My superior has asked me to lock down access by IP address on our HPE MSR 930 router:
• Lock down management from the Internet to FirstTech IPs only, e.g. 116.12.xxx.xxx/255.255.255.240
• Lock down the printer ports (NATed from external IPs to internal ones) to Australian IPs only,
e.g. these 3 subnets: 59.167.xx.xx/27 59.167.xx.xx/29 203.5.xx.xx/24
Existing Configuration
# Running configuration of the router as posted (Comware 5 syntax, see the version line).
# Review comments below start with "# " followed by text; bare "#" lines are the original separators.
#
version 5.20.106, Release 2516P10
#
#
clock timezone "Kuala Lumpur" add 08:00:00
#
# Enables the firewall (packet-filter) function globally. No "firewall default deny" line
# appears in this listing, so traffic not matched by a filter is presumably permitted - confirm.
firewall enable
#
domain default enable system
#
dar p2p signature-file flash:/p2p_default.mtd
#
port-security enable
#
# HTTP management is bound to ACL 2783 but the HTTP service itself is switched off.
# ACL 2783 (below) is "rule 0 permit" with no source, so it would restrict nothing if
# HTTP were ever re-enabled.
ip http acl 2783
undo ip http enable
#
# NOTE(review): keeps the boot-menu password recovery path available to console users;
# reasonable only if the device is physically secured - confirm this is intended.
password-recovery enable
#
# ACL 2000 permits only the LAN range 192.168.100.0/24. It is referenced twice:
# by "nat outbound 2000" (which LAN sources are translated) and by "ip https acl 2000"
# (who may reach HTTPS management). Because it is shared, adding the external management
# range here would also change NAT matching; a separate basic ACL for management avoids that.
acl number 2000
rule 1 permit source 192.168.100.0 0.0.0.255
acl number 2783 match-order auto
rule 0 permit
#
# ACL 3000 has no rules in this listing; it is applied outbound on Vlan-interface1 below,
# so as shown it filters nothing.
acl number 3000
#
vlan 1
#
domain system
access-limit disable
state active
idle-cut disable
self-service-url disable
#
dhcp server ip-pool 1
network 192.168.100.0 mask 255.255.255.0
gateway-list 192.168.100.1
dns-list 165.21.83.88 165.21.100.88
#
user-group system
group-attribute allow-guest
#
# Single local account at level 3 (the highest privilege level in Comware 5), allowed for
# ssh, telnet, terminal and web logins. The vty lines at the end accept ssh only, so the
# telnet service type is not needed by anything shown here.
# The "password cipher" string is stored secret material, not a one-way hash; since it was
# posted unredacted, treat the password as exposed and change it.
local-user netata
password cipher $c$3$CfYylcGcCTrPs9Eh+VXwpt3DQTBBX+OtrmXWs4RltQ==
authorization-attribute level 3
service-type ssh telnet terminal
service-type web
#
# CWMP (TR-069 remote management) is disabled.
cwmp
undo cwmp enable
#
interface Aux0
async mode flow
link-protocol ppp
#
interface Cellular0/0
async mode protocol
link-protocol ppp
#
interface NULL0
#
# LAN gateway interface. The only packet filter in the whole configuration is applied here
# (ACL 3000, outbound), and that ACL is empty.
interface Vlan-interface1
ip address 192.168.100.1 255.255.255.0
firewall packet-filter 3000 outbound
#
# WAN interface. The eight "nat server" lines publish www, lpd, 631 and 9100 of the two
# printers (192.168.100.229 and 192.168.100.232) on public addresses. No inbound
# packet-filter is applied on this interface, so as listed nothing limits which Internet
# sources can reach those ports, and these printing protocols commonly carry no authentication.
# Restricting them to the three subnets named in the request needs an advanced ACL that
# permits those sources to these ports and denies the rest, applied inbound here.
# NOTE(review): confirm on this release whether an inbound filter sees the global or the
# inside destination address, and write the ACL rules accordingly.
# The global addresses below are not masked, unlike the ranges quoted in the request.
interface GigabitEthernet0/0
port link-mode route
nat outbound static
nat outbound 2000
nat server protocol tcp global 116.12.203.55 www inside 192.168.100.229 www
nat server protocol tcp global 116.12.203.55 lpd inside 192.168.100.229 lpd
nat server protocol tcp global 116.12.203.55 631 inside 192.168.100.229 631
nat server protocol tcp global 116.12.203.55 9100 inside 192.168.100.229 9100
nat server protocol tcp global 116.12.203.66 www inside 192.168.100.232 www
nat server protocol tcp global 116.12.203.66 lpd inside 192.168.100.232 lpd
nat server protocol tcp global 116.12.203.66 631 inside 192.168.100.232 631
nat server protocol tcp global 116.12.203.66 9100 inside 192.168.100.232 9100
duplex full
speed 100
ip address 124.66.xxx.xxx 255.255.255.252
#
interface GigabitEthernet0/1
port link-mode bridge
#
interface GigabitEthernet0/2
port link-mode bridge
#
interface GigabitEthernet0/3
port link-mode bridge
#
interface GigabitEthernet0/4
port link-mode bridge
#
ip route-static 0.0.0.0 0.0.0.0 124.66.xxx.xxx
#
dhcp server forbidden-ip 192.168.100.1 192.168.100.9
dhcp server forbidden-ip 192.168.100.101 192.168.100.254
#
dhcp enable
#
# SSH server is on and user netata authenticates by password only.
ssh server enable
ssh user netata service-type stelnet authentication-type password
#
# HTTPS management is enabled and limited by ACL 2000, i.e. to 192.168.100.0/24 sources.
ip https acl 2000
ip https enable
#
load xml-configuration
#
load tr069-configuration
#
user-interface tty 12
user-interface aux 0
authentication-mode scheme
# vty 0-4: scheme authentication, ssh as the only inbound protocol. No ACL is bound to these
# lines, so no source restriction on SSH logins is visible in this listing. Binding a basic
# ACL that permits only the management range ("acl <basic-acl-number> inbound" in this view)
# is the usual way to meet the "management from FirstTech IPs only" requirement.
user-interface vty 0 4
authentication-mode scheme
protocol inbound ssh