06-13-2012 01:50 AM
Folks,
I have 5 static IPs in the user vlan (200), and these static IPs should have access to both the internet and a particular vlan, 201, which also has a static IP. I have configured a firewall filter as shown below and applied it inside on vlan 200. After this, I don't see the restriction on other vlan 200 users (the DHCP ones) accessing vlan 201.
Could you please advise on the below script?
set interfaces vlan unit 201 family inet filter input Only-Vlan201
set firewall family inet filter Only-Vlan201 term T1 from source-address 192.168.200.x/32
set firewall family inet filter Only-Vlan201 term T1 from destination-address 192.168.201.x/32
set firewall family inet filter Only-Vlan201 term T1 then accept
set firewall family inet filter Only-Vlan201 term T2 from source-address 192.168.200.x/32
set firewall family inet filter Only-Vlan201 term T2 from destination-address 192.168.201.x/32
set firewall family inet filter Only-Vlan201 term T2 then accept
set firewall family inet filter Only-Vlan201 term T3 from source-address 192.168.200.x/32
set firewall family inet filter Only-Vlan201 term T3 from destination-address 192.168.201.x/32
set firewall family inet filter Only-Vlan201 term T3 then accept
set firewall family inet filter Only-Vlan201 term T4 from source-address 192.168.200.x/32
set firewall family inet filter Only-Vlan201 term T4 from destination-address 192.168.201.x/32
set firewall family inet filter Only-Vlan201 term T4 then accept
set firewall family inet filter Only-Vlan201 term T5 from source-address 192.168.200.x/32
set firewall family inet filter Only-Vlan201 term T5 from destination-address 192.168.201.x/32
set firewall family inet filter Only-Vlan201 term T5 then accept
set firewall family inet filter Only-Vlan201 term T6 from source-address 192.168.200.x/32
set firewall family inet filter Only-Vlan201 term T6 from destination-address 192.168.201.x/32
set firewall family inet filter Only-Vlan201 term T6 then accept
set firewall family inet filter Only-Vlan201 term T7 from source-address 192.168.5.x/32
set firewall family inet filter Only-Vlan201 term T7 from destination-address 192.168.201.x/32
set firewall family inet filter Only-Vlan201 term T7 then accept
set firewall family inet filter Only-Vlan201 term T8 from source-address 192.168.5.x/32
set firewall family inet filter Only-Vlan201 term T8 from destination-address 192.168.201.x/32
set firewall family inet filter Only-Vlan201 term T8 then accept
set firewall family inet filter Only-Vlan201 term T9 from destination-address 192.168.201.x/32
set firewall family inet filter Only-Vlan201 term T9 then deny
set firewall family inet filter Only-Vlan201 term default then accept
Regards,
SID
06-13-2012 04:27 AM