Ip firewall network-group – Enterasys Networks X-Pedition XSR CLI User Manual
Firewall Feature Set Commands
16-122 Configuring Security
Also, all firewall object names including pre-defined objects such as ANY_EXTERNAL and user-defined object names are case-sensitive.
Syntax
ip firewall network name {A.B.C.D mask A.B.C.D | A.B.C.D A.B.C.D} {internal | external}
Syntax of the “no” Form
The no form of this command disables the firewall network object:
no ip firewall network name
Mode
Global configuration:
XSR(config)#
Example
This example defines internal and external IP addresses for the network objects sales and remote-access. Note how the internal and external tags have meaning in the way the network objects are used in a policy.
XSR(config)#ip firewall network sales 192.168.100.0 mask 255.255.255.0 internal
XSR(config)#ip firewall network remote-access 10.1.1.0 mask 255.255.255.0 external
ip firewall network-group
This command defines a group comprising a set of network objects; the group serves the same function as a network object.
Intrinsic values ANY_INTERNAL (all internal network objects defined) and ANY_EXTERNAL
(all external network objects defined) are a convenient option to define a set of network objects.
Membership in these sets is unlimited.
A name for any firewall object must use these alpha-numeric characters only: A-Z (upper or lower case), 0-9, - (dash), or _ (underscore). Also, all firewall object names including pre-defined
Notes: A DMZ is considered an internal network.
Use care when you have a configuration with internal and external addresses that overlap and exist
off the same physical interface. In this case, the XSR may not be able to identify an address in the
overlap range as being internal or external. If this is so, packets may not match policies as expected.
Once you specify a network name you cannot switch internal/external settings. To switch settings
you must delete the network and add it again.
name
Name of the network object, not to exceed 16 characters. Match this with policy source/destination name exactly.
A.B.C.D A.B.C.D
Start and end addresses.
A.B.C.D mask A.B.C.D
Base address and mask in dotted decimal format.
internal or external
Address qualifier.