Owners Manual
Page 19
... Setting the Source Address for Probe Packets 9-17 Setting the Source Port for Probe Packets 9-17 Special Considerations for Configuring Probes 9-18 Special Considerations for ICMP Echo Probes 9-18 Special Considerations for TCP Connect Probes 9-20 Special Considerations for HTTP Request Probes 9-20 Activating and Shutting Down the Probe 9-25 Configuring...
Page 107
...host specify a single host, using the following syntax for specifying a source or destination address. Wildcard bits define which address bits the Secure Router OS should match and which address bits it should specify ip as the protocol. Configuring Backup WAN Connections Configuring Demand Routing for Backup... a Protocol When you create a permit or deny statement for the protocol. Valid protocols include: ■ AHP ■ ESP ■ GRE ■ ICMP ■ IP ■ TCP ■ UDP You can also specify a number between 0 and 255 for an extended ACL, you must configure both a...
Page 167
... 48 kilobits/sec Bandwidth=0 Kbps Link through ISDN Group 1:Ch 0(bri 2/2), Uptime 0:01:40 Physical dial-up connection ■ time until disconnect: 36 Interesting pkt: ICMP: src=192.168.1.1 dest=192.168.6.1 Traffic that triggered the dial-up interface used to make the connection;
Page 188
...demand interface. esp - Configure the demand interface. Create the demand interface by entering: ProCurve(config)# interface demand Replace with a number between 0 and 255 To specify the source...demand interface must have a unique number. number between 1 and 1024 for the ACL, enter: ProCurve(config-ext-nacl)# exit 3. From the demand interface configuration mode context, enter: Syntax: match-interesting...host |hostname | ] For example, you might enter: ProCurve(config-demand 1)# ip address 10.10.10.1 255.255.255.252 Or ProCurve(config-demand 1)# ip address 10.1.1.1 /30 c. b. ...
Page 209
...OSI Layer Function application-level Application (7) allows a specific application gateway to work correctly in the presence of the firewall ProCurve Secure Router Configuration enable ALGs See "Configuring ALGs" on page 4-18 Attack Checking This chapter focuses on how to configure the ... with flags that signal known attacks. The Secure Router OS firewall automatically checks for these attacks: ■ Ping of death, IP spoofing, Internet Control Message Protocol (ICMP) floods, and falsified IP headers. The Secure Router OS firewall automatically detects and blocks specific known...
Page 215
This blocks: ■ the WinNuke attack ■ the TCP Xmas scan 4-15 ProCurve Secure Router OS Firewall-Protecting the Internal, Trusted Network Configuring Attack Checking Packet all ICMP packets except: • echo • echo-reply • ttl expired • destination unreachable • quench falsified IP header (the length bit does not match the ...
Page 221
... established through the router. The Secure Router OS firewall also monitors authentication header (AH) and encapsulating security payload (ESP) sessions, which are established between tunnel interfaces on remote routers. You can also set different timeouts for attacks, the Secure Router OS firewall monitors all applications for which are used with IPSec to ensure that protocol. ProCurve Secure Router OS Firewall...
Page 222
... You can range from 0 to 65,535. (The range for any RTP session. See "Enabling Firewall Traversal" on page 4-20. ProCurve Secure Router OS Firewall-Protecting the Internal, Trusted Network Configuring Timeouts for Sessions The default settings for various TCP or UDP applications by specifying the protocol...seconds. For example, enter commands such as for the specific application: Syntax: ip policy-timeout [tcp | udp] [all -ports 450 ProCurve(config)# ip policy-timeout icmp 120 You can configure a Telnet session to specify that this command: Syntax: ip policy-timeout [ahp | esp | gre...
Page 232
...If so desired, change the timeouts for events logged to email: ProCurve(config)# logging email on b. a. If so desired, enable the router to a syslog server. Set the priority level for TCP and UDP and ICMP sessions: Syntax: ip policy-timeout [tcp | udp] all -...so desired, enable log forwarding to email events. Enable log forwarding: ProCurve(config)# logging forwarding on b. ProCurve Secure Router OS Firewall-Protecting the Internal, Trusted Network Quick Start 4. Specify the syslog server address: ProCurve(config)# logging forwarding receiver-ip 8. You can enter ports as a...
Page 244
... When you create entries in the sections that follow. Applying Access Control to Router Interfaces Using ACLs Alone to Configure Access Control Replace with an alphanumeric descriptor that... you use the following are moved to the extended ACL configuration mode context, as shown below: ProCurve(config-ext-nacl)# Permit or Deny Traffic. To create permit and deny entries for each entry....Specify a Protocol. Valid protocols include: ■ AH (ahp) ■ ESP (esp) ■ GRE (gre) ■ ICMP (icmp) ■ IP (ip) ■ TCP (tcp) ■ UDP (udp) You can now begin to you. Valid ...
Page 245
For example, if you want to block IP addresses from a specific host, such as host 192.168.1.1, to any destination, you enter: ProCurve(config-ext-nacl)# deny icmp host 192.168.1.1 any | host | hostname | ] Table 5-4 lists the options you have for specifying both the source address and the... Table 5-4. Then replace with the IP address that represents the range of IP address that the router will check the appropriate part of the IP address. Applying Access Control to Router Interfaces Using ACLs Alone to Configure Access Control To specify a source or destination address, you use...
Page 265
...-ext-nacl)# permit tcp any any To exclude traffic from a specific host, such as host 192.168.1.1, to any destination, enter: ProCurve(config-ext-nacl)# deny icmp host 192.168.1.1 any number between 0 and 255. When you configure extended ACLs, you will configure later. Defining the Source and Destination ... All of the command options are explained in the ACP, create a deny entry. Table 5-8 shows the options you have the Secure Router OS take the action specified in the ACP entry that you will later specify in the sections that you must configure both a source and...
Page 266
If you are configuring ACL entries to select TCP or UDP traffic, you specify 5-34 The Secure Router OS firewall will match the type of traffic only on another port, the firewall will not match that port. help command to your ACL. There ... and UDP. In practice, you would use the any keyword only if you wanted to a specific destination, enter: ProCurve(config-ext-nacl)# deny icmp host Specifying a Source or Destination Port for specifying ports, enter: ProCurve(config-ext-nacl)# [permit | deny] [tcp | udp] any host, a specific host, a specific IP address, or a range of IP...
Page 286
....3.10 80 Policy class "Outside": tcp (20) 192.168.100.99 1908 172.16.3.10 80 d 10.10.3.10 80 Policy class "self": icmp (50) 0.0.0.0 10 192.168.100.1 10 Figure 5-18. It also lists all ACPs assigned to interfaces and the entries in each entry in the...■ the maximum number of sessions allowed ■ the number of hits for traffic associated with the name of current sessions. ProCurve# show ip policy-stats The Secure Router OS displays the total number of the specific ACL. Viewing Access Policy Statistics You can also display a summary of sessions. Displaying...
Page 289
... address, from the display. (See Figure 5-20.) 5-57 Note Applying Access Control to Router Interfaces Troubleshooting You can enter the show ip policy-sessions command and determine that IP policy session. ■ Specify the protocol: ahp, esp, gre, icmp, tcp, udp, or a protocol number. ■ Replace with the source IP address. ■...
Page 290
...problem. From the enable mode context, enter: Syntax: clear access-list [] If you want to clear all counters, enter: ProCurve# clear access-list If you want to Router Interfaces Troubleshooting Src IP Address Src Port Dest IP Address Dst Port NAT IP Address NAT Port Policy class "Inside": tcp (...80) 192.168.20.1 2001 172.16.1.1 80 d 10.10.3.10 80 Policy class "Outside": tcp (20) 192.168.100.99 1908 Policy class "self": icmp (50...
Page 294
udp To specify a source or destination address, use the host keyword. After configuring the entries for that interface. Applying Access Control to Router Interfaces Quick Start To permit or deny a specific host, use the following syntax: Syntax: any | host | hostname | For example... all TCP traffic from any source to any destination, enter: ProCurve(config-ext-nacl)# permit tcp any any To deny all ICMP traffic from a range of IP addresses to a specific destination, enter: ProCurve(config-ext-nacl)# deny icmp host Note The entries are configuring an extended ACL, enter: ...
Page 297
... a specific type of traffic, it will be excluded from a specific host, such as host 192.168.115.90, to any destination, enter: ProCurve(config-ext-nacl)# deny icmp host 192.168.115.90 any " entry at the end of the following syntax: Syntax: any | host | hostname | For example, if...After configuring the entries for the ACL, exit the ACL. IP - Syntax: exit 5-65 ESP - TCP - Note Applying Access Control to Router Interfaces Quick Start To exclude a specific host from the action that you want to exclude all ICMP traffic from the action specified in the related entry in the ACP. 3.
Page 309
This entry selects all hosts with addresses between 0 and 255. When you configure one-to-one of the following: ■ icmp ■ ip ■ tcp ■ udp ■ ahp ■ esp ■ gre You can then use the following syntax: Syntax: [any address bits in ... address that select the traffic for NAT: Syntax: [permit | deny] Replace with the wildcard bits 0.0.0.31, the Secure Router OS firewall will NAT to create the permit and deny entries that the ProCurve Secure Router will not match the last five address bits in the fourth octet. The firewall will not match any | host...
Page 318
... Access Policy Statistics You can also display a summary of ACP statistics by entering the following command from the enable mode context: ProCurve# show ip policy-stats The Secure Router OS displays the total number of current sessions. (See Figure 6-8.) It also lists all ACPs assigned to view information about the...10.3.10 80 Policy class "Outside": tcp (20) 192.168.100.99 1908 172.16.3.10 80 d 10.10.3.10 80 Policy class "self": icmp (50) 0.0.0.0 10 192.168.100.1 10 Figure 6-7. Displaying IP Policy Sessions If you want to interfaces and the entries of the specific ACL. ...