Firewall Configuration Example 559
www server address 129.38.1.3. The enterprise address to the outside is
202.38.160.1. Address translation has been configured on the router so that the
internal PC can access the Internet and the external PC can access the internal
server. By configuring the firewall, the following is expected:
■ Only specific users from the external network can access the internal server.
■ Only a specific internal host can access the external network.
In this example, assume that the IP address of the specific external user is
202.39.2.3.
Figure 172 Sample networking of firewall configuration
1 Enable the firewall
[Router] firewall enable
2 Configure the firewall default filtering mode as permit, so that packets matching no rule are passed
[Router] firewall default permit
3 Configure an access rule that denies all packets
[Router] acl 101
[Router-acl-101] rule deny ip source any destination any
4 Configure rules that permit the specific internal host and the internal servers to
access the external network
[Router-acl-101] rule permit ip source 129.38.1.4 0 destination any
[Router-acl-101] rule permit ip source 129.38.1.1 0 destination any
[Router-acl-101] rule permit ip source 129.38.1.2 0 destination any
[Router-acl-101] rule permit ip source 129.38.1.3 0 destination any
5 Configure a rule that permits the specific external user to access the internal server
[Router] acl 102
[Router-acl-102] rule permit tcp source 202.39.2.3 0 destination 202.38.160.1 0
(Figure 172 labels: Enterprise Ethernet behind a Quidway router; www server 129.38.1.3; Ftp server 129.38.1.1; Telnet server 129.38.1.2; specific internal PC 129.38.1.4; 129.38.1.5; WAN side 202.38.160.1; specific external PC; Router.)