LAN Routing

Re: MSR 1003-8 PAT routing and firewall

Mark_Gregory
Advisor

MSR 1003-8 PAT routing and firewall

Model: JG732A Firmware: MSR1000_5.20.R2516P13.zip OS: Comware 5

The problem persists and I need help to resolve this urgently.

If I open a port on a computer on the LAN side of the MSR 1003-8 I can see the port over the internet using nmap.

If I put a tcp deny any and a udp deny any as the highest ACL rules on the WAN interface, this stops services like OneDrive from running on PCs that reside on the LAN interface. So I remove the udp and tcp deny any, and my ports appear to nmap on the Internet.

Key aspects of the config are below

#
firewall enable
#
port-security enable
#
acl number 3100
 description ExternaltoResearchnet
 rule 2 permit udp destination 100.100.20.0 0.0.0.255 destination-port eq 3389
 rule 3 permit tcp destination 100.100.20.0 0.0.0.255 destination-port eq 3389
 rule 10 deny tcp destination-port eq domain
 rule 11 deny udp destination-port eq dns
 rule 20 permit tcp source 100.100.18.50 0 destination-port eq 22
 rule 21 permit tcp source 100.100.19.109 0 destination-port eq 22
 rule 30 deny tcp destination 100.100.20.0 0.0.0.255 destination-port eq 1723
 rule 31 deny udp destination 100.100.20.0 0.0.0.255 destination-port eq 1723
acl number 3200
 rule 0 permit tcp source 100.100.20.0 0.0.0.255
 rule 1 permit udp source 100.100.20.0 0.0.0.255
 rule 2 deny ip source 100.100.20.210 0
#
vlan 1
#
vlan 20
#
interface Vlan-interface20
 ip address 100.100.20.254 255.255.255.0
 dhcp server apply ip-pool vlan20
 firewall packet-filter 3200 inbound
#
interface GigabitEthernet0/0
 port link-mode route
 description external
 firewall packet-filter 3100 inbound
 ip address 100.100.21.10 255.255.255.240
 dns server 10.10.10.1
 dns server 10.10.11.1
#
interface GigabitEthernet0/1
 port link-mode route
#
interface GigabitEthernet0/2
 port link-mode bridge
 port access vlan 20
#
interface GigabitEthernet0/3
 port link-mode bridge
 port access vlan 20
#
interface GigabitEthernet0/4
 port link-mode bridge
#
interface GigabitEthernet0/5
 port link-mode bridge
#
interface GigabitEthernet0/6
 port link-mode bridge
#
interface GigabitEthernet0/7
 port link-mode bridge
#
interface GigabitEthernet0/8
 port link-mode bridge
#
interface GigabitEthernet0/9
 port link-mode bridge
#
ip route-static 0.0.0.0 0.0.0.0 100.100.21.13

3 REPLIES
jmpk
HPE Pro

Re: MSR 1003-8 PAT routing and firewall

Hello @Mark_Gregory 

I am afraid that I could not be of much help, so I would suggest that you contact HPE support and log a case.


I work for HPE
Mark_Gregory
Advisor

Re: MSR 1003-8 PAT routing and firewall

I've determined that it would be best to find an example of how to use COMWARE 5 to do routing and firewall between two public IP ranges in both directions. Any examples welcome.

The MSR appears to be blocking the internal public IP range from transiting out the WAN interface when the firewall rules include a deny IP any as the last statement on the WAN interface.

Mark_Gregory
Advisor

Re: MSR 1003-8 PAT routing and firewall

Anyone? Are there any examples of how to use the MSR firewall without NAT between two public subnets? Examples of net-to-net static NAT would be welcome.
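The original post and the last reply together describe the same gap: ACL 3100 is applied inbound on the WAN interface with no final deny, so the default permit lets an external scan see any port a LAN host opens, while a stateless "deny tcp / deny udp" at the end also drops the replies to connections the LAN itself opened (return traffic for a OneDrive session arrives inbound from source port 443 to a random destination port and matches no permit). The configuration below is an added example written for this thread, not the poster's or HPE's own configuration, showing the usual Comware 5 way to keep a default-deny inbound filter on a routed public subnet without NAT: an ASPF (stateful inspection) policy applied outbound on the WAN interface creates temporary entries that let the return traffic of LAN-initiated TCP and UDP sessions back in, and a "permit tcp established" rule covers TCP replies even if inspection is not in place. Addresses, interface names and existing rules are taken from the posted configuration; the ASPF policy number (1) and the added rule numbers (40 and 100) are my own choices. Only the blocks that change are shown; it does not cover static net-to-net NAT, which the thread never configures.

```comware
#
firewall enable
#
# Stateful inspection of sessions leaving through the WAN interface. Return
# packets of an inspected TCP or UDP session are admitted even though the
# inbound packet filter below ends in "deny ip". (policy number 1 is assumed)
aspf-policy 1
 detect tcp
 detect udp
#
# Inbound filter on the WAN interface. Rules 2-31 are the posted ones.
# Rule 40 (added) admits replies to TCP sessions the LAN opened (ACK/RST set).
# Rule 100 (added) drops everything else from the Internet; without it the
# default action is permit, which is why open LAN ports were visible externally.
acl number 3100
 description ExternaltoResearchnet
 rule 2 permit udp destination 100.100.20.0 0.0.0.255 destination-port eq 3389
 rule 3 permit tcp destination 100.100.20.0 0.0.0.255 destination-port eq 3389
 rule 10 deny tcp destination-port eq domain
 rule 11 deny udp destination-port eq dns
 rule 20 permit tcp source 100.100.18.50 0 destination-port eq 22
 rule 21 permit tcp source 100.100.19.109 0 destination-port eq 22
 rule 30 deny tcp destination 100.100.20.0 0.0.0.255 destination-port eq 1723
 rule 31 deny udp destination 100.100.20.0 0.0.0.255 destination-port eq 1723
 rule 40 permit tcp established
 rule 100 deny ip
#
# WAN interface: filter inbound, inspect outbound. Inspection must sit on the
# same interface as the filter so the temporary entries apply to it.
interface GigabitEthernet0/0
 port link-mode route
 description external
 firewall packet-filter 3100 inbound
 firewall aspf apply policy 1 outbound
 ip address 100.100.21.10 255.255.255.240
 dns server 10.10.10.1
 dns server 10.10.11.1
#
```

Two points to keep in mind when applying this. First, ASPF only helps sessions whose first packet leaves through GigabitEthernet0/0; anything the Internet initiates toward 100.100.20.0/24 still needs an explicit permit before rule 100, as RDP (3389) already has here, so inbound services that should stay reachable must be listed deliberately rather than relying on the default permit. Second, the "established" rule is a stateless approximation (it matches on TCP flags, not on a tracked session), so it is a fallback for TCP only; UDP return traffic, such as DNS replies to LAN clients, depends on the ASPF entries. After applying the change, repeat the external nmap check from the original post to confirm that only the deliberately permitted ports respond.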