
3Com Router User Manual


Page 561

Configure Firewall 557
one to use after viewing the current time range (special or normal). For example, if the current system time falls in the special time range (defined by rule special acl-number), the special time range rules are used for filtering. When the current system time switches to the normal time range (defined by rule normal acl-number), the normal time range rules are used for filtering.
Perform the following configurations in system view.
Table...

Page 562

558 CHAPTER 39: CONFIGURING FIREWALL
Table 627 Configure Rules for Applying Access Control List on Interface
By default, no rule for filtering packets on an interface is specified.
In one direction of an interface (inbound or outbound), up to 20 access rules can be applied. That is, 20 rules can be applied with firewall packet-filter inbound, and 20 rules with firewall packet-filter outbound.
If two rules with different sequence numbers conflict, then the number with greater...

Page 563

Firewall Configuration Example 559
www server address 129.38.1.3. The enterprise's address to the outside is 202.38.160.1. Address translation (NAT) has been configured on the router so that the internal PC can access the Internet and the external PC can access the internal server. By configuring a firewall, the following is expected:
■ Only specific users from the external network can access the internal server.
■ Only a specific internal host can access the external network.
In this example, assume that the IP...

Page 564

560 CHAPTER 39: CONFIGURING FIREWALL
6 Configure a rule to permit a specific user to obtain data from the external network (only packets to ports greater than 1024):
[Router-acl-102] rule permit tcp source any destination 202.38.160.1 0.0.0.0 destination-port greater-than 1024
7 Apply rule 101 to packets coming in on interface Ethernet0:
[Router-Ethernet0] firewall packet-filter 101 inbound
8 Apply rule 102 to packets coming in on interface Serial0:
[Router-Serial0] firewall packet-filter 102 inbound
Note that the rule in step 6 is a stateless filter with source any: it admits every TCP packet from any external host to 202.38.160.1 with a destination port above 1024, not only the replies to connections that the internal host initiated. Unsolicited connections from the outside to high ports on that address are therefore also admitted by this ACL.
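The following is an added Python model of the stateless packet filter described on these pages; it is not code from the 3Com manual. It covers two things the text explains: choosing the special or normal ACL by the current system time (page 561), and matching packets against a rule such as the ACL 102 rule applied inbound on Serial0 (page 564). The matching semantics are assumptions, not page facts: rules are evaluated in order, the first match decides, and an unmatched packet is denied. All packets, addresses, ports and time ranges are constructed for illustration.

```python
"""Added example (not from the 3Com manual): a stateless packet filter with
router-style wildcard masks, plus special/normal ACL selection by time of day.
Assumed semantics: rules evaluated in order, first match wins, default deny."""
from dataclasses import dataclass
from datetime import time
from typing import Optional

from ipaddress import IPv4Address

ANY = ("0.0.0.0", "255.255.255.255")   # "source any": every address bit is don't-care


def wildcard_match(addr: str, rule_addr: str, wildcard: str) -> bool:
    """Router-style wildcard mask: a 1 bit in the wildcard means 'don't care',
    so 0.0.0.0 matches exactly one host and 0.0.0.255 matches a /24."""
    a, r, w = (int(IPv4Address(x)) for x in (addr, rule_addr, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (r & care)


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                       # "permit" or "deny"
    proto: str                        # "tcp", "udp" or "ip" (any protocol)
    src: tuple                        # (address, wildcard)
    dst: tuple                        # (address, wildcard)
    dport_gt: Optional[int] = None    # destination-port greater-than N

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if not wildcard_match(pkt.src, *self.src):
            return False
        if not wildcard_match(pkt.dst, *self.dst):
            return False
        if self.dport_gt is not None and pkt.dport <= self.dport_gt:
            return False
        return True


def acl_permits(rules, pkt: Packet) -> bool:
    """First matching rule decides; no match means deny (assumed default)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action == "permit"
    return False


# Constructed special time range: 22:00 to 06:00, wrapping past midnight.
NIGHT = [(time(22, 0), time(6, 0))]


def acl_at(hour: int, minute: int, special_ranges=NIGHT,
           special_acl: int = 102, normal_acl: int = 101) -> int:
    """Page 561: the special ACL applies while the clock is inside a special
    time range; the normal ACL applies otherwise.  ACL numbers are assumed."""
    now = time(hour, minute)
    for start, end in special_ranges:
        inside = start <= now < end if start <= end else (now >= start or now < end)
        if inside:
            return special_acl
    return normal_acl


# ACL 102 as written on page 564:
#   rule permit tcp source any destination 202.38.160.1 0.0.0.0 destination-port greater-than 1024
ACL_102 = [Rule("permit", "tcp", ANY, ("202.38.160.1", "0.0.0.0"), dport_gt=1024)]

# Constructed packets arriving inbound on Serial0 from an external host.
REPLY = Packet("tcp", "198.51.100.7", "202.38.160.1", 80, 34567)        # reply to an internal web request
UNSOLICITED = Packet("tcp", "198.51.100.7", "202.38.160.1", 4444, 8080)  # new connection to a high port
TELNET = Packet("tcp", "198.51.100.7", "202.38.160.1", 4444, 23)         # connection to a low port
OTHER_DST = Packet("tcp", "198.51.100.7", "202.38.160.2", 80, 34567)     # a different destination host


def evaluate_example() -> dict:
    """Filter decision for each constructed packet under ACL 102."""
    return {
        "reply": acl_permits(ACL_102, REPLY),              # intended traffic: permitted
        "unsolicited": acl_permits(ACL_102, UNSOLICITED),  # stateless filter cannot tell it apart: permitted
        "telnet": acl_permits(ACL_102, TELNET),            # port 23 is not > 1024: denied
        "other_dst": acl_permits(ACL_102, OTHER_DST),      # wildcard 0.0.0.0 matches one host only: denied
    }


if __name__ == "__main__":
    print(evaluate_example())
    print(acl_at(23, 30), acl_at(9, 0))
```

The "unsolicited" result is the point of the caveat above: a stateless port-range rule permits every packet that fits the pattern, so a reply to an internal client and a fresh connection attempt from outside are indistinguishable to it.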

Page 565

40
CONFIGURING IPSEC
This chapter covers the following topics:
■ IPSec Protocol Overview
■ Configuring IPSec
■ Creating a Security Policy
■ Displaying and Debugging IPSec
■ IPSec Configuration Example
■ Troubleshooting IPSec
IPSec Protocol Overview
IPSec is the general name for a family of network security protocols that provide services such as access control, connectionless integrity, data origin authentication, anti-replay protection, confidentiality (encryption) and limited traffic-flow confidentiality for both communicating parties.
With...

Page 566

562 CHAPTER 40: CONFIGURING IPSEC
state by polling. Thus, crypto cards can process user data synchronously, which improves the speed of data encryption and decryption.
When IPSec is handled by the crypto cards and all crypto cards on the router are in an abnormal state, the cards cannot perform IPSec processing. In this case, provided that the host has been enabled to back up the crypto cards, the IPSec module of the operating system takes over from the crypto cards to implement...

Page 567

Configuring IPSec 563
policy with the smaller sequence number in the same security policy group has the higher priority.
■ SA (Security Association): IPSec provides security services for data streams through security associations. An SA includes the protocol, algorithm, key and other parameters, and specifies how IP packets are to be processed. An SA is a unidirectional logical connection between two IPSec systems: the inbound data stream and the outbound data stream are processed separately by an inbound SA and an outbound SA. SA is...
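The overview on page 565 lists anti-replay among the services IPSec provides, and the SA definition above explains that an SA is unidirectional, with inbound and outbound streams handled by separate SAs. The following added Python example, not from the 3Com manual, shows how those two facts fit together: the outbound SA only increments a sequence counter, while the inbound SA keeps a sliding replay window over the sequence numbers it has accepted, in the style of ESP sequence number verification (RFC 4303). The window size of 64 and all sequence numbers are constructed; the integrity check is represented by a boolean, since the example is about the window rather than the MAC.

```python
"""Added example (not from the 3Com manual): per-SA sequence numbers and an
inbound anti-replay sliding window.  Window size and sequences are assumed."""


class OutboundSA:
    """An outbound SA only numbers what it sends; it must never reuse a number."""

    def __init__(self):
        self.seq = 0

    def next_seq(self) -> int:
        if self.seq == 0xFFFFFFFF:
            # A 32-bit sequence space must not wrap; the SA has to be renegotiated.
            raise RuntimeError("sequence number exhausted: renegotiate the SA")
        self.seq += 1
        return self.seq


class InboundSA:
    """Replay window of an inbound SA.  bit i of 'bitmap' set means that
    sequence number (top - i) has already been accepted."""

    def __init__(self, window: int = 64):
        self.window = window
        self.top = 0          # highest sequence number accepted so far
        self.bitmap = 0
        self.dropped = 0

    def accept(self, seq: int, integrity_ok: bool = True) -> bool:
        """Return True if the packet passes the replay check and authenticates.
        The window is consulted before the integrity check but only updated
        after the packet authenticates, so forged packets cannot poison it."""
        if seq == 0:                              # 0 is never a valid sequence number
            self.dropped += 1
            return False
        if seq > self.top:                        # new highest number: slide the window
            if not integrity_ok:
                self.dropped += 1
                return False
            shift = seq - self.top
            mask = (1 << self.window) - 1
            self.bitmap = (self.bitmap << shift) & mask if shift < self.window else 0
            self.bitmap |= 1                      # bit 0 now stands for 'seq'
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.window:                 # older than the window: drop
            self.dropped += 1
            return False
        if (self.bitmap >> offset) & 1:           # already accepted: replay
            self.dropped += 1
            return False
        if not integrity_ok:
            self.dropped += 1
            return False
        self.bitmap |= 1 << offset                # late but genuine: record it
        return True


def replay_demo() -> dict:
    """Drive one inbound SA with constructed sequence numbers."""
    sa = InboundSA(window=64)
    r = {}
    r["in_order"] = [sa.accept(s) for s in (1, 2, 3)]          # all accepted
    r["replay_of_2"] = sa.accept(2)                            # replay: dropped
    r["late_but_new"] = sa.accept(5) and sa.accept(4)          # reordering inside the window is fine
    r["far_ahead"] = sa.accept(200)                            # jumps the window forward
    r["too_old"] = sa.accept(100)                              # 200 - 100 >= 64: dropped
    r["in_window_new"] = sa.accept(150)                        # 200 - 150 < 64, unseen: accepted
    r["bad_mac_not_recorded"] = (sa.accept(180, integrity_ok=False),  # forged: dropped ...
                                 sa.accept(180))               # ... and the real one still gets through
    r["dropped"] = sa.dropped
    return r


if __name__ == "__main__":
    print(replay_demo())
```

Because each SA is one direction only, the peer's inbound SA holds the window for traffic this side sends, and this side's inbound SA holds the window for the peer's traffic; nothing is shared between the two directions except the negotiated parameters.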

Page 568

564 CHAPTER 40: CONFIGURING IPSEC
authentication and encryption, for instance), it is necessary to create two different encryption access control lists and apply them to different security policies.
An encryption access control list can be used to classify both inbound and outbound communication.
To create an encryption access control list, perform the following configurations in system view.
Table 630 Create Encryption Access Control List
The information transmitted between the source...

Page 569

Configuring IPSec 565
Configure NDEC Cards
Enable the crypto cards
When several crypto cards on the router work simultaneously, the commands enable and disable can be used to manage them. To facilitate management and debugging, you can set a crypto card to the disabled state (it no longer processes data) or the enabled state as needed. Executing the enable command on a crypto card in the disabled state resets and initializes it.
Perform the following configurations in system...

Page 570

566 CHAPTER 40: CONFIGURING IPSEC
Table 634 Enable/Disable the Host to Backup the NDEC Cards
By default, the host is not enabled to back up the crypto cards.
Defining IPSec Proposal
An IPSec proposal (transform) specifies the security protocol and the encryption/authentication algorithms that supply the security parameters for negotiating the IPSec security association. Both ends must use the same transform for the IPSec security association to be negotiated successfully.
Define IPSec proposal...