Enterasys Security Router User's Guide

Configuration Examples
XSR User’s Guide 16-25
Figure 16-14 XSR with Firewall Topology
Begin by configuring network objects for private, dmz and Mgmt networks:
XSR(config)#ip firewall network dmz 220.150.2.16 mask 255.255.255.240 internal
XSR(config)#ip firewall network private 220.150.2.32 mask 255.255.255.240 internal
XSR(config)#ip firewall network Mgmt 220.150.2.35 mask 255.255.255.255 internal
Log only critical events:
XSR(config)#ip firewall logging event-threshold 2
Allow ICMP traffic to pass between private, dmz and EXTERNAL networks:
XSR(config)#ip firewall filter okICMP private ANY_EXTERNAL protocol-id 1
XSR(config)#ip firewall filter ICMP1 dmz ANY_EXTERNAL protocol-id 1
XSR(config)#ip firewall filter ICMP2 ANY_EXTERNAL dmz protocol-id 1
Set policies between the dmz, external and Mgmt networks. Note that policy objects and names are case-sensitive and you must cite network names exactly:
XSR(config)#ip firewall policy exttodmzhttp ANY_EXTERNAL dmz HTTP allow bidirectional
XSR(config)#ip firewall policy exttodmzsmtp ANY_EXTERNAL dmz SMTP allow bidirectional
XSR(config)#ip firewall policy TelnetSESS private Mgmt Telnet allow bidirectional
Set a policy to allow any traffic to pass from private to EXTERNAL networks:
XSR(config)#ip firewall policy prvtoextprivate ANY_INTERNAL ANY_EXTERNAL allow after
Trial load the completed configuration into the firewall engine, and if successful, load the configuration:
XSR(config)#ip firewall load trial
XSR(config)#ip firewall load
Complete LAN and WAN interface configuration:
XSR(config)#interface fastethernet 1
XSR(config-if<F1>)#ip address 220.150.2.35 255.255.255.0
XSR(config-if<F1>)#no shutdown
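The guide's note that object names are case-sensitive, and its advice to trial-load before committing, both come down to catching definition mistakes before the firewall engine sees them. The following Python script is an added example, not part of the Enterasys guide or XSR firmware: it parses the network, filter and policy commands shown above (with the CLI prompt stripped) and flags a policy or filter that cites a network name not defined in this case, or a network object whose address has host bits set for its mask. It assumes ANY_EXTERNAL and ANY_INTERNAL are predefined wildcards, as the guide's own commands use them; the two lines under CONSTRUCTED_BAD_LINES are constructed to trip the checks and are not from the guide.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Wildcard network names used by the guide's own commands; this script assumes
# they are predefined and need no "ip firewall network" definition.
BUILTIN_NETWORKS = {"ANY_EXTERNAL", "ANY_INTERNAL"}

# Strips a CLI prompt such as "XSR(config)#" when lines were pasted from a session.
PROMPT_RE = re.compile(r"^\S+\(config[^)]*\)#")

# The network, filter and policy commands from the configuration example above.
PAGE_CONFIG = """\
XSR(config)#ip firewall network dmz 220.150.2.16 mask 255.255.255.240 internal
XSR(config)#ip firewall network private 220.150.2.32 mask 255.255.255.240 internal
XSR(config)#ip firewall network Mgmt 220.150.2.35 mask 255.255.255.255 internal
XSR(config)#ip firewall logging event-threshold 2
XSR(config)#ip firewall filter okICMP private ANY_EXTERNAL protocol-id 1
XSR(config)#ip firewall filter ICMP1 dmz ANY_EXTERNAL protocol-id 1
XSR(config)#ip firewall filter ICMP2 ANY_EXTERNAL dmz protocol-id 1
XSR(config)#ip firewall policy exttodmzhttp ANY_EXTERNAL dmz HTTP allow bidirectional
XSR(config)#ip firewall policy exttodmzsmtp ANY_EXTERNAL dmz SMTP allow bidirectional
XSR(config)#ip firewall policy TelnetSESS private Mgmt Telnet allow bidirectional
"""

# Constructed lines (not from the guide): a network whose address has host bits
# set for its /28 mask, and a policy citing "mgmt" instead of the defined "Mgmt".
CONSTRUCTED_BAD_LINES = """\
XSR(config)#ip firewall network guest 220.150.2.50 mask 255.255.255.240 internal
XSR(config)#ip firewall policy badcase private mgmt Telnet allow bidirectional
"""


@dataclass
class FirewallConfig:
    networks: Dict[str, ipaddress.IPv4Network] = field(default_factory=dict)
    rules: List[dict] = field(default_factory=list)  # filters and policies
    issues: List[str] = field(default_factory=list)


def parse_firewall_config(text: str) -> FirewallConfig:
    """Collect network objects and the src/dst references of filters and policies."""
    cfg = FirewallConfig()
    for lineno, raw in enumerate(text.splitlines(), 1):
        parts = PROMPT_RE.sub("", raw).strip().split()
        if len(parts) < 3 or parts[:2] != ["ip", "firewall"]:
            continue
        kind = parts[2]
        if kind == "network":
            # ip firewall network <name> <addr> mask <mask> [internal|external]
            if len(parts) < 7 or parts[5] != "mask":
                cfg.issues.append(f"line {lineno}: malformed network definition")
                continue
            name, addr, mask = parts[3], parts[4], parts[6]
            if name in cfg.networks:
                cfg.issues.append(f"line {lineno}: duplicate network object '{name}'")
            try:
                # strict=True rejects an address with host bits set for the mask
                cfg.networks[name] = ipaddress.IPv4Network((addr, mask), strict=True)
            except ValueError:
                cfg.issues.append(
                    f"line {lineno}: network '{name}' {addr} mask {mask} has host bits set")
        elif kind in ("filter", "policy"):
            # ip firewall filter|policy <name> <src> <dst> ...
            if len(parts) < 6:
                cfg.issues.append(f"line {lineno}: malformed {kind}")
                continue
            cfg.rules.append({"line": lineno, "kind": kind, "name": parts[3],
                              "src": parts[4], "dst": parts[5]})
    return cfg


def lint_firewall_config(text: str) -> List[str]:
    """Return every problem a trial load would be expected to reject, with a hint."""
    cfg = parse_firewall_config(text)
    issues = list(cfg.issues)
    known = set(cfg.networks) | BUILTIN_NETWORKS
    by_lower = {n.lower(): n for n in known}  # for the case-sensitivity hint
    for rule in cfg.rules:
        for ref in (rule["src"], rule["dst"]):
            if ref in known:
                continue
            msg = (f"line {rule['line']}: {rule['kind']} '{rule['name']}' "
                   f"references undefined network '{ref}'")
            if ref.lower() in by_lower:
                msg += f" (names are case-sensitive; did you mean '{by_lower[ref.lower()]}'?)"
            issues.append(msg)
    return issues


def most_specific_network(cfg: FirewallConfig, address: str) -> Optional[str]:
    """Name of the longest-prefix network object containing the address, if any."""
    ip = ipaddress.IPv4Address(address)
    matches = [(net.prefixlen, name) for name, net in cfg.networks.items() if ip in net]
    return max(matches)[1] if matches else None


if __name__ == "__main__":
    for issue in lint_firewall_config(PAGE_CONFIG + CONSTRUCTED_BAD_LINES) or ["no issues"]:
        print(issue)
```

Run against the guide's own lines the lint reports nothing; with the two constructed lines appended it reports the host-bits error and the mis-cased `mgmt` reference. `most_specific_network` also shows that the Mgmt object (220.150.2.35/32) sits inside the private object (220.150.2.32/28), so a rule naming Mgmt is narrower than one naming private.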
[Figure 16-14 (image not reproduced): XSR with FE1 on the Internal network 220.150.2.32/28 (router address 220.150.2.35, hosts 220.150.2.36 and 220.150.2.37); FE2 on the DMZ network 220.150.2.16/28 (addresses 220.150.2.17, 220.150.2.18 and 220.150.2.19 for the router, the Web server (HTTP) and the Mail server (SMTP)); serial S1 over Frame Relay to the Internet; the figure also labels the subnet 206.12.44.16/28.]