1
#
interface GigabitEthernet0/1
port link-mode route
#
interface GigabitEthernet0/2
port link-mode bridge
port access vlan 20
#
interface GigabitEthernet0/3
port link-mode bridge
port access vlan 20
#
interface GigabitEthernet0/4
port link-mode bridge
#
interface GigabitEthernet0/5
port link-mode bridge
#
interface GigabitEthernet0/6
port link-mode bridge
#
interface GigabitEthernet0/7
port link-mode bridge
#
interface GigabitEthernet0/8
port link-mode bridge
#
interface GigabitEthernet0/9
port link-mode bridge
#
ip route-static 0.0.0.0 0.0.0.0 100.100.21.13
07-15-2020 09:58 PM
Re: MSR 1003-8 PAT routing and firewall
Hello @Mark_Gregory
I am afraid that I could not be of much help, so I would suggest that you contact HPE support and log a support case.
I work for HPE
07-22-2020 08:02 PM
Re: MSR 1003-8 PAT routing and firewall
I've determined that it would be best to find an example of how to use COMWARE 5 to do routing and firewall between two public IP ranges in both directions. Any examples welcome.
The MSR appears to be blocking the internal public IP range from transiting out the WAN interface when the firewall rules include a deny IP any as the last statement on the WAN interface.
07-24-2020 08:16 PM
Re: MSR 1003-8 PAT routing and firewall
Anyone? Are there any examples of how to use the MSR firewall without NAT between two public subnets? Examples of the net-to-net static NAT would be welcome.
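
The two symptoms reported in this thread (LAN ports visible from the Internet, and LAN clients breaking once a catch-all deny is added on the WAN interface) both follow from stateless first-match filtering, which the model below reproduces. This is an added example, not code from any poster or from HPE: it encodes ACL 3100 as posted and assumes the packet filter's default action is permit, which is consistent with the nmap result in the opening post. The sample packets, the flag-based `EST` rule and all function names are constructed for illustration.

```python
from ipaddress import ip_address, ip_network

LAN = "100.100.20.0/24"  # Vlan-interface20 subnet from the posted config

def rule(action, proto, src="0.0.0.0/0", dst="0.0.0.0/0", dport=None, est=False):
    return dict(action=action, proto=proto, src=ip_network(src),
                dst=ip_network(dst), dport=dport, est=est)

ACL_3100 = [  # the posted rules, in rule-id order
    rule("permit", "udp", dst=LAN, dport=3389),
    rule("permit", "tcp", dst=LAN, dport=3389),
    rule("deny", "tcp", dport=53),
    rule("deny", "udp", dport=53),
    rule("permit", "tcp", src="100.100.18.50/32", dport=22),
    rule("permit", "tcp", src="100.100.19.109/32", dport=22),
    rule("deny", "tcp", dst=LAN, dport=1723),
    rule("deny", "udp", dst=LAN, dport=1723),
]
DENY_ALL = [rule("deny", "ip")]                    # "deny IP any" as last rule
EST = [rule("permit", "tcp", dst=LAN, est=True)]   # hypothetical flag-based rule

def pkt(proto, src, dst, dport, flags=""):
    return dict(proto=proto, src=ip_address(src), dst=ip_address(dst), dport=dport, flags=flags)

def evaluate(acl, p, default="permit"):
    """Stateless first match: each packet is judged alone, no connection table."""
    for r in acl:
        if r["proto"] not in ("ip", p["proto"]) or p["src"] not in r["src"]:
            continue
        if p["dst"] not in r["dst"] or r["dport"] not in (None, p["dport"]):
            continue
        if r["est"] and not set("AR") & set(p["flags"]):
            continue  # "established" here means ACK or RST is set
        return r["action"]
    return default  # assumed default action when no rule matches

PACKETS = {  # constructed packets arriving inbound on the WAN interface
    "scan": pkt("tcp", "203.0.113.7", "100.100.20.15", 8080, "S"),
    "tcp_reply": pkt("tcp", "198.51.100.20", "100.100.20.15", 50000, "A"),
    "udp_reply": pkt("udp", "198.51.100.53", "100.100.20.15", 40000),
    "ssh_other": pkt("tcp", "203.0.113.7", "100.100.20.15", 22, "S"),
}

def verdicts(acl, default="permit"):
    return {name: evaluate(acl, p, default) for name, p in PACKETS.items()}

if __name__ == "__main__":
    for acl in (ACL_3100, ACL_3100 + DENY_ALL, ACL_3100 + EST + DENY_ALL):
        print(verdicts(acl))
```

With the rules as posted, every packet that matches no rule is permitted, including SSH from sources other than the two listed in rules 20 and 21. The UDP reply stays denied even with the flag-based rule because UDP carries no flags to match on, so admitting replies while blocking unsolicited traffic needs a filter that tracks connections.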