Manualshelf

Command Reference Guide

ManualsBrandsHP ManualsRoutersHP 7000 dl Router Series
291292293294295296297298299300
SROS Command Line Interface Reference Guide Global Configuration Mode Command Set
5991-2114 © Copyright 2005 Hewlett-Packard Development Company, L.P. 294
Functional Notes
Secure Router OS access control policies are used to allow, discard, or manipulate (using NAT) data for
each physical interface. Each ACP consists of a selector (access list) and an action (allow, discard, NAT).
When packets are received on an interface, the configured ACPs are applied to determine whether the
data will be processed or discarded.
The following commands are contained in the policy-class:
allow list <access list names>
All packets passed by the access list(s) entered will be allowed to enter the router system.
discard list <access list names>
All packets passed by the access list(s) entered will be dropped from the router system.
allow list <access list names> policy <access policy name>
All packets passed by the access list(s) entered and destined for the interface using the access policy
listed will be permitted to enter the router system. This allows for configurations to permit packets to a
single interface and not the entire system.
discard list <access list names> policy <access policy name>
All packets passed by the access list(s) entered and destined for the interface using the access policy
listed will be blocked from the router system. This allows for configurations to deny packets on a
specified interface.
nat source list <access list names> address <IP address> overload
All packets passed by the access list(s) entered will be modified to replace the source IP address with
the entered IP address. The overload keyword allows multiple source IP addresses to be replaced
with the single IP address entered. This hides private IP addresses from outside the local network.
nat source list <access list names> interface <interface> overload
All packets passed by the access list(s) entered will be modified to replace the source IP address with
the primary IP address of the listed interface. The overload keyword allows multiple source IP
addresses to be replaced with the single IP address of the specified interface. This hides private IP
addresses from outside the local network.
nat destination list <access list names> address <IP address>
All packets passed by the access list(s) entered will be modified to replace the destination IP address
with the entered IP address. The overload keyword is not an option when performing NAT on the
destination IP address; each private address must have a unique public address. This hides private IP
addresses from outside the local network.
Usage Examples
See the Technology Review (which follows) for command syntax examples.