Command Reference Guide
SROS Command Line Interface Reference Guide Global Configuration Mode Command Set
5991-2114 © Copyright 2005 Hewlett-Packard Development Company, L.P. 255
2. Using the host <A.B.C.D> form to specify a single host address. For example, entering permit 196.173.22.253 will allow all traffic from the host with an IP address of 196.173.22.253.
3. Using the <A.B.C.D> <wildcard> form to match all IP addresses in a "range". Wildcard masks use the reverse logic of subnet masks: a one bit in the wildcard mask means "don't care". For example, entering deny 192.168.0.0 0.0.0.255 will deny all traffic from the 192.168.0.0/24 network.
Step 3:
Create an access control policy (using the ip policy-class command) that uses a configured access list.
Secure Router OS access policies are used to allow, discard, or manipulate (using NAT) data for each physical interface. Each ACP consists of a selector (access list) and an action (allow, discard, NAT). When packets are received on an interface, the configured ACPs are applied to determine whether the data will be processed or discarded. Possible actions performed by the access policy are as follows:
allow list <access list names>
All packets passed by the access list(s) entered will be allowed to enter the router system.
discard list <access list names>
All packets passed by the access list(s) entered will be dropped from the router system.
allow list <access list names> policy <access policy name>
All packets passed by the access list(s) entered and destined for the interface using the access policy listed will be permitted to enter the router system. This allows for configurations that permit packets to a single interface and not the entire system.
discard list <access list names> policy <access policy name>
All packets passed by the access list(s) entered and destined for the interface using the access policy listed will be blocked from the router system. This allows for configurations that deny packets on a specified interface.
nat source list <access list names> address <IP address> overload
All packets passed by the access list(s) entered will be modified to replace the source IP address with the entered IP address. The overload keyword allows multiple source IP addresses to be replaced with the single IP address entered. This hides private IP addresses from outside the local network.
nat source list <access list names> interface <interface> overload
All packets passed by the access list(s) entered will be modified to replace the source IP address with the primary IP address of the listed interface. The overload keyword allows multiple source IP addresses to be replaced with the single IP address of the specified interface. This hides private IP addresses from outside the local network.
nat destination list <access list names> address <IP address>
All packets passed by the access list(s) entered will be modified to replace the destination IP address with the entered IP address. The overload keyword is not an option when performing NAT on the destination IP address; each private address must have a unique public address. This hides private IP addresses from outside the local network.
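The following is an added illustration, not code from the guide or from Secure Router OS: a small Python model of how the wildcard-mask selector (steps 2 and 3 above) and the allow, discard and nat source actions of an access policy combine when a packet arrives on an interface. It assumes first-match semantics with an implicit deny at the end of an access list, that a NAT entry implies allow, and that a packet matching no policy entry is discarded; the page does not state these defaults, and the access list names, policies and addresses are constructed for the example.

```python
import ipaddress
from typing import Optional

def wildcard_match(addr: str, base: str, wildcard: str = "0.0.0.0") -> bool:
    """True if addr matches base under a wildcard mask. A 1 bit in the wildcard
    means "don't care" (the reverse of a subnet mask); the default 0.0.0.0
    wildcard is the single-host form."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)

class AccessList:
    """The selector: ordered permit/deny entries on the source address.
    Assumed semantics: first matching entry wins, implicit deny if none match."""
    def __init__(self, entries):
        self.entries = entries  # [(action, base, wildcard), ...]

    def passes(self, src: str) -> bool:
        for action, base, wildcard in self.entries:
            if wildcard_match(src, base, wildcard):
                return action == "permit"
        return False

def apply_policy(policy, acls, packet: dict) -> Optional[dict]:
    """Apply an access policy's entries in order to one inbound packet.
    policy: [(action, [acl names], nat address or None), ...]. Returns the
    packet (rewritten for NAT) when allowed, None when discarded (assumed)."""
    for action, names, nat_addr in policy:
        if not any(acls[n].passes(packet["src"]) for n in names):
            continue  # not passed by any listed access list; try next entry
        if action == "discard":
            return None
        if action == "nat-source":  # overload: many private sources -> one address
            return {**packet, "src": nat_addr, "orig_src": packet["src"]}
        return dict(packet)  # allow
    return None

# Constructed sample configuration built from the page's two examples.
ACLS = {
    "MGMT-HOST": AccessList([("permit", "196.173.22.253", "0.0.0.0")]),
    "PRIVATE-LAN": AccessList([("permit", "192.168.0.0", "0.0.0.255")]),
}
# Policy for the public interface: admit the management host, drop packets
# claiming a private LAN source (they should never arrive from outside).
PUBLIC_POLICY = [("allow", ["MGMT-HOST"], None),
                 ("discard", ["PRIVATE-LAN"], None)]
# Policy for the LAN interface: hide private sources behind one public address.
LAN_POLICY = [("nat-source", ["PRIVATE-LAN"], "203.0.113.10")]
```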