How to configure an interface to allow only access from certain IP addresses


To configure an interface to allow access from certain IP addresses, configure an ACL to match the IP addresses, reference the ACL in a traffic policy, and apply the traffic policy to the interface. For example, to allow only the user with IP address 1.1.1.2 to access GE0/0/1, run the following commands:

[HUAWEI] acl number 3030
[HUAWEI-acl-adv-3030] rule permit ip source 1.1.1.2 0
[HUAWEI-acl-adv-3030] quit
[HUAWEI] acl number 3031
[HUAWEI-acl-adv-3031] rule permit ip
[HUAWEI-acl-adv-3031] quit
[HUAWEI] traffic classifier test1
[HUAWEI-classifier-test1] if-match acl 3030
[HUAWEI-classifier-test1] quit
[HUAWEI] traffic classifier test2
[HUAWEI-classifier-test2] if-match acl 3031
[HUAWEI-classifier-test2] quit
[HUAWEI] traffic behavior test1
[HUAWEI-behavior-test1] permit
[HUAWEI-behavior-test1] quit
[HUAWEI] traffic behavior test2
[HUAWEI-behavior-test2] deny
[HUAWEI-behavior-test2] quit
[HUAWEI] traffic policy test
[HUAWEI-trafficpolicy-test] classifier test1 behavior test1
[HUAWEI-trafficpolicy-test] classifier test2 behavior test2
[HUAWEI-trafficpolicy-test] quit
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] traffic-policy test inbound

Other related questions:
Allow specified IP addresses to access the Internet through an interface on an S series switch
You can configure an ACL-based traffic policy and apply the traffic policy to an interface on an S series switch to allow specified IP addresses to access the Internet through the interface. For example, configure GE0/0/1 to allow only the user with the IP address 1.1.1.2 and prevent all other users from accessing the Internet:
[HUAWEI] acl number 3030
[HUAWEI-acl-adv-3030] rule permit ip source 1.1.1.2 0
[HUAWEI-acl-adv-3030] quit
[HUAWEI] acl number 3031
[HUAWEI-acl-adv-3031] rule permit ip
[HUAWEI-acl-adv-3031] quit
[HUAWEI] traffic classifier test1
[HUAWEI-classifier-test1] if-match acl 3030
[HUAWEI-classifier-test1] quit
[HUAWEI] traffic classifier test2
[HUAWEI-classifier-test2] if-match acl 3031
[HUAWEI-classifier-test2] quit
[HUAWEI] traffic behavior test1
[HUAWEI-behavior-test1] permit
[HUAWEI-behavior-test1] quit
[HUAWEI] traffic behavior test2
[HUAWEI-behavior-test2] deny
[HUAWEI-behavior-test2] quit
[HUAWEI] traffic policy test
[HUAWEI-trafficpolicy-test] classifier test1 behavior test1
[HUAWEI-trafficpolicy-test] classifier test2 behavior test2
[HUAWEI-trafficpolicy-test] quit
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] traffic-policy test inbound

How to configure an AR to allow only one public IP address to access intranet servers
To configure an AR to allow only one public IP address to access intranet servers, configure an ACL when you configure a NAT server.
For example, you can perform the following configurations to allow only public address 1.1.1.1 to access the intranet server (public address 2.1.1.1 and private address 10.1.1.22):
Configure an ACL to permit the source IP address 1.1.1.1:
acl number 2005
 rule 5 permit source 1.1.1.1 0
Configure a NAT server and bind the ACL to it:
interface GigabitEthernet0/0/3
 nat server protocol tcp global 2.1.1.1 ftp inside 10.1.1.22 ftp acl 2005

Configuring a policy to allow port access through the web UI of the USG6000
On the web UI of the USG6000 series, choose Policy > Security Policy, select the policy to be modified, click Add, and configure the security policy to prohibit a specified source port from accessing the server.

Whether the USG2000 and USG5000 can restrict that only certain IP addresses on the intranet can access the Internet
On the web UI, choose Policy > Security Policy > Policy Matching Analysis to check the policy matching information.

Configuring the USG to allow only certain users to log in through Telnet
To configure the USG2000, USG5000, or USG6000 to allow only certain users to log in through Telnet in VTY mode, create an ACL that permits only packets from the specified source address and apply this ACL to the VTY user interface. The configuration example is as follows:
[USG-1] acl 3999
[USG-1-acl-adv-3999] rule permit ip source 1.1.1.1 0
[USG-1-acl-adv-3999] rule deny ip source any
[USG-1-acl-adv-3999] quit
[USG-1] user-interface vty 0 4
[USG-1-ui-vty0-4] authentication-mode aaa
[USG-1-ui-vty0-4] protocol inbound telnet
[USG-1-ui-vty0-4] acl 3999 inbound
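As an added illustration (not Huawei code and not part of the original page), the following Python script models the two semantics that every example above relies on: an ACL is evaluated first-match using wildcard masks (a wildcard of 0 means the address must match exactly), and the classifiers bound to a traffic policy are tried in the order they were bound. It transcribes ACLs 3030 and 3031 and the policy from the interface example, ACL 2005 from the AR NAT server example, and ACL 3999 from the Telnet example, and shows that binding the catch-all deny classifier before the permit classifier would lock out the intended host as well. Two simplifications are modelling assumptions rather than vendor-documented behaviour: a classifier using `if-match acl` is treated as matching when the ACL permits the packet, and traffic that matches no classifier is treated as permitted.

```python
"""Constructed model of Huawei-style ACL matching and traffic-policy ordering.

Added illustration, not Huawei code. It reproduces the two semantics the
examples on this page depend on: ACL rules are evaluated first-match with
wildcard masks, and classifiers in a traffic policy are tried in bind order.
"""
import ipaddress

MASK32 = 0xFFFFFFFF


def ip2int(text):
    """Convert dotted-quad text to an int. A bare integer such as the
    wildcard '0' written in 'source 1.1.1.2 0' is accepted as-is."""
    return int(text) if text.isdigit() else int(ipaddress.IPv4Address(text))


def source_matches(source, src_ip):
    """Huawei wildcard masks: a 0 bit must match, a 1 bit is ignored.
    source is None for 'any', otherwise an (address, wildcard) pair."""
    if source is None:
        return True
    addr, wildcard = source
    care = ~ip2int(wildcard) & MASK32          # bits that must be equal
    return (ip2int(src_ip) & care) == (ip2int(addr) & care)


def parse_rule(line):
    """Parse one 'rule ...' line into (action, source).
    Handles the forms used on this page:
      rule permit ip source 1.1.1.2 0
      rule permit ip
      rule deny ip source any
      rule 5 permit source 1.1.1.1 0     (basic ACL, no protocol keyword)
    """
    toks = line.split()
    if toks[0] != "rule":
        raise ValueError(f"not an ACL rule: {line!r}")
    i = 1
    if toks[i].isdigit():                      # optional rule number
        i += 1
    action = toks[i]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action in {line!r}")
    source = None
    if "source" in toks:
        j = toks.index("source")
        if toks[j + 1] != "any":
            source = (toks[j + 1], toks[j + 2])
    return action, source


def acl_action(rules, src_ip):
    """First matching rule decides; None means no rule matched."""
    for line in rules:
        action, source = parse_rule(line)
        if source_matches(source, src_ip):
            return action
    return None


def policy_action(policy, acls, src_ip):
    """policy is an ordered list of (classifier, acl_number, behavior).
    Modelling assumption: a classifier matches when its ACL permits the
    packet, the first matching classifier's behavior applies, and traffic
    that matches no classifier is forwarded unchanged ('permit')."""
    for _classifier, acl_number, behavior in policy:
        if acl_action(acls[acl_number], src_ip) == "permit":
            return behavior
    return "permit"


# ACLs transcribed from the examples on this page.
ACLS = {
    3030: ["rule permit ip source 1.1.1.2 0"],            # the one allowed host
    3031: ["rule permit ip"],                             # everything else
    2005: ["rule 5 permit source 1.1.1.1 0"],             # AR NAT server ACL
    3999: ["rule permit ip source 1.1.1.1 0",             # USG VTY ACL
           "rule deny ip source any"],
}

# 'classifier test1 behavior test1' is bound before 'classifier test2 behavior test2'.
POLICY = [("test1", 3030, "permit"), ("test2", 3031, "deny")]


def demo():
    """Evaluate a few constructed source addresses against the page's config."""
    return {
        "1.1.1.2 via policy": policy_action(POLICY, ACLS, "1.1.1.2"),
        "1.1.1.3 via policy": policy_action(POLICY, ACLS, "1.1.1.3"),
        # Binding test2 first lets the catch-all deny win for everyone,
        # including the host that was supposed to be allowed.
        "1.1.1.2 reversed policy": policy_action(list(reversed(POLICY)), ACLS, "1.1.1.2"),
        "1.1.1.1 on VTY": acl_action(ACLS[3999], "1.1.1.1"),
        "9.9.9.9 on VTY": acl_action(ACLS[3999], "9.9.9.9"),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Running the script prints one verdict per line; the "reversed policy" entry is the one worth checking when a policy is extended later, since adding a broad classifier ahead of a narrow one silently changes what the narrow one can do.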
