Firewall CLI Commands - Enterasys Security Router X-Pedition(TM) User Manual

Enterasys security router user's guide
Firewall CLI Commands

The XSR provides configuration objects which, used in policy rules, can be specified at the CLI.
These and other firewall commands are as follows:

Network - Identifies a network or host. A network with a subnet address, or a host with an
address and a 32-bit mask, is specified with ip firewall network. The command also records
whether the network or host resides on the trusted/internal or un-trusted/external side.
You can configure a network object covering anything from a single address up to every
address on the Internet, as follows:
XSR(config)#ip firewall network Any_address 1.0.0.1 255.255.255.254 external
or
XSR(config)#ip firewall network Internet 0.0.0.0 mask 0.0.0.0 external

Caution: Use care not to overlap internal and external address ranges. Internal ranges take
precedence over external ranges: if an address exists in both, it is treated as internal for
policy matching. In certain situations this causes unexpected results, specifically when the
other address in a policy is also internal and you expect the rule to match that internal
address against a wildcard such as ANY_EXTERNAL as the second address. That rule will not be
matched if the address you expect to be part of ANY_EXTERNAL is also defined in an internal
address range.

Network group - Defines a group of network objects with ip firewall network-group. You can
group up to ten objects, for simpler configuration, referenced by a single name. The intrinsic,
pre-defined ANY_EXTERNAL and ANY_INTERNAL groups are maintained automatically by the
firewall as long as you have defined at least one other internal or external group.

Service - Specifies an application's protocol and source/destination ports with ip firewall
service. Packets with the source port in the specified range will match this service, as will
packets with the destination port in that range. TCP and UDP protocols are supported. The
intrinsic services covering all ports are ANY_TCP for TCP port ranges and ANY_UDP for UDP
port ranges.

Service group - Aggregates a number of service objects with ip firewall service-group.
Typically, the service-group name is that of the specified application. You can group up to
10 objects.

Policy - Defines which applications can traverse the firewall, and in which direction, with
ip firewall policy. Packets which match the addresses and service are processed by one of these
actions: allow, allow-auth, reject, log, cls, etc. Configuration must observe these rules:

Any address combination - You can define network addresses as follows: external to
internal, internal to external, and internal to internal. External to external is not supported.

Rule order - Earlier entered rules take precedence.

Deny All for Unicast packets - The XSR firewall observes a DENY ALL default policy. So,
unless explicitly allowed, all packets are dropped in both directions.
You should set a rule at the end of your configuration to handle default behavior in a
specific direction. For example, in order to allow all packets from internal to external
except for Telnet and FTP packets, rules for those applications must be defined first.
Then you must define a rule allowing access from the ANY_INTERNAL source to the
ANY_EXTERNAL destination for any service. These values are case-sensitive.

XSR User's Guide 16-19
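The matching rules above (first-match rule order, the DENY ALL default, the intrinsic ANY_* objects, and internal ranges taking precedence over external ones) are easier to reason about when they are executed rather than read. The following is an added example, not XSR code and not part of the original manual: a small Python model of the object types on this page, driven through the Telnet/FTP scenario from the text and through the overlap pitfall from the Caution. The class, method and network names (XsrFirewallModel, LAN, Partner, BLOCKED) and the sample addresses are constructed for illustration; the only names taken from the page are the intrinsic ANY_INTERNAL, ANY_EXTERNAL and ANY_TCP objects and the allow/reject actions.

```python
"""Model of the XSR firewall object and policy semantics described on this page.

Added illustration, not XSR code. Network, network-group, service,
service-group and policy objects are plain Python data; decide() applies the
page's rules: first-match rule order, DENY ALL default, intrinsic ANY_*
objects, and internal-over-external precedence for overlapping ranges.
"""
import ipaddress

MAX_GROUP = 10  # the page: a network-group or service-group holds up to ten objects


class XsrFirewallModel:
    def __init__(self):
        self.networks = {}       # name -> (IPv4Network, "internal" | "external")
        self.groups = {}         # name -> [network names]; names are case-sensitive
        # Intrinsic services covering every TCP port and every UDP port.
        self.services = {"ANY_TCP": ("tcp", 0, 65535), "ANY_UDP": ("udp", 0, 65535)}
        self.service_groups = {}  # name -> [service names]
        self.policies = []        # ordered: earlier entered rules take precedence

    # Mirrors: ip firewall network <name> <addr> mask <mask> {internal|external}
    def network(self, name, addr, mask, side):
        if side not in ("internal", "external"):
            raise ValueError("side must be internal or external")
        self.networks[name] = (ipaddress.IPv4Network((addr, mask), strict=False), side)

    def network_group(self, name, members):
        if len(members) > MAX_GROUP:
            raise ValueError("a network-group holds at most ten objects")
        self.groups[name] = list(members)

    # A service is a protocol plus a port range; source OR destination port may match.
    def service(self, name, proto, low, high):
        self.services[name] = (proto, low, high)

    def service_group(self, name, members):
        if len(members) > MAX_GROUP:
            raise ValueError("a service-group holds at most ten objects")
        self.service_groups[name] = list(members)

    def _side_of_object(self, obj):
        if obj == "ANY_INTERNAL":
            return "internal"
        if obj == "ANY_EXTERNAL":
            return "external"
        first = self.groups.get(obj, [obj])[0]
        return self.networks[first][1]

    # Mirrors: ip firewall policy <src> <dst> <service> <action> (argument order assumed)
    def policy(self, src, dst, svc, action):
        if self._side_of_object(src) == "external" and self._side_of_object(dst) == "external":
            raise ValueError("external to external is not supported")
        self.policies.append((src, dst, svc, action))

    # Classify an address: internal ranges take precedence over external ranges.
    def side_of(self, ip):
        ip = ipaddress.IPv4Address(ip)
        sides = {side for net, side in self.networks.values() if ip in net}
        if "internal" in sides:
            return "internal"
        if "external" in sides:
            return "external"
        return None

    def _addr_matches(self, obj, ip):
        ip = ipaddress.IPv4Address(ip)
        if obj in ("ANY_INTERNAL", "ANY_EXTERNAL"):
            return self.side_of(ip) == obj[4:].lower()
        for name in self.groups.get(obj, [obj]):
            net, side = self.networks[name]
            # An address that also falls in an internal range is internal, so it
            # cannot satisfy an external object even when inside that object's range.
            if ip in net and self.side_of(ip) == side:
                return True
        return False

    def _svc_matches(self, obj, proto, sport, dport):
        for name in self.service_groups.get(obj, [obj]):
            p, low, high = self.services[name]
            if p == proto and (low <= sport <= high or low <= dport <= high):
                return True
        return False

    # First matching policy wins; nothing explicitly allowed is dropped (DENY ALL).
    def decide(self, src, dst, proto, sport, dport):
        for s, d, svc, action in self.policies:
            if (self._addr_matches(s, src) and self._addr_matches(d, dst)
                    and self._svc_matches(svc, proto, sport, dport)):
                return action
        return "deny"


def build_example():
    """The page's scenario: allow internal->external except Telnet and FTP."""
    fw = XsrFirewallModel()
    fw.network("LAN", "10.1.0.0", "255.255.0.0", "internal")       # constructed sample
    fw.network("Internet", "0.0.0.0", "0.0.0.0", "external")        # as on the page
    fw.service("TELNET", "tcp", 23, 23)
    fw.service("FTP", "tcp", 20, 21)
    fw.service_group("BLOCKED", ["TELNET", "FTP"])
    fw.policy("ANY_INTERNAL", "ANY_EXTERNAL", "BLOCKED", "reject")  # exceptions first
    fw.policy("ANY_INTERNAL", "ANY_EXTERNAL", "ANY_TCP", "allow")   # catch-all last
    return fw


def overlap_pitfall():
    """The Caution: a range declared external inside an internal range is still internal."""
    fw = build_example()
    fw.network("Partner", "10.1.5.0", "255.255.255.0", "external")  # overlaps LAN
    fw.policy("LAN", "Partner", "ANY_TCP", "allow")                  # never matches
    return fw.decide("10.1.2.3", "10.1.5.9", "tcp", 40000, 443)      # falls to deny
```

The model keeps the ANY_* objects, the rule-ordering and the deny-by-default behaviour exactly as the page states them; the CLI argument order for the policy command is an assumption made for readability and should be checked against the command reference before typing anything into a router.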
