security-config [firewall-ipv4-dmz-wan-inbound] mode, and then you can configure one keyword and its associated parameter or associated keyword at a time, in the order that you prefer. However, note that the setting of the action keyword determines which other keywords and parameters you can apply to a rule.
nat_ip type Auto, WAN1, WAN2, WAN3, or WAN4
Specifies the type of NAT IP address for a nonblocking rule:
• Auto. The source address of the outgoing packets is autodetected through the configured routing and load balancing rules.
• WAN1, WAN2, WAN3, or WAN4. The IP address of the selected WAN interface.
Note: The nat_ip type and nat_ip address keywords are mutually exclusive.
nat_ip address ipaddress The NAT IP address, if the address is different from the IP address of a WAN interface, for example, a secondary WAN IP address.
Note: The nat_ip type and nat_ip address keywords are mutually exclusive.
Step 1 Format security firewall ipv4 add_rule dmz_wan inbound
Mode security
Step 2 Format service_name {default_services <default service name> | custom_services <custom service name>}
action {ALWAYS_BLOCK | ALWAYS_ALLOW | BLOCK_BY_SCHEDULE_ELSE_ALLOW {schedule {Schedule1 | Schedule2 | Schedule3}} | ALLOW_BY_SCHEDULE_ELSE_BLOCK {schedule {Schedule1 | Schedule2 | Schedule3}}}
send_to_dmz_server_ip <ipaddress>
translate_to_port_number enable {N | Y {translate_to_port_number port <number>}}
{wan_destination_ip_address {WAN1 | WAN2 | WAN3 | WAN4} | wan_destination_ip_address_start <ipaddress>}
dmz_users {ANY | SINGLE_ADDRESS {dmz_user_start_ip <ipaddress>} | ADDRESS_RANGE {dmz_user_start_ip <ipaddress>} {dmz_user_end_ip <ipaddress>}}
wan_users {address_wise {ANY | SINGLE_ADDRESS {wan_user_start_ip <ipaddress>} | ADDRESS_RANGE {wan_user_start_ip <ipaddress>} {wan_user_end_ip <ipaddress>}} | group_wise <group name>}
qos_profile <profile name>
log {NEVER | ALWAYS}
Mode security-config [firewall-ipv4-dmz-wan-inbound]
Keyword (might consist of two separate words)
Associated Keyword to Select or Parameter to Type
Description
Service name, action, and schedule
service_name default_services ANY, AIM, BGP, BOOTP_CLIENT, BOOTP_SERVER, CU-SEEME:UDP, CU-SEEME:TCP, DNS:UDP, DNS:TCP, FINGER, FTP, HTTP, HTTPS, ICMP-TYPE-3, ICMP-TYPE-4, ICMP-TYPE-5, ICMP-TYPE-6, ICMP-TYPE-7, ICMP-TYPE-8, ICMP-TYPE-9, ICMP-TYPE-10, ICMP-TYPE-11, ICMP-TYPE-13, ICQ, IMAP2, IMAP3, IRC, NEWS, NFS, NNTP, PING, POP3, PPTP, RCMD, REAL-AUDIO, REXEC, RLOGIN, RTELNET, RTSP:TCP, RTSP:UDP, SFTP, SMTP, SNMP:TCP, SNMP:UDP, SNMP-TRAPS:TCP, SNMP-TRAPS:UDP, SQL-NET, SSH:TCP, SSH:UDP, STRMWORKS,
Specifies the default service and protocol to which the firewall rule applies.
service_name custom_services custom service name The custom service that you have configured with the security services add command and to which the firewall rule applies.
action ALWAYS_BLOCK, ALWAYS_ALLOW, BLOCK_BY_SCHEDULE_ELSE_ALLOW, or ALLOW_BY_SCHEDULE_ELSE_BLOCK Specifies the type of action to be enforced by the rule.
schedule Schedule1, Schedule2, or Schedule3 Specifies the schedule, if any, that is applicable to the rule.
DMZ server address, port number translation, and WAN destination address
send_to_dmz_server_ip ipaddress The IP address of the DMZ server.
translate_to_port_number number The port number (integer) if port forwarding is enabled. Valid numbers are 0 through 65535.
wan_destination_ip_address WAN1, WAN2, WAN3, or WAN4 Specifies the IP address of the selected WAN interface as the destination address.
Note: The wan_destination_ip_address and wan_destination_ip_address_start keywords are mutually exclusive.
wan_destination_ip_address_start ipaddress The WAN IP address, if the destination address is different from the IP address of a WAN interface, for example, a secondary WAN IP address.
Note: The wan_destination_ip_address and wan_destination_ip_address_start keywords are mutually exclusive.
DMZ user addresses and WAN user addresses
dmz_users ANY, SINGLE_ADDRESS, or ADDRESS_RANGE Specifies the type of DMZ address.
For an inbound rule, this option is available only when the WAN mode is Classical Routing.
dmz_user_start_ip ipaddress There are two options:
• The IP address if the dmz_users keyword is set to SINGLE_ADDRESS.
• The start IP address if the dmz_users keyword is set to ADDRESS_RANGE.
dmz_user_end_ip ipaddress The end IP address if the dmz_users keyword is set to ADDRESS_RANGE.
wan_users address_wise ANY, SINGLE_ADDRESS, or ADDRESS_RANGE Specifies the type of WAN address.
The address_wise and group_wise keywords are mutually exclusive.
wan_user_start_ip ipaddress There are two options:
• The IP address if the wan_users keyword is set to SINGLE_ADDRESS.
• The start IP address if the wan_users keyword is set to ADDRESS_RANGE.
wan_user_end_ip ipaddress The end IP address if the wan_users keyword is set to ADDRESS_RANGE.
wan_users group_wise group name The name of the WAN IP group.
The WAN IP group name is a name that you have specified with the security services ip_group add command.
The address_wise and group_wise keywords are mutually exclusive.
QoS profile and logging
qos_profile profile name The name of the QoS profile that you have specified with the security services qos_profile add command.
log NEVER or ALWAYS Specifies whether logging is disabled or enabled.
Command example:
security-config[firewall-ipv4-dmz-wan-inbound]> translate_to_port_number port 6700
security-config[firewall-ipv4-dmz-wan-inbound]> wan_destination_ip_address_start 10.168.50.1
security-config[firewall-ipv4-dmz-wan-inbound]> wan_users Single_Address
security-config[firewall-ipv4-dmz-wan-inbound]> wan_user_start_ip 10.132.215.4
security-config[firewall-ipv4-dmz-wan-inbound]> log Always
security-config[firewall-ipv4-dmz-wan-inbound]> save
Related show command: show security firewall ipv4 setup dmz_wan
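As an added example (not NETGEAR's code or CLI output), the following Python builder models the Step 2 keyword grammar and the mutual-exclusion notes from the table above, rejects combinations the table forbids, and emits a session in the same form as the command example. The DMZ server address and the wan_dest/wan_group values are constructed; dmz_users (Classical Routing only) and qos_profile are left out.

```python
import ipaddress

PROMPT = "security-config[firewall-ipv4-dmz-wan-inbound]> "
ACTIONS = ("ALWAYS_BLOCK", "ALWAYS_ALLOW",
           "BLOCK_BY_SCHEDULE_ELSE_ALLOW", "ALLOW_BY_SCHEDULE_ELSE_BLOCK")
SCHEDULES = ("Schedule1", "Schedule2", "Schedule3")
WANS = ("WAN1", "WAN2", "WAN3", "WAN4")
WAN_USER_TYPES = ("ANY", "SINGLE_ADDRESS", "ADDRESS_RANGE")


def build_dmz_wan_inbound(service, action, dmz_server, *, schedule=None, port=None,
                          wan_dest=None, wan_dest_start=None, wan_users=None,
                          wan_start=None, wan_end=None, wan_group=None, log="NEVER"):
    """Return the ordered CLI lines for one inbound DMZ<-WAN rule, or raise ValueError
    when the keyword combination breaks a constraint stated in the reference table.
    `service` is (service_name keyword, name), e.g. ("default_services", "HTTP")."""
    if service[0] not in ("default_services", "custom_services") or action not in ACTIONS:
        raise ValueError("bad service_name or action keyword")
    if ("SCHEDULE" in action) != (schedule in SCHEDULES):
        raise ValueError("schedule is required for, and only for, *_BY_SCHEDULE_* actions")
    if (wan_dest is None) == (wan_dest_start is None) or (wan_dest and wan_dest not in WANS):
        raise ValueError("exactly one of wan_destination_ip_address / _start is required")
    if port is not None and not 0 <= int(port) <= 65535:
        raise ValueError("translate_to_port_number port must be 0 through 65535")
    if (wan_users is None) == (wan_group is None) or log not in ("NEVER", "ALWAYS"):
        raise ValueError("address_wise and group_wise are exclusive; log is NEVER or ALWAYS")
    ip = ipaddress.IPv4Address  # every literal address must parse as IPv4
    lines = [f"service_name {service[0]} {service[1]}", f"action {action}"]
    if schedule:
        lines.append(f"schedule {schedule}")
    lines += [f"send_to_dmz_server_ip {ip(dmz_server)}",
              f"translate_to_port_number enable {'Y' if port is not None else 'N'}"]
    if port is not None:
        lines.append(f"translate_to_port_number port {int(port)}")
    lines.append(f"wan_destination_ip_address {wan_dest}" if wan_dest
                 else f"wan_destination_ip_address_start {ip(wan_dest_start)}")
    if wan_group:
        lines.append(f"wan_users group_wise {wan_group}")
    elif wan_users not in WAN_USER_TYPES:
        raise ValueError(f"unknown wan_users type {wan_users}")
    else:
        lines.append(f"wan_users {wan_users}")
        if wan_users != "ANY":
            lines.append(f"wan_user_start_ip {ip(wan_start)}")
        if wan_users == "ADDRESS_RANGE":
            if ip(wan_end) < ip(wan_start):
                raise ValueError("wan_user_end_ip precedes wan_user_start_ip")
            lines.append(f"wan_user_end_ip {ip(wan_end)}")
    lines += [f"log {log}", "save"]
    return [PROMPT + line for line in lines]
```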