Cisco Systems CL-28826-01 Specifying IP Addresses During Policy Definition

6-81

User Guide for Cisco Security Manager 4.4

OL-28826-01

Chapter6 Managing Policy Objects

Understanding Networks/Hosts Objects

c. Double-click each device in the Policy Object Overrides dialog box, then modify the address field

for the value required by that device.

Step 3 Define a policy that requires this object. You can use one of two methods:

•Define the policy on a single device in Device view, share the policy, then assign the policy to the

other devices. See Sharing a Local Policy, page 5-38 and Modifying Shared Policy Assignments in

Device View or the Site-to-Site VPN Manager, page5-46.

•Create a shared policy in Policy view, then assign the policy to the other devices using the

Assignments tab. See Modifying Policy Assignments in Policy View, page 5-51.

Note You can create a Networks/Hosts group object that refers to a Networks/Hosts object with an

unspecified value. You do not have to create the device-level overrides before you assign the

policy containing the object to devices.

Specifying IP Addresses During Policy Definition

Many policies and policy objects require that you enter an IP address for a host or network. For some

policies or objects, you must enter just a host, or just a network. For other policies or objects, you can

enter some combination of hosts and networks. You are prevented from entering or selecting addresses

that are not appropriate for the circumstances.

The following is a description of all acceptable formats that you can use, both for IPv4 and IPv6

addresses, although a particular policy or object might not allow specific formats (for example, interface

roles are allowed as address designations in only a very limited number of policies). If the policy or

object allows it, you can enter multiple addresses by separating them with commas.

•Networks/Hosts object. Enter the name of the object or click Select to select it from a list. You can

also create new Networks/Hosts objects from the selection list.

Note The only way to specify a fully qualified domain name (FQDN) is to use an FQDN

Networks/Hosts object, or a group object that includes an FQDN object. You cannot directly

type in an FQDN.

•Host IP address, in v4 or v6 format.

–

Complete IPv4 address; for example, 10.10.10.100

–

Complete IPv6 address, showing all eight components. For example,

2001:DB8:0:0:0DB8:800:200C:417A. It is not necessary to include the leading zeros in an

individual field. Security Manager converts the address to compressed format if possible.

–

Compressed IPv6 address, where a group of fields is replaced by two colons (::). It is common

for IPv6 addresses to contain successive hexadecimal fields of zeros. To make IPv6 addresses

less cumbersome, you can use two colons (::) to compress successive hexadecimal fields of

zeros at the beginning, middle, or end of an IPv6 address (the colons represent successive

hexadecimal fields of zeros). You can use :: at most once in an IPv6 address. For example,

2001:DB8::0DB8:800:200C:417A. The unspecified address, 0:0:0:0:0:0:0:0, can be

represented as ::. The loopback address is ::1.