Comware

  • 1.  MSR 1003-8 PAT routing and firewall

    Posted Jul 13, 2020 08:47 AM

    Model: JG732A Firmware: MSR1000_5.20.R2516P13.zip OS: Comware 5

    The problem persists and I need help to resolve this urgently.

    If I open a port on a computer on the LAN side of the MSR 1003-8 I can see the port over the internet using nmap.

    If I put a tcp deny any and a udp deny any as the highest ACL rules on the WAN interface this stops services like onedrive from running on PCs that reside on the LAN interface. So I remove the udp and tcp deny any and my ports appear to nmap on the Internet.

    Key aspects of the config are below

    #
    firewall enable
    #
    port-security enable
    #
    acl number 3100
    description ExternaltoResearchnet
    rule 2 permit udp destination 100.100.20.0 0.0.0.255 destination-port eq 3389
    rule 3 permit tcp destination 100.100.20.0 0.0.0.255 destination-port eq 3389
    rule 10 deny tcp destination-port eq domain
    rule 11 deny udp destination-port eq dns
    rule 20 permit tcp source 100.100.18.50 0 destination-port eq 22
    rule 21 permit tcp source 100.100.19.109 0 destination-port eq 22
    rule 30 deny tcp destination 100.100.20.0 0.0.0.255 destination-port eq 1723
    rule 31 deny udp destination 100.100.20.0 0.0.0.255 destination-port eq 1723
    acl number 3200
    rule 0 permit tcp source 100.100.20.0 0.0.0.255
    rule 1 permit udp source 100.100.20.0 0.0.0.255
    rule 2 deny ip source 100.100.20.210 0
    #
    vlan 1
    #
    vlan 20
    #
    interface Vlan-interface20
    ip address 100.100.20.254 255.255.255.0
    dhcp server apply ip-pool vlan20
    firewall packet-filter 3200 inbound
    #
    interface GigabitEthernet0/0
    port link-mode route
    description external
    firewall packet-filter 3100 inbound
    ip address 100.100.21.10 255.255.255.240
    dns server 10.10.10.1
    dns server 10.10.11.1
    #
    interface GigabitEthernet0/1
    port link-mode route
    #
    interface GigabitEthernet0/2
    port link-mode bridge
    port access vlan 20
    #
    interface GigabitEthernet0/3
    port link-mode bridge
    port access vlan 20
    #
    interface GigabitEthernet0/4
    port link-mode bridge
    #
    interface GigabitEthernet0/5
    port link-mode bridge
    #
    interface GigabitEthernet0/6
    port link-mode bridge
    #
    interface GigabitEthernet0/7
    port link-mode bridge
    #
    interface GigabitEthernet0/8
    port link-mode bridge
    #
    interface GigabitEthernet0/9
    port link-mode bridge
    #
    ip route-static 0.0.0.0 0.0.0.0 100.100.21.13



  • 2.  RE: MSR 1003-8 PAT routing and firewall

    Posted Jul 16, 2020 12:59 AM

    Hello @Mark_Gregory 

    I am afraid I cannot be of much help, so I would suggest you contact HPE support and log a support case.



  • 3.  RE: MSR 1003-8 PAT routing and firewall

    Posted Jul 22, 2020 11:02 PM

    I've determined that it would be best to find an example of how to use COMWARE 5 to do routing and firewall between two public IP ranges in both directions. Any examples welcome.

    The MSR appears to be blocking the internal public IP range from transiting out the WAN interface when the firewall rules include a deny IP any as the last statement on the WAN interface.



  • 4.  RE: MSR 1003-8 PAT routing and firewall

    Posted Jul 24, 2020 11:16 PM

    Anyone? Are there any examples of how to use the MSR firewall without NAT between two public subnets? Examples of the net-to-net static NAT would be welcome.