diff --git a/doc/ChangeLog b/doc/ChangeLog index 1a8826932..a8d5faf62 100644 --- a/doc/ChangeLog +++ b/doc/ChangeLog @@ -1,5 +1,8 @@ 2011-04-14 vadim + * platform/fwsm.xml: see #2295 Added FWSM version "3.2". According to + Cisco documentation, FWSM version 3.2 matches PIX 7. + * platform/pix.xml: see #2348: "Accounting action is not valid for FWSM platform". Actions "Accounting" and "Reject" should not appear in the drop-down list of actions in the GUI if platform is diff --git a/src/cisco_lib/NamedObjectsManager.cpp b/src/cisco_lib/NamedObjectsManager.cpp index d032288e6..6f1c6c15a 100644 --- a/src/cisco_lib/NamedObjectsManager.cpp +++ b/src/cisco_lib/NamedObjectsManager.cpp @@ -179,14 +179,16 @@ string NamedObjectsManager::getClearCommands() BaseObjectGroup* NamedObjectsManager::createObjectGroup() { BaseObjectGroup *grp = NULL; - if (platform == "pix" || platform == "fwsm") + if (platform == "pix") { if (XMLTools::version_compare(version, "8.0")<0) grp = new PIXObjectGroup(); else grp = new ASA8ObjectGroup(); - } + + if (platform == "fwsm") grp = new PIXObjectGroup(); + if (platform == "iosacl") grp = new IOSObjectGroup(); assert(grp!=NULL); diff --git a/src/cisco_lib/OSConfigurator_pix_os.cpp b/src/cisco_lib/OSConfigurator_pix_os.cpp index 9ba16005b..cc72c1a48 100644 --- a/src/cisco_lib/OSConfigurator_pix_os.cpp +++ b/src/cisco_lib/OSConfigurator_pix_os.cpp 
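Review bot: The new line `if (platform == "fwsm") grp = new PIXObjectGroup();` in createObjectGroup() has no comment saying why FWSM no longer goes through the `version_compare(version, "8.0")` test, and the reason is not obvious from the code. I would add `// FWSM version numbers (2.3, 3.2, 4.x) are not on the PIX/ASA scale, so FWSM always uses PIX-style object groups` above it, assuming that is the intent. Since the three platform tests are mutually exclusive, chaining them as `else if` would also make it clear that exactly one branch assigns `grp`. The function body continues past the end of the hunk.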
@@ -233,14 +233,18 @@ string OSConfigurator_pix_os::_printInterfaceConfiguration() if (host_os == "pix_os") { - if (XMLTools::version_compare(version, "7.0") < 0) configlet_name += "6"; - if (XMLTools::version_compare(version, "7.0") >= 0) configlet_name += "7"; + if (XMLTools::version_compare(version, "7.0") < 0) + configlet_name += "6"; + if (XMLTools::version_compare(version, "7.0") >= 0) + configlet_name += "7"; } if (host_os == "fwsm_os") { - if (XMLTools::version_compare(version, "4.0") < 0) configlet_name += "2"; - if (XMLTools::version_compare(version, "4.0") >= 0) configlet_name += "4"; + if (XMLTools::version_compare(version, "3.2") < 0) + configlet_name += "2"; + if (XMLTools::version_compare(version, "3.2") >= 0) + configlet_name += "3_2"; } cnf = new Configlet(fw, "pix_os", configlet_name); @@ -317,8 +321,8 @@ string OSConfigurator_pix_os::_printFailoverConfiguration() if (host_os == "fwsm_os") { - if (XMLTools::version_compare(version, "4.0") < 0) configlet_name += "2"; - if (XMLTools::version_compare(version, "4.0") >= 0) configlet_name += "4"; + if (XMLTools::version_compare(version, "3.2") < 0) configlet_name += "2"; + if (XMLTools::version_compare(version, "3.2") >= 0) configlet_name += "3_2"; } Configlet cnf(fw, "pix_os", configlet_name); @@ -541,7 +545,7 @@ string OSConfigurator_pix_os::_printSNMP() // for pix bool version_ge_70 = XMLTools::version_compare(version, "7.0") >= 0; // for fwsm - bool version_ge_40 = XMLTools::version_compare(version, "4.0") >= 0; + bool version_ge_32 = XMLTools::version_compare(version, "3.2") >= 0; Configlet cnf(fw, "pix_os", "snmp"); cnf.removeComments(); 
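Review bot: In the `fwsm_os` branch of _printInterfaceConfiguration() the suffix is chosen by two separate `version_compare(version, "3.2")` tests with opposite conditions, so the threshold literal appears twice and has to be kept in step by hand; the same pair is in the _printFailoverConfiguration() hunk below. A single `if`/`else`, or `configlet_name += (XMLTools::version_compare(version, "3.2") < 0) ? "2" : "3_2";`, picks exactly one suffix from one comparison. The suffix also has to match the renamed files (`regular_interface_3_2`, `failover_interface_3_2`, and so on), which a short comment next to the literal would make clear. Both functions start and end outside their hunks.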
@@ -549,8 +553,8 @@ string OSConfigurator_pix_os::_printSNMP() cnf.setVariable("pix_version_lt_70", ! version_ge_70); cnf.setVariable("pix_version_ge_70", version_ge_70); - cnf.setVariable("fwsm_version_lt_40", ! version_ge_40); - cnf.setVariable("fwsm_version_ge_40", version_ge_40); + cnf.setVariable("fwsm_version_lt_32", ! version_ge_32); + cnf.setVariable("fwsm_version_ge_32", version_ge_32); bool set_communities = fw->getOptionsObject()->getBool( "pix_set_communities_from_object_data"); @@ -622,15 +626,15 @@ string OSConfigurator_pix_os::_printNTP() // for pix bool version_ge_70 = XMLTools::version_compare(version, "7.0") >= 0; // for fwsm - bool version_ge_40 = XMLTools::version_compare(version, "4.0") >= 0; + bool version_ge_32 = XMLTools::version_compare(version, "3.2") >= 0; Configlet cnf(fw, "pix_os", "ntp"); cnf.removeComments(); cnf.collapseEmptyStrings(true); cnf.setVariable("pix_version_lt_70", ! version_ge_70); cnf.setVariable("pix_version_ge_70", version_ge_70); - cnf.setVariable("fwsm_version_lt_40", ! version_ge_40); - cnf.setVariable("fwsm_version_ge_40", version_ge_40); + cnf.setVariable("fwsm_version_lt_32", ! version_ge_32); + cnf.setVariable("fwsm_version_ge_32", version_ge_32); string ntp_server_1=fw->getOptionsObject()->getStr("pix_ntp1"); bool ntp1_pref=fw->getOptionsObject()->getBool("pix_ntp1_pref"); 
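Review bot: The `setVariable("fwsm_version_lt_32", ...)` and `setVariable("fwsm_version_ge_32", ...)` calls in _printSNMP() rename variables that the configlet templates look up by name, and the same rename is made in the _printNTP() and _printSSHConfiguration() hunks. This diff updates `fwsm_os/snmp` and `fwsm_os/ssh` but shows no matching change to an NTP configlet, so it is worth checking (for example by searching the tree for `fwsm_version_lt_40` and `fwsm_version_ge_40`) that no template still tests the old names. If one does, and the Configlet engine treats an unset variable as false (not visible here), both `{{if}}` branches would be skipped and the generated script would silently lose its `clear` command, leaving stale entries on the device. A comment at the `setVariable` calls naming the templates that consume these variables would help.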
@@ -827,15 +831,15 @@ string OSConfigurator_pix_os::_printSSHConfiguration() // for pix bool version_ge_70 = XMLTools::version_compare(version, "7.0") >= 0; // for fwsm - bool version_ge_40 = XMLTools::version_compare(version, "4.0") >= 0; + bool version_ge_32 = XMLTools::version_compare(version, "3.2") >= 0; Configlet cnf(fw, "pix_os", "ssh"); cnf.removeComments(); cnf.collapseEmptyStrings(true); cnf.setVariable("pix_version_lt_70", ! version_ge_70); cnf.setVariable("pix_version_ge_70", version_ge_70); - cnf.setVariable("fwsm_version_lt_40", ! version_ge_40); - cnf.setVariable("fwsm_version_ge_40", version_ge_40); + cnf.setVariable("fwsm_version_lt_32", ! version_ge_32); + cnf.setVariable("fwsm_version_ge_32", version_ge_32); cnf.setVariable("clear", 1); cnf.setVariable("use_scp", fw->getOptionsObject()->getBool("use_scp")); diff --git a/src/res/configlets/fwsm_os/failover_commands_4 b/src/res/configlets/fwsm_os/failover_commands_3_2 similarity index 100% rename from src/res/configlets/fwsm_os/failover_commands_4 rename to src/res/configlets/fwsm_os/failover_commands_3_2 diff --git a/src/res/configlets/fwsm_os/failover_interface_4 b/src/res/configlets/fwsm_os/failover_interface_3_2 similarity index 100% rename from src/res/configlets/fwsm_os/failover_interface_4 rename to src/res/configlets/fwsm_os/failover_interface_3_2 diff --git a/src/res/configlets/fwsm_os/regular_interface_4 b/src/res/configlets/fwsm_os/regular_interface_3_2 similarity index 100% rename from src/res/configlets/fwsm_os/regular_interface_4 rename to src/res/configlets/fwsm_os/regular_interface_3_2 diff --git a/src/res/configlets/fwsm_os/snmp b/src/res/configlets/fwsm_os/snmp index a3cd5af95..ed04dd44b 100644 --- a/src/res/configlets/fwsm_os/snmp +++ b/src/res/configlets/fwsm_os/snmp 
@@ -13,10 +13,10 @@ ## {{if clear}} -{{if fwsm_version_lt_40}} +{{if fwsm_version_lt_32}} clear snmp-server {{endif}} -{{if fwsm_version_ge_40}} +{{if fwsm_version_ge_32}} clear config snmp-server {{endif}} {{endif}} diff --git a/src/res/configlets/fwsm_os/ssh b/src/res/configlets/fwsm_os/ssh index 4dfd029d3..47c1efb5a 100644 --- a/src/res/configlets/fwsm_os/ssh +++ b/src/res/configlets/fwsm_os/ssh @@ -13,10 +13,10 @@ ## {{if clear}} -{{if fwsm_version_lt_40}} +{{if fwsm_version_lt_32}} clear ssh {{endif}} -{{if fwsm_version_ge_40}} +{{if fwsm_version_ge_32}} clear config ssh {{endif}} {{endif}} diff --git a/src/res/configlets/fwsm_os/vlan_parent_interface_4 b/src/res/configlets/fwsm_os/vlan_parent_interface_3_2 similarity index 100% rename from src/res/configlets/fwsm_os/vlan_parent_interface_4 rename to src/res/configlets/fwsm_os/vlan_parent_interface_3_2 diff --git a/src/res/configlets/fwsm_os/vlan_subinterface_4 b/src/res/configlets/fwsm_os/vlan_subinterface_3_2 similarity index 100% rename from src/res/configlets/fwsm_os/vlan_subinterface_4 rename to src/res/configlets/fwsm_os/vlan_subinterface_3_2 diff --git a/src/res/platform/fwsm.xml b/src/res/platform/fwsm.xml index 0d3a0b6a8..66b46390d 100644 --- a/src/res/platform/fwsm.xml +++ b/src/res/platform/fwsm.xml @@ -10,7 +10,7 @@ fwb_pix_diff fwsm_os - 2.3,4.x + 2.3,3.2,4.x 
@@ -127,6 +127,106 @@ nameif %in %il security%sl + + true + true + true + true + true + true + false + true + info + 300 + true + true + true + false + false + true + true + true + false + + + clear config access-list + clear config object-group + clear config icmp + clear config telnet + clear config ssh + clear xlate + clear config static + clear config global + clear config nat + clear ntp + clear snmp-server + + +ip address %il %a %n + + +ip address %il dhcp setroute retry 10 + + +nameif %in %il security%sl + + + + + 3 + 0 + 0 + + 1 + 0 + 0 + + 0 + 2 + 0 + + 0 + 10 + 0 + + 0 + 5 + 0 + + 0 + 30 + 0 + + 0 + 2 + 0 + + 0 + 10 + 0 + + 2 + 0 + 0 + True + False + + 5 + 5 + + + + dns_fixup,ftp_fixup,h323_h225_fixup,h323_ras_fixup,http_fixup,icmp_error_fixup,ils_fixup,mgcp_fixup,rsh_fixup,rtsp_fixup,sip_fixup,sip_udp_fixup,skinny_fixup,smtp_fixup,sqlnet_fixup,tftp_fixup + + false + true + true + + + + + + true true diff --git a/test/pix/cluster1-1_pix1.fw.orig b/test/pix/cluster1-1_pix1.fw.orig index ac220cbab..169d25415 100755 --- a/test/pix/cluster1-1_pix1.fw.orig +++ b/test/pix/cluster1-1_pix1.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3526 ! -! Generated Thu Apr 14 16:05:51 2011 PDT by vadim +! Generated Thu Apr 14 16:32:44 2011 PDT by vadim ! ! Compiled for pix 7.0 ! Outbound ACLs: supported diff --git a/test/pix/cluster1-1_pix2.fw.orig b/test/pix/cluster1-1_pix2.fw.orig index 44a2b9f4f..c32571f89 100755 --- a/test/pix/cluster1-1_pix2.fw.orig +++ b/test/pix/cluster1-1_pix2.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3526 ! -! Generated Thu Apr 14 16:05:51 2011 PDT by vadim +! Generated Thu Apr 14 16:32:44 2011 PDT by vadim ! ! Compiled for pix 7.0 ! Outbound ACLs: supported diff --git a/test/pix/cluster1_pix1.fw.orig b/test/pix/cluster1_pix1.fw.orig index 96267c7c5..d85237a8e 100755 --- a/test/pix/cluster1_pix1.fw.orig +++ b/test/pix/cluster1_pix1.fw.orig 
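Review bot: The added block lists `clear ntp` and `clear snmp-server`, while the `fwsm_os/snmp` configlet changed in this same commit emits `clear config snmp-server` when `fwsm_version_ge_32` is true. If this block is the option set for version 3.2 (the element names are not visible on this page), the two disagree on the command form for the same version, and one of them is presumably wrong for FWSM 3.2. It would be worth confirming against the device documentation and using the `clear config ...` form here, as the other entries in the block already do.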
@@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3526 ! -! Generated Thu Apr 14 16:05:51 2011 PDT by vadim +! Generated Thu Apr 14 16:32:44 2011 PDT by vadim ! ! Compiled for pix 7.0 ! Outbound ACLs: supported diff --git a/test/pix/cluster1_pix2.fw.orig b/test/pix/cluster1_pix2.fw.orig index 3121fcc1b..9802eff28 100755 --- a/test/pix/cluster1_pix2.fw.orig +++ b/test/pix/cluster1_pix2.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3526 ! -! Generated Thu Apr 14 16:05:51 2011 PDT by vadim +! Generated Thu Apr 14 16:32:44 2011 PDT by vadim ! ! Compiled for pix 7.0 ! Outbound ACLs: supported diff --git a/test/pix/firewall.fw.orig b/test/pix/firewall.fw.orig index a2a101de1..8c51ce70d 100755 --- a/test/pix/firewall.fw.orig +++ b/test/pix/firewall.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3526 ! -! Generated Thu Apr 14 16:05:34 2011 PDT by vadim +! Generated Thu Apr 14 16:32:30 2011 PDT by vadim ! ! Compiled for pix 6.2 ! Outbound ACLs: not supported diff --git a/test/pix/firewall1.fw.orig b/test/pix/firewall1.fw.orig index 5b5394e7f..c861d8ce9 100755 --- a/test/pix/firewall1.fw.orig +++ b/test/pix/firewall1.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3526 ! -! Generated Thu Apr 14 16:05:34 2011 PDT by vadim +! Generated Thu Apr 14 16:32:30 2011 PDT by vadim ! ! Compiled for pix 6.1 ! Outbound ACLs: not supported diff --git a/test/pix/firewall10.fw.orig b/test/pix/firewall10.fw.orig index 58042c8bb..7904598b4 100755 --- a/test/pix/firewall10.fw.orig +++ b/test/pix/firewall10.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3526 ! -! Generated Thu Apr 14 16:05:35 2011 PDT by vadim +! Generated Thu Apr 14 16:32:30 2011 PDT by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported diff --git a/test/pix/firewall11.fw.orig b/test/pix/firewall11.fw.orig index a85a5e763..140e2e46f 100755 --- a/test/pix/firewall11.fw.orig +++ b/test/pix/firewall11.fw.orig 
@@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3526 ! -! Generated Thu Apr 14 16:05:35 2011 PDT by vadim +! Generated Thu Apr 14 16:32:30 2011 PDT by vadim ! ! Compiled for pix 6.2 ! Outbound ACLs: not supported diff --git a/test/pix/firewall12.fw.orig b/test/pix/firewall12.fw.orig index f7c64bec2..74f05fa79 100755 --- a/test/pix/firewall12.fw.orig +++ b/test/pix/firewall12.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3526 ! -! Generated Thu Apr 14 16:05:36 2011 PDT by vadim +! Generated Thu Apr 14 16:32:31 2011 PDT by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported diff --git a/test/pix/firewall13.fw.orig b/test/pix/firewall13.fw.orig index 623749c5f..5ce619cb2 100755 --- a/test/pix/firewall13.fw.orig +++ b/test/pix/firewall13.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3526 ! -! Generated Thu Apr 14 16:05:36 2011 PDT by vadim +! Generated Thu Apr 14 16:32:31 2011 PDT by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported diff --git a/test/pix/firewall14.fw.orig b/test/pix/firewall14.fw.orig index 33f935a42..b3541d06b 100755 --- a/test/pix/firewall14.fw.orig +++ b/test/pix/firewall14.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3526 ! -! Generated Thu Apr 14 16:05:37 2011 PDT by vadim +! Generated Thu Apr 14 16:32:32 2011 PDT by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported diff --git a/test/pix/firewall2.fw.orig b/test/pix/firewall2.fw.orig index 5ec877685..984f6a7ed 100755 --- a/test/pix/firewall2.fw.orig +++ b/test/pix/firewall2.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3526 ! -! Generated Thu Apr 14 16:05:37 2011 PDT by vadim +! Generated Thu Apr 14 16:32:32 2011 PDT by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported diff --git a/test/pix/firewall20.fw.orig b/test/pix/firewall20.fw.orig index 021477a81..7628920cf 100755 --- a/test/pix/firewall20.fw.orig +++ b/test/pix/firewall20.fw.orig 
@@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3526 ! -! Generated Thu Apr 14 16:05:37 2011 PDT by vadim +! Generated Thu Apr 14 16:32:32 2011 PDT by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported diff --git a/test/pix/firewall21-1.fw.orig b/test/pix/firewall21-1.fw.orig index b470839cf..f7030b66a 100755 --- a/test/pix/firewall21-1.fw.orig +++ b/test/pix/firewall21-1.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3526 ! -! Generated Thu Apr 14 16:05:38 2011 PDT by vadim +! Generated Thu Apr 14 16:32:33 2011 PDT by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported diff --git a/test/pix/firewall21.fw.orig b/test/pix/firewall21.fw.orig index 96216285e..d3d83c507 100755 --- a/test/pix/firewall21.fw.orig +++ b/test/pix/firewall21.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3526 ! -! Generated Thu Apr 14 16:05:38 2011 PDT by vadim +! Generated Thu Apr 14 16:32:33 2011 PDT by vadim ! ! Compiled for pix 7.0 ! Outbound ACLs: supported diff --git a/test/pix/firewall22.fw.orig b/test/pix/firewall22.fw.orig index 6202f17ca..21ad3396e 100755 --- a/test/pix/firewall22.fw.orig +++ b/test/pix/firewall22.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3526 ! -! Generated Thu Apr 14 16:05:39 2011 PDT by vadim +! Generated Thu Apr 14 16:32:33 2011 PDT by vadim ! ! Compiled for pix 7.0 ! Outbound ACLs: supported diff --git a/test/pix/firewall23.fw.orig b/test/pix/firewall23.fw.orig index 8f506a7db..8befef620 100755 --- a/test/pix/firewall23.fw.orig +++ b/test/pix/firewall23.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3526 ! -! Generated Thu Apr 14 16:05:39 2011 PDT by vadim +! Generated Thu Apr 14 16:32:34 2011 PDT by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported diff --git a/test/pix/firewall3.fw.orig b/test/pix/firewall3.fw.orig index ca436d6ff..564e53b54 100755 --- a/test/pix/firewall3.fw.orig +++ b/test/pix/firewall3.fw.orig 
@@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3526 ! -! Generated Thu Apr 14 16:05:40 2011 PDT by vadim +! Generated Thu Apr 14 16:32:34 2011 PDT by vadim ! ! Compiled for pix 6.2 ! Outbound ACLs: not supported diff --git a/test/pix/firewall33.fw.orig b/test/pix/firewall33.fw.orig index 4b359acb5..bee41d8d9 100755 --- a/test/pix/firewall33.fw.orig +++ b/test/pix/firewall33.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3526 ! -! Generated Thu Apr 14 16:05:40 2011 PDT by vadim +! Generated Thu Apr 14 16:32:34 2011 PDT by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported diff --git a/test/pix/firewall34.fw.orig b/test/pix/firewall34.fw.orig index 2967b1cfa..fa68ddff3 100755 --- a/test/pix/firewall34.fw.orig +++ b/test/pix/firewall34.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3526 ! -! Generated Thu Apr 14 16:05:40 2011 PDT by vadim +! Generated Thu Apr 14 16:32:35 2011 PDT by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported diff --git a/test/pix/firewall4.fw.orig b/test/pix/firewall4.fw.orig index abfa20a91..e871e4bc3 100755 --- a/test/pix/firewall4.fw.orig +++ b/test/pix/firewall4.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3526 ! -! Generated Thu Apr 14 16:05:41 2011 PDT by vadim +! Generated Thu Apr 14 16:32:35 2011 PDT by vadim ! ! Compiled for pix 6.2 ! Outbound ACLs: not supported diff --git a/test/pix/firewall50.fw.orig b/test/pix/firewall50.fw.orig index 464e8ab57..525b5db9a 100755 --- a/test/pix/firewall50.fw.orig +++ b/test/pix/firewall50.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3526 ! -! Generated Thu Apr 14 16:05:41 2011 PDT by vadim +! Generated Thu Apr 14 16:32:36 2011 PDT by vadim ! ! Compiled for pix 7.0 ! Outbound ACLs: supported diff --git a/test/pix/firewall6.fw.orig b/test/pix/firewall6.fw.orig index ebc2b51e4..258f2c716 100755 --- a/test/pix/firewall6.fw.orig +++ b/test/pix/firewall6.fw.orig 
@@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3526 ! -! Generated Thu Apr 14 16:05:41 2011 PDT by vadim +! Generated Thu Apr 14 16:32:36 2011 PDT by vadim ! ! Compiled for pix 6.2 ! Outbound ACLs: not supported diff --git a/test/pix/firewall8.fw.orig b/test/pix/firewall8.fw.orig index 1fdbd0984..0e622d44d 100755 --- a/test/pix/firewall8.fw.orig +++ b/test/pix/firewall8.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3526 ! -! Generated Thu Apr 14 16:05:42 2011 PDT by vadim +! Generated Thu Apr 14 16:32:36 2011 PDT by vadim ! ! Compiled for pix 6.2 ! Outbound ACLs: not supported diff --git a/test/pix/firewall80.fw.orig b/test/pix/firewall80.fw.orig index 49c8acfc5..f14127369 100755 --- a/test/pix/firewall80.fw.orig +++ b/test/pix/firewall80.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3526 ! -! Generated Thu Apr 14 16:05:43 2011 PDT by vadim +! Generated Thu Apr 14 16:32:37 2011 PDT by vadim ! ! Compiled for pix 8.2 ! Outbound ACLs: supported diff --git a/test/pix/firewall81.fw.orig b/test/pix/firewall81.fw.orig index 54e07be68..5e52ec479 100755 --- a/test/pix/firewall81.fw.orig +++ b/test/pix/firewall81.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3526 ! -! Generated Thu Apr 14 16:05:43 2011 PDT by vadim +! Generated Thu Apr 14 16:32:37 2011 PDT by vadim ! ! Compiled for pix 8.3 ! Outbound ACLs: supported diff --git a/test/pix/firewall82.fw.orig b/test/pix/firewall82.fw.orig index 92b116d5f..8dd9c90de 100755 --- a/test/pix/firewall82.fw.orig +++ b/test/pix/firewall82.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3526 ! -! Generated Thu Apr 14 16:05:43 2011 PDT by vadim +! Generated Thu Apr 14 16:32:38 2011 PDT by vadim ! ! Compiled for pix 8.3 ! Outbound ACLs: supported diff --git a/test/pix/firewall83.fw.orig b/test/pix/firewall83.fw.orig index 9c72bc7a8..6872e72b5 100755 --- a/test/pix/firewall83.fw.orig +++ b/test/pix/firewall83.fw.orig 
@@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3526 ! -! Generated Thu Apr 14 16:05:44 2011 PDT by vadim +! Generated Thu Apr 14 16:32:38 2011 PDT by vadim ! ! Compiled for pix 8.3 ! Outbound ACLs: supported diff --git a/test/pix/firewall9.fw.orig b/test/pix/firewall9.fw.orig index 2cab3b810..ccff35357 100755 --- a/test/pix/firewall9.fw.orig +++ b/test/pix/firewall9.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3526 ! -! Generated Thu Apr 14 16:05:44 2011 PDT by vadim +! Generated Thu Apr 14 16:32:38 2011 PDT by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported diff --git a/test/pix/firewall90.fw.orig b/test/pix/firewall90.fw.orig index f6c8a74bc..339d385b3 100755 --- a/test/pix/firewall90.fw.orig +++ b/test/pix/firewall90.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3526 ! -! Generated Thu Apr 14 16:05:45 2011 PDT by vadim +! Generated Thu Apr 14 16:32:39 2011 PDT by vadim ! ! Compiled for pix 8.3 ! Outbound ACLs: supported diff --git a/test/pix/firewall91.fw.orig b/test/pix/firewall91.fw.orig index 79c3b4765..8e6f70cf2 100755 --- a/test/pix/firewall91.fw.orig +++ b/test/pix/firewall91.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3526 ! -! Generated Thu Apr 14 16:05:45 2011 PDT by vadim +! Generated Thu Apr 14 16:32:39 2011 PDT by vadim ! ! Compiled for pix 8.3 ! Outbound ACLs: supported diff --git a/test/pix/firewall92.fw.orig b/test/pix/firewall92.fw.orig index 6c06d38e7..1cd50fdc1 100755 --- a/test/pix/firewall92.fw.orig +++ b/test/pix/firewall92.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3526 ! -! Generated Thu Apr 14 16:05:46 2011 PDT by vadim +! Generated Thu Apr 14 16:32:39 2011 PDT by vadim ! ! Compiled for pix 8.3 ! Outbound ACLs: supported diff --git a/test/pix/firewall93.fw.orig b/test/pix/firewall93.fw.orig index 26d242850..6ce29ba82 100755 --- a/test/pix/firewall93.fw.orig +++ b/test/pix/firewall93.fw.orig 
@@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3526 ! -! Generated Thu Apr 14 16:05:46 2011 PDT by vadim +! Generated Thu Apr 14 16:32:40 2011 PDT by vadim ! ! Compiled for pix 8.3 ! Outbound ACLs: supported diff --git a/test/pix/firewall94.fw.orig b/test/pix/firewall94.fw.orig index eaa02e7ee..bac0a264a 100755 --- a/test/pix/firewall94.fw.orig +++ b/test/pix/firewall94.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3526 ! -! Generated Thu Apr 14 16:05:47 2011 PDT by vadim +! Generated Thu Apr 14 16:32:40 2011 PDT by vadim ! ! Compiled for pix 8.3 ! Outbound ACLs: supported diff --git a/test/pix/fwsm1.fw.orig b/test/pix/fwsm1.fw.orig index 33f4fd0b7..aa260970f 100755 --- a/test/pix/fwsm1.fw.orig +++ b/test/pix/fwsm1.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3526 ! -! Generated Thu Apr 14 16:05:48 2011 PDT by vadim +! Generated Thu Apr 14 16:32:41 2011 PDT by vadim ! ! Compiled for fwsm 2.3 ! Outbound ACLs: supported diff --git a/test/pix/fwsm2.fw.orig b/test/pix/fwsm2.fw.orig index aea985a80..f915f983d 100755 --- a/test/pix/fwsm2.fw.orig +++ b/test/pix/fwsm2.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3526 ! -! Generated Thu Apr 14 16:05:48 2011 PDT by vadim +! Generated Thu Apr 14 16:32:41 2011 PDT by vadim ! ! Compiled for fwsm 4.x ! Outbound ACLs: supported diff --git a/test/pix/fwsm3.fw.orig b/test/pix/fwsm3.fw.orig index bee6b1d2e..7bee88506 100755 --- a/test/pix/fwsm3.fw.orig +++ b/test/pix/fwsm3.fw.orig @@ -3,9 +3,9 @@ ! ! Firewall Builder fwb_pix v4.2.0.3526 ! -! Generated Thu Apr 14 16:05:49 2011 PDT by vadim +! Generated Thu Apr 14 16:32:42 2011 PDT by vadim ! -! Compiled for fwsm 4.x +! Compiled for fwsm 3.2 ! Outbound ACLs: supported ! Emulate outbound ACLs: yes ! Generating outbound ACLs: no 
@@ -13,9 +13,10 @@ ! !# files: * fwsm3.fw ! -! using manual commit mode - +! C fwsm3:Policy:18: error: Rule '18 (global)' shadows rule '20 (global)' below it +! C fwsm3:Policy:3: warning: Rule with direction 'Outbound' was suppressed because generation of outbound access lists is turned off in firewall object settings +! C fwsm3:Policy:13: warning: MAC address matching is not supported. One or several MAC addresses removed from source in the rule ! ! Prolog script: @@ -110,13 +111,11 @@ service-policy global_policy global !################ -access-list mode manual +access-list mode auto clear config access-list tmp_acl -access-list commit access-list tmp_acl permit ip 192.168.1.0 255.255.255.0 any access-list tmp_acl deny ip any any -access-list commit access-group tmp_acl in interface outside access-group tmp_acl in interface inside 
@@ -131,38 +130,247 @@ clear config access-list inside_acl_in clear config access-list outside_acl_in clear config icmp clear config telnet -access-list commit clear config object-group -object-group network id59803X13930.src.net.0 - network-object 10.0.0.0 255.255.255.0 - network-object 10.1.0.0 255.255.255.0 - network-object 172.16.0.1 255.255.255.255 - network-object 172.16.0.2 255.255.255.255 +object-group network id37010X447.dst.net.0 + network-object host 211.11.11.11 + network-object host 211.22.22.22 +exit + +object-group service id37010X447.srv.tcp.0 tcp + port-object eq 113 + port-object eq 80 + port-object eq 443 + port-object eq 143 + port-object eq 25 + port-object eq 22 + port-object eq 540 +exit + +object-group icmp-type id37094X447.srv.icmp.0 + icmp-object 3 + icmp-object 0 + icmp-object 11 +exit + +object-group service id37122X447.srv.tcp.0 tcp + port-object eq 70 + port-object eq 6667 + port-object eq 3128 + port-object eq 23 +exit + +object-group service id37122X447.srv.udp.0 udp + port-object eq 53 + port-object eq 161 +exit + +object-group network id37207X447.dst.net.0 + network-object host 192.168.1.10 + network-object host 192.168.1.20 +exit + +object-group network id37237X447.dst.net.0 + network-object 192.168.1.250 255.255.255.254 + network-object 192.168.1.252 255.255.255.252 +exit + +object-group network id37265X447.dst.net.0 + network-object 192.168.1.250 255.255.255.254 + network-object 192.168.1.252 255.255.255.252 +exit + +object-group network id37322X447.dst.net.0 + network-object host 192.168.1.11 + network-object host 192.168.1.12 + network-object host 192.168.1.13 + network-object host 192.168.1.14 + network-object host 192.168.1.15 +exit + +object-group service id37322X447.srv.tcp.0 tcp + port-object eq 113 + port-object eq 80 + port-object eq 443 + port-object eq 143 + port-object eq 25 + port-object eq 3128 + port-object eq 22 + port-object eq 540 +exit + +object-group network id37351X447.dst.net.0 + network-object 192.168.1.11 
255.255.255.255 + network-object 192.168.1.12 255.255.255.252 +exit + +object-group service id37380X447.srv.tcp.0 tcp + port-object eq 113 + port-object eq 13 + port-object eq 53 + port-object eq 2105 + port-object eq 21 + port-object eq 70 + port-object eq 80 + port-object eq 443 + port-object eq 143 + port-object eq 993 + port-object eq 6667 + port-object eq 6667 + port-object eq 543 + port-object eq 544 + port-object eq 389 + port-object eq 98 + port-object eq 3306 + port-object eq 2049 + port-object eq 119 + port-object eq 110 + port-object eq 5432 + port-object eq 515 + port-object eq 26000 + port-object eq 512 + port-object eq 513 + port-object eq 514 + port-object eq 4321 + port-object eq 25 + port-object eq 465 + port-object eq 1080 + port-object eq 3128 + port-object eq 22 + port-object eq 111 + port-object eq 23 + port-object range 10000 11000 + port-object eq 540 + port-object eq 7100 exit ! -! Rule 1 (ethernet1) -! need this rule to generate at least one object group -icmp permit 10.0.0.0 255.255.255.0 3 outside -access-list outside_acl_in permit icmp 10.0.0.0 255.255.255.0 host 22.22.22.22 3 -icmp permit 10.1.0.0 255.255.255.0 3 outside -access-list outside_acl_in permit icmp 10.1.0.0 255.255.255.0 host 22.22.22.22 3 -icmp permit host 172.16.0.1 3 outside -access-list outside_acl_in permit icmp host 172.16.0.1 host 22.22.22.22 3 -icmp permit host 172.16.0.2 3 outside -access-list outside_acl_in permit icmp host 172.16.0.2 host 22.22.22.22 3 -access-list outside_acl_in permit icmp object-group id59803X13930.src.net.0 any 3 +! Rule 2 (ethernet1) +icmp permit any 3 outside +access-list outside_acl_in permit icmp any host 22.22.22.22 3 +access-list outside_acl_in permit icmp any any 3 ! -! Rule 2 (global) +! Rule 3 (ethernet1) +! anti-spoofing rule +! 
fwsm3:Policy:3: warning: Rule with direction 'Outbound' was suppressed because generation of outbound access lists is turned off in firewall object settings + +access-list inside_acl_in permit ip 192.168.1.0 255.255.255.0 any log 0 interval 300 +! +! Rule 4 (ethernet0) +ssh 192.168.1.0 255.255.255.0 inside +! +! Rule 5 (ethernet0) +access-list inside_acl_in permit tcp any object-group id37010X447.dst.net.0 object-group id37010X447.srv.tcp.0 +access-list inside_acl_in permit tcp any object-group id37010X447.dst.net.0 object-group id37010X447.srv.tcp.0 +access-list dmz_acl_in permit tcp any object-group id37010X447.dst.net.0 object-group id37010X447.srv.tcp.0 +! +! Rule 6 (ethernet0) +access-list inside_acl_in deny ip any host 192.168.1.255 +! +! Rule 8 (global) +access-list outside_acl_in permit icmp any host 192.168.1.10 object-group id37094X447.srv.icmp.0 +access-list inside_acl_in permit icmp any host 192.168.1.10 object-group id37094X447.srv.icmp.0 +access-list dmz_acl_in permit icmp any host 192.168.1.10 object-group id37094X447.srv.icmp.0 +! +! 
Rule 9 (global) +access-list outside_acl_in permit icmp any host 192.168.1.10 +access-list inside_acl_in permit icmp any host 192.168.1.10 +access-list dmz_acl_in permit icmp any host 192.168.1.10 +access-list outside_acl_in permit tcp any host 192.168.1.10 object-group id37122X447.srv.tcp.0 +access-list inside_acl_in permit tcp any host 192.168.1.10 object-group id37122X447.srv.tcp.0 +access-list dmz_acl_in permit tcp any host 192.168.1.10 object-group id37122X447.srv.tcp.0 +access-list outside_acl_in permit udp any host 192.168.1.10 object-group id37122X447.srv.udp.0 +access-list inside_acl_in permit udp any host 192.168.1.10 object-group id37122X447.srv.udp.0 +access-list dmz_acl_in permit udp any host 192.168.1.10 object-group id37122X447.srv.udp.0 +access-list outside_acl_in permit 47 any host 192.168.1.10 +access-list inside_acl_in permit 47 any host 192.168.1.10 +access-list dmz_acl_in permit 47 any host 192.168.1.10 +! +! Rule 10 (global) +access-list outside_acl_in permit icmp any host 22.22.22.22 3 log 0 interval 300 +icmp permit any 3 inside +access-list inside_acl_in permit icmp any host 192.168.1.1 3 log 0 interval 300 +icmp permit any 3 dmz +access-list dmz_acl_in permit icmp any host 192.168.2.1 3 log 0 interval 300 +access-list outside_acl_in permit icmp any any 3 log 0 interval 300 +access-list inside_acl_in permit icmp any any 3 log 0 interval 300 +access-list dmz_acl_in permit icmp any any 3 log 0 interval 300 +access-list outside_acl_in permit 47 any any log 0 interval 300 +access-list inside_acl_in permit 47 any any log 0 interval 300 +access-list dmz_acl_in permit 47 any any log 0 interval 300 +access-list outside_acl_in permit 50 any any log 0 interval 300 +access-list inside_acl_in permit 50 any any log 0 interval 300 +access-list dmz_acl_in permit 50 any any log 0 interval 300 +! +! Rule 12 (global) +access-list outside_acl_in permit ip object-group id37010X447.dst.net.0 object-group id37207X447.dst.net.0 +! +! Rule 13 (global) +! 
fwsm3:Policy:13: warning: MAC address matching is not supported. One or several MAC addresses removed from source in the rule + +access-list inside_acl_in permit tcp host 192.168.1.10 object-group id37237X447.dst.net.0 eq 3128 +! +! Rule 14 (global) +access-list outside_acl_in permit tcp any object-group id37265X447.dst.net.0 eq 3128 +access-list inside_acl_in permit tcp any object-group id37265X447.dst.net.0 eq 3128 +access-list dmz_acl_in permit tcp any object-group id37265X447.dst.net.0 eq 3128 +! +! Rule 15 (global) +ssh 0.0.0.0 0.0.0.0 outside +ssh 0.0.0.0 0.0.0.0 inside +ssh 0.0.0.0 0.0.0.0 dmz +access-list outside_acl_in permit icmp any host 22.22.22.22 3 +access-list inside_acl_in permit icmp any host 192.168.1.1 3 +access-list dmz_acl_in permit icmp any host 192.168.2.1 3 +! +! Rule 16 (global) +access-list outside_acl_in permit tcp any object-group id37322X447.dst.net.0 object-group id37322X447.srv.tcp.0 +access-list inside_acl_in permit tcp any object-group id37322X447.dst.net.0 object-group id37322X447.srv.tcp.0 +access-list dmz_acl_in permit tcp any object-group id37322X447.dst.net.0 object-group id37322X447.srv.tcp.0 +! +! Rule 17 (global) +access-list outside_acl_in permit tcp any object-group id37351X447.dst.net.0 object-group id37322X447.srv.tcp.0 +access-list inside_acl_in permit tcp any object-group id37351X447.dst.net.0 object-group id37322X447.srv.tcp.0 +access-list dmz_acl_in permit tcp any object-group id37351X447.dst.net.0 object-group id37322X447.srv.tcp.0 +! +! Rule 18 (global) +! fwsm3:Policy:18: error: Rule '18 (global)' shadows rule '20 (global)' below it + +access-list outside_acl_in permit tcp any 192.168.1.0 255.255.255.0 object-group id37380X447.srv.tcp.0 +access-list inside_acl_in permit tcp any 192.168.1.0 255.255.255.0 object-group id37380X447.srv.tcp.0 +access-list dmz_acl_in permit tcp any 192.168.1.0 255.255.255.0 object-group id37380X447.srv.tcp.0 +! +! Rule 19 (global) +! objects hostA and hostB are +! 
redundant and should be removed by +! removeRedundantAddressesFromDst +access-list outside_acl_in permit tcp any 192.168.1.0 255.255.255.0 eq 1494 +access-list inside_acl_in permit tcp any 192.168.1.0 255.255.255.0 eq 1494 +access-list dmz_acl_in permit tcp any 192.168.1.0 255.255.255.0 eq 1494 +! +! Rule 20 (global) +access-list outside_acl_in permit tcp any gt 1023 host 192.168.1.10 eq 80 +access-list inside_acl_in permit tcp any gt 1023 host 192.168.1.10 eq 80 +access-list dmz_acl_in permit tcp any gt 1023 host 192.168.1.10 eq 80 +! +! Rule 23 (global) +access-list outside_acl_in permit ip host 22.22.22.22 host 22.22.22.22 log 0 interval 300 +access-list inside_acl_in permit ip host 192.168.1.1 host 192.168.1.1 log 0 interval 300 +access-list dmz_acl_in permit ip host 192.168.2.1 host 192.168.2.1 log 0 interval 300 +! +! Rule 24 (global) +access-list outside_acl_in permit ip host 22.22.22.22 any +access-list inside_acl_in permit ip host 192.168.1.1 any +access-list dmz_acl_in permit ip host 192.168.2.1 any +access-list inside_acl_in permit ip 192.168.1.0 255.255.255.0 any +! +! Rule 25 (global) access-list outside_acl_in deny ip any any log 0 interval 300 access-list inside_acl_in deny ip any any log 0 interval 300 access-list dmz_acl_in deny ip any any log 0 interval 300 -access-list commit - access-group dmz_acl_in in interface dmz access-group inside_acl_in in interface inside access-group outside_acl_in in interface outside 
@@ -172,7 +380,56 @@ access-group outside_acl_in in interface outside global (outside) 1 interface nat (inside) 1 192.168.1.0 255.255.255.0 0 0 global (dmz) 1 interface -! +! +! +! Rule 1 (NAT) +nat (dmz) 1 0.0.0.0 0.0.0.0 0 0 +! +! Rule 2 (NAT) +nat (inside) 1 0.0.0.0 0.0.0.0 0 0 +! +! +! Rule 3 (NAT) +global (outside) 1 22.22.22.0 netmask 255.255.255.0 +! +! +! Rule 4 (NAT) +global (outside) 1 22.22.22.21-22.22.22.25 netmask 255.255.255.0 +! +! +! Rule 5 (NAT) +static (inside,outside) tcp interface 25 192.168.1.10 25 0 0 +! +! Rule 6 (NAT) +global (inside) 8 interface +nat (dmz) 8 192.168.2.0 255.255.255.0 outside +! +! Rule 7 (NAT) + +clear config access-list nat0.inside +access-list nat0.inside permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 +nat (inside) 0 access-list nat0.inside +! +! Rule 8 (NAT) + +access-list nat0.inside permit ip host 192.168.1.11 192.168.2.0 255.255.255.0 + +access-list nat0.inside permit ip host 192.168.1.12 192.168.2.0 255.255.255.0 + +access-list nat0.inside permit ip host 192.168.1.13 192.168.2.0 255.255.255.0 + +access-list nat0.inside permit ip host 192.168.1.14 192.168.2.0 255.255.255.0 + +access-list nat0.inside permit ip host 192.168.1.15 192.168.2.0 255.255.255.0 +! +! Rule 9 (NAT) +nat (dmz) 0 0 0 +! +! Rule 10 (NAT) +static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 +! +! Rule 11 (NAT) +static (inside,dmz) 192.168.1.10 192.168.1.10 netmask 255.255.255.255 diff --git a/test/pix/fwsm4.fw.orig b/test/pix/fwsm4.fw.orig new file mode 100755 index 000000000..4fe313f5b --- /dev/null +++ b/test/pix/fwsm4.fw.orig 
@@ -0,0 +1,184 @@ +! +! This is automatically generated file. DO NOT MODIFY ! +! +! Firewall Builder fwb_pix v4.2.0.3526 +! +! Generated Thu Apr 14 16:32:41 2011 PDT by vadim +! +! Compiled for fwsm 4.x +! Outbound ACLs: supported +! Emulate outbound ACLs: yes +! Generating outbound ACLs: no +! Assume firewall is part of any: yes +! +!# files: * fwsm4.fw +! +! using manual commit mode + + + +! +! Prolog script: +! + +! +! End of prolog script: +! + + + + +hostname fwsm4 + +interface ethernet1 + nameif outside + security-level 0 +exit + +interface ethernet0 + nameif inside + security-level 100 +exit + +interface ethernet2 + nameif dmz + security-level 50 +exit + + + +logging host inside 192.168.1.30 +logging queue 512 +logging facility 16 +logging trap 0 +no logging buffered +no logging console +no logging timestamp +logging on + + +timeout xlate 3:0:0 +timeout conn 1:0:0 +timeout udp 0:2:0 +timeout sunrpc 0:10:0 +timeout h323 0:5:0 +timeout sip 0:30:0 +timeout sip_media 0:0:0 +timeout half-closed 0:0:0 +timeout uauth 2:0:0 absolute + +telnet timeout 5 + +clear config ssh +aaa authentication ssh console LOCAL +ssh timeout 5 + +clear config snmp-server +snmp-server community public +snmp-server enable traps +snmp-server host inside 192.168.1.20 poll +snmp-server host inside 192.168.1.22 trap + + + + +no service resetinbound +sysopt connection tcpmss 1380 +sysopt nodnsalias inbound +sysopt nodnsalias outbound + + +class-map inspection_default + match default-inspection-traffic + +policy-map global_policy + class inspection_default + inspect ftp + inspect h323 h225 + inspect h323 ras + inspect http + inspect ils + inspect rsh + inspect rtsp + inspect sip + inspect skinny + inspect esmtp + inspect sqlnet + +service-policy global_policy global + + + +!################ +access-list mode manual + +clear config access-list tmp_acl +access-list commit +access-list tmp_acl permit ip 192.168.1.0 255.255.255.0 any +access-list tmp_acl deny ip any any +access-list commit + 
+access-group tmp_acl in interface outside +access-group tmp_acl in interface inside +access-group tmp_acl in interface dmz + +clear xlate +clear config static +clear config global +clear config nat +clear config access-list dmz_acl_in +clear config access-list inside_acl_in +clear config access-list outside_acl_in +clear config icmp +clear config telnet +access-list commit +clear config object-group + + +object-group network id59803X13930.src.net.0 + network-object 10.0.0.0 255.255.255.0 + network-object 10.1.0.0 255.255.255.0 + network-object 172.16.0.1 255.255.255.255 + network-object 172.16.0.2 255.255.255.255 +exit + +! +! Rule 1 (ethernet1) +! need this rule to generate at least one object group +icmp permit 10.0.0.0 255.255.255.0 3 outside +access-list outside_acl_in permit icmp 10.0.0.0 255.255.255.0 host 22.22.22.22 3 +icmp permit 10.1.0.0 255.255.255.0 3 outside +access-list outside_acl_in permit icmp 10.1.0.0 255.255.255.0 host 22.22.22.22 3 +icmp permit host 172.16.0.1 3 outside +access-list outside_acl_in permit icmp host 172.16.0.1 host 22.22.22.22 3 +icmp permit host 172.16.0.2 3 outside +access-list outside_acl_in permit icmp host 172.16.0.2 host 22.22.22.22 3 +access-list outside_acl_in permit icmp object-group id59803X13930.src.net.0 any 3 +! +! Rule 2 (global) +access-list outside_acl_in deny ip any any log 0 interval 300 +access-list inside_acl_in deny ip any any log 0 interval 300 +access-list dmz_acl_in deny ip any any log 0 interval 300 + + +access-list commit + +access-group dmz_acl_in in interface dmz +access-group inside_acl_in in interface inside +access-group outside_acl_in in interface outside + +! +! Rule 0 (NAT) +global (outside) 1 interface +nat (inside) 1 192.168.1.0 255.255.255.0 0 0 +global (dmz) 1 interface +! + + + +! +! Epilog script: +! + +! End of epilog script: +! diff --git a/test/pix/objects-for-regression-tests.fwb b/test/pix/objects-for-regression-tests.fwb index ec2effa36..0e8413f73 100644 
--- a/test/pix/objects-for-regression-tests.fwb +++ b/test/pix/objects-for-regression-tests.fwb @@ -1,6 +1,6 @@ - + @@ -22268,7 +22268,7 @@ no sysopt nodnsalias outbound - + @@ -22369,15 +22369,15 @@ no sysopt nodnsalias outbound - + - + - + 
@@ -22608,6 +22608,1144 @@ no sysopt nodnsalias outbound + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/test/pix/pix515.fw.orig b/test/pix/pix515.fw.orig index ff357f0f2..6f836471d 100755 --- a/test/pix/pix515.fw.orig +++ b/test/pix/pix515.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3526 ! -! Generated Thu Apr 14 16:05:49 2011 PDT by vadim +! Generated Thu Apr 14 16:32:42 2011 PDT by vadim ! ! Compiled for pix 7.0 ! Outbound ACLs: supported diff --git a/test/pix/real.fw.orig b/test/pix/real.fw.orig index 9bb7d4cf2..b40d7caa3 100755 --- a/test/pix/real.fw.orig +++ b/test/pix/real.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3526 ! -! Generated Thu Apr 14 16:05:49 2011 PDT by vadim +! Generated Thu Apr 14 16:32:43 2011 PDT by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported diff --git a/test/pix/test_net_zone_2.fw.orig b/test/pix/test_net_zone_2.fw.orig index 14b2a9ced..73cdc1ada 100755 --- a/test/pix/test_net_zone_2.fw.orig +++ b/test/pix/test_net_zone_2.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3526 ! -! Generated Thu Apr 14 16:05:50 2011 PDT by vadim +! Generated Thu Apr 14 16:32:43 2011 PDT by vadim ! ! Compiled for pix 6.1 ! Outbound ACLs: not supported