Filter
Top Products
Firewall Feature Set Commands
16-122 Configuring Security
Also,allfirewallobjectnamesincludingpre‐definedobjectssuchasANY_EXTERNALanduser‐
definedobjectnamesarecase‐sensitive.
Syntax
ip firewall network name {A.B.C.D mask A.B.C.D | A.B.C.D A.B.C.D}{internal |
external}
Syntax of the “no” Form
Thenoformofthiscommanddisablesthefirewallnetworkobject:
no ip firewall network name
Syntax
Globalconfiguration:XSR(config)#
Example
ThisexampledefinesinternalandexternalIPaddressesforthenetworkobjectssalesandremote‐
access.Notehowtheinternalandexternaltagshavemeaninginthewaythenetworkobjectsare
usedinapolicy.
XSR(config)#ip firewall network sales 192.168.100.0 mask 255.255.255.0 internal
XSR(config)#ip firewall network remote-access 10.1.1.0 mask 255.255.255.0 external
ip firewall network-group
Thiscommandcomprisesasetofnetworkobjects,servingthesamefunctionasanetworkobject.
IntrinsicvaluesANY_INTERNAL(allinternalnetworkobjectsdefined)andANY_EXTERNAL
(allexternalnetworkobjectsdefined)areaconvenientoptiontodefineasetofnetworkobjects.
Membershipinthesesetsisunlimited.
Anameforany
firewallobjectmustusethesealpha‐numericcharactersonly:A‐Z(upperorlower
case),
0‐9,-(dash),or _(underscore).Also,allfirewallobjectnamesincludingpre‐defined
Notes: A DMZ is considered an internal network.
Use care when you have a configuration with internal and external addresses that overlap and exist
off the same physical interface. In this case, the XSR may not be able to identify an address in the
overlap range as being internal or external. If this is so, packets may not match policies as expected.
Once you specify a network name you cannot switch internal/external settings. To switch settings
you must delete the network and add it again.
name
Nameofthenetworkobject,nottoexceed16characters.
Matchthiswith
policysource/destinationnameexactly.
A.B.C.D A.B.C.D
Startandendaddresses.
A.B.C.D mask A.B.C.D
Baseaddressandmaskindotteddecimalformat.
internal or external
Addressqualifier.