Westermo RedFox Series User Manual

Page 851


Westermo OS Management Guide

Version 4.17.0-0

36.1.6.2 Firewall and NAT

VPN clients and servers typically have their firewall enabled. To allow the intended traffic to flow through the tunnel, suitable filter allow rules should be added to your VPN units. An example for the VPN gateway (Alice) in figs. 36.1 and 36.2 is shown below:

Example

alice:/config/#> ip
alice:/config/ip/#> firewall
alice:/config/ip/firewall/#> filter allow in ssl0 out vlan1
alice:/config/ip/firewall/#> filter allow in vlan1 out ssl0
alice:/config/ip/firewall/#> leave
Configuration activated.

Remember "copy run start" to save to flash (NVRAM).

alice:/#>

The VPN gateway (Alice) is typically used as a NAT gateway towards the Internet (interface vlan2 in figs. 36.1 and 36.2). Below is an example of NAT configuration, where ping (ICMP) and DNS requests are blocked on the upstream interface (vlan2).

Example

alice:/config/ip/firewall/#> nat type napt out vlan2 addfilter
alice:/config/ip/firewall/#> filter deny in vlan2 proto udp dport 53
alice:/config/ip/firewall/#> filter deny in vlan2 proto tcp dport 53
alice:/config/ip/firewall/#> filter deny in vlan2 proto icmp
alice:/config/ip/firewall/#> filter allow proto icmp
alice:/config/ip/firewall/#> leave
Starting ZeroConf IPv4 link-local daemon ................... [ OK ]
Configuration activated.

Remember "copy run start" to save to flash (NVRAM).

alice:/#>
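The two examples above only become a useful policy if the rules are evaluated in the order the operator intends: the blanket "filter allow proto icmp" is entered after the "filter deny in vlan2 proto icmp", so inbound ping on vlan2 must be rejected before the general allow is reached. The following Python model is an added example, not Westermo code, and it assumes top-down, first-match evaluation with a default deny for unmatched traffic; the page does not state these semantics, so verify them against your WeOS version before relying on the model. The "nat type napt ... addfilter" line is not a filter rule and is not modelled. It parses the six filter lines from both examples, checks the intent of each (tunnel traffic between ssl0 and vlan1 allowed, DNS and ICMP from vlan2 denied), and flags any rule that an earlier, broader rule makes unreachable:

```python
"""Model of the WeOS filter rules in section 36.1.6.2 (added example).

Assumptions not stated on the page: rules are evaluated top-down,
first match wins, unmatched traffic is denied.  Field names (iface_in,
iface_out, proto, dport) and the Flow class are this example's own.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

FIELDS = ("iface_in", "iface_out", "proto", "dport")


@dataclass(frozen=True)
class Flow:
    iface_in: str
    iface_out: str
    proto: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    iface_in: Optional[str] = None   # None means wildcard, as an omitted
    iface_out: Optional[str] = None  # keyword does on the CLI
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, flow: Flow) -> bool:
        return all(getattr(self, f) is None or getattr(self, f) == getattr(flow, f)
                   for f in FIELDS)

    def covers(self, other: "Rule") -> bool:
        """True when every flow `other` could match is also matched by self."""
        return all(getattr(self, f) is None or getattr(self, f) == getattr(other, f)
                   for f in FIELDS)


def parse_rule(line: str) -> Rule:
    """Parse 'filter allow|deny [in IF] [out IF] [proto P] [dport N]'."""
    tokens = line.split()
    if len(tokens) < 2 or tokens[0] != "filter" or tokens[1] not in ("allow", "deny"):
        raise ValueError(f"not a filter rule: {line!r}")
    keymap = {"in": "iface_in", "out": "iface_out", "proto": "proto", "dport": "dport"}
    kw = {}
    i = 2
    while i + 1 < len(tokens):
        key, val = tokens[i], tokens[i + 1]
        if key not in keymap:
            raise ValueError(f"unknown keyword {key!r} in {line!r}")
        kw[keymap[key]] = int(val) if key == "dport" else val
        i += 2
    if i != len(tokens):
        raise ValueError(f"dangling token in {line!r}")
    return Rule(tokens[1], **kw)


def evaluate(rules: List[Rule], flow: Flow, default: str = "deny") -> str:
    """First matching rule decides; `default` applies when none matches (assumed)."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action
    return default


def shadowed(rules: List[Rule]) -> List[int]:
    """Indices of rules that can never fire because an earlier rule covers them."""
    return [j for j in range(len(rules)) if any(rules[i].covers(rules[j]) for i in range(j))]


# The six filter lines as entered on Alice in the two page examples, in order.
ALICE_RULES = [parse_rule(line) for line in (
    "filter allow in ssl0 out vlan1",
    "filter allow in vlan1 out ssl0",
    "filter deny in vlan2 proto udp dport 53",
    "filter deny in vlan2 proto tcp dport 53",
    "filter deny in vlan2 proto icmp",
    "filter allow proto icmp",
)]

# Same rules with the blanket ICMP allow moved first (constructed misconfiguration).
MISORDERED = [ALICE_RULES[5]] + ALICE_RULES[:5]

# Constructed flows expressing the stated intent of the section.
INTENT = {
    "tunnel-to-lan":       (Flow("ssl0", "vlan1", "tcp", 502), "allow"),
    "lan-to-tunnel":       (Flow("vlan1", "ssl0", "udp", 53), "allow"),
    "dns-from-upstream":   (Flow("vlan2", "vlan1", "udp", 53), "deny"),
    "ping-from-upstream":  (Flow("vlan2", "vlan1", "icmp"), "deny"),
    "ping-from-lan":       (Flow("vlan1", "vlan2", "icmp"), "allow"),
    "other-from-upstream": (Flow("vlan2", "vlan1", "tcp", 22), "deny"),
}


def audit(rules: List[Rule]) -> Dict[str, bool]:
    """Map each intent name to whether the rule set, as ordered, realises it."""
    return {name: evaluate(rules, flow) == want for name, (flow, want) in INTENT.items()}


if __name__ == "__main__":
    for label, rules in (("as on page", ALICE_RULES), ("misordered", MISORDERED)):
        print(label, audit(rules), "shadowed:", shadowed(rules))
```

Run stand-alone, the page ordering passes every intent check with no shadowed rule, while the misordered variant reports the vlan2 ICMP deny as unreachable and "ping-from-upstream" as failed. The same audit can be applied to the running configuration after "show running-config" to catch a later allow rule that was appended in front of an existing deny.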

© 2015 Westermo Teleindustri AB

