Figure 16-14 – Enterasys Networks Security Router X-PeditionTM User Manual

Page 411


Configuration Examples

XSR User’s Guide 16-25

Figure 16-14 XSR with Firewall Topology

Begin by configuring network objects for private, dmz and Mgmt networks:

XSR(config)#ip firewall network dmz 220.150.2.16 mask 255.255.255.240 internal
XSR(config)#ip firewall network private 220.150.2.32 mask 255.255.255.240 internal
XSR(config)#ip firewall network Mgmt 220.150.2.35 mask 255.255.255.255 internal

Log only critical events:

XSR(config)#ip firewall logging event-threshold 2

Allow ICMP traffic to pass between private, dmz and EXTERNAL networks:

XSR(config)#ip firewall filter okICMP private ANY_EXTERNAL protocol-id 1
XSR(config)#ip firewall filter ICMP1 dmz ANY_EXTERNAL protocol-id 1
XSR(config)#ip firewall filter ICMP2 ANY_EXTERNAL dmz protocol-id 1

Set policies between the dmz, external and Mgmt networks. Note that policy objects and names are
case-sensitive and you must cite network names exactly:

XSR(config)#ip firewall policy exttodmzhttp ANY_EXTERNAL dmz HTTP allow bidirectional
XSR(config)#ip firewall policy exttodmzsmtp ANY_EXTERNAL dmz SMTP allow bidirectional
XSR(config)#ip firewall policy TelnetSESS private Mgmt Telnet allow bidirectional

Set a policy to allow any traffic to pass from private to EXTERNAL networks:

XSR(config)#ip firewall policy prvtoextprivate ANY_INTERNAL ANY_EXTERNAL allow after

Trial load the completed configuration into the firewall engine, and if successful, load the
configuration:

XSR(config)#ip firewall load trial
XSR(config)#ip firewall load
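
A pre-check for the case-sensitivity rule above, as an added example that is not part of the XSR guide: this Python script reads a list of ip firewall commands, flags any policy or filter that names a network not declared with that exact spelling, and notes declared networks that lie inside one another. It assumes only the command shapes shown on this page and treats ANY_INTERNAL and ANY_EXTERNAL as predefined; the sample input is constructed.

```python
import ipaddress
from itertools import permutations

BUILTIN = {"ANY_INTERNAL", "ANY_EXTERNAL"}  # assumed predefined: the page uses them undeclared

# Constructed sample: commands from this page with two network names mistyped on purpose.
SAMPLE = """\
XSR(config)#ip firewall network dmz 220.150.2.16 mask 255.255.255.240 internal
XSR(config)#ip firewall network private 220.150.2.32 mask 255.255.255.240 internal
XSR(config)#ip firewall network Mgmt 220.150.2.35 mask 255.255.255.255 internal
XSR(config)#ip firewall filter ICMP1 dmz ANY_EXTERNAL protocol-id 1
XSR(config)#ip firewall policy exttodmzhttp ANY_EXTERNAL DMZ HTTP allow bidirectional
XSR(config)#ip firewall policy TelnetSESS private mgmt Telnet allow bidirectional
"""

def lint(config):
    """Return (bad, nested) for the 'ip firewall' lines in config."""
    nets, refs, bad = {}, [], []
    for n, raw in enumerate(config.splitlines(), 1):
        tok = raw.split("#", 1)[-1].split()       # drop the CLI prompt if present
        if tok[:2] != ["ip", "firewall"]:
            continue
        if tok[2:3] == ["network"] and len(tok) >= 7 and tok[5] == "mask":
            try:  # strict=True rejects an address with host bits set under the mask
                nets[tok[3]] = ipaddress.ip_network(f"{tok[4]}/{tok[6]}", strict=True)
            except ValueError:
                bad.append((n, tok[3], tok[4], None))
        elif tok[2:3] in (["policy"], ["filter"]) and len(tok) >= 6:
            # Tokens 4 and 5 are the source and destination network names.
            refs += [(n, tok[3], tok[4]), (n, tok[3], tok[5])]
    by_lower = {name.lower(): name for name in nets}
    for n, obj, ref in refs:
        if ref not in nets and ref not in BUILTIN:
            # Suggest the declared spelling when only the case differs.
            bad.append((n, obj, ref, by_lower.get(ref.lower())))
    # Pairs (inner, outer) where one declared network sits inside another.
    nested = [(a, b) for a, b in permutations(nets, 2) if nets[a].subnet_of(nets[b])]
    return bad, nested

if __name__ == "__main__":
    bad, nested = lint(SAMPLE)
    for n, obj, ref, hint in bad:
        print(f"line {n}: {obj} references undefined network {ref!r}"
              + (f" (declared as {hint!r})" if hint else ""))
    for inner, outer in nested:
        print(f"note: network {inner} lies inside network {outer}")
```

With the network objects declared as on this page, the script also reports that Mgmt (220.150.2.35/32) lies inside private (220.150.2.32/28), which is worth knowing when reading the TelnetSESS policy.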

Complete LAN and WAN interface configuration:

XSR(config-if<F1>)#interface fastethernet 1
XSR(config-if<F1>)#ip address 220.150.2.35 255.255.255.0
XSR(config-if<F1>)#no shutdown

[Figure 16-14 diagram labels: Internet, Frame Relay, S1, XSR, FE1, FE2, DMZ 220.150.2.16/28, Internal 220.150.2.32/28, Web server (HTTP), Mail server (SMTP). Addresses shown: 206.12.44.16/28, 220.150.2.17, 220.150.2.18, 220.150.2.19, 220.150.2.35, 220.150.2.36, 220.150.2.37]
