* PolicyCompiler_cisco.cpp (processNext): see #2308 "ASA rules

with service set to "http" and destination set to asa firewall object should generate different command syntax". Policy rules that have firewall object in Destination and http object in Service now generate "http" commands. This is similar to how fwbuilder generates "ssh", "telnet" and "icmp" commands to permit corresponding services to the firewall itself.
2026-03-18 17:27:20 +01:00 · 2011-04-08 18:08:56 -07:00 · 2011-04-08 18:08:56 -07:00 · 126b561e32
commit 126b561e32
parent 7d7e5e7c47
46 changed files with 271 additions and 258 deletions
--- a/doc/ChangeLog
+++ b/doc/ChangeLog
@ -1,5 +1,13 @@
 2011-04-08  vadim  <vadim@netcitadel.com>

+	* PolicyCompiler_cisco.cpp (processNext): see #2308 "ASA rules
+	with service set to "http" and destination set to asa firewall
+	object should generate different command syntax". Policy rules
+	that have firewall object in Destination and http object in
+	Service now generate "http" commands. This is similar to how
+	fwbuilder generates "ssh", "telnet" and "icmp" commands to permit
+	corresponding services to the firewall itself.
+
 	* pix.g (static_starts_with_tcp_udp): more fixes for import of
 	PIX/ASA "static" command in different variations. See #2334

--- a/src/cisco_lib/PolicyCompiler_cisco.cpp
+++ b/src/cisco_lib/PolicyCompiler_cisco.cpp
@ -31,6 +31,7 @@
 #include "NamedObjectsManager.h"

 #include "fwbuilder/AddressTable.h"
+#include "fwbuilder/Cluster.h"
 #include "fwbuilder/FWObjectDatabase.h"
 #include "fwbuilder/ICMPService.h"
 #include "fwbuilder/IPService.h"
@ -493,16 +494,22 @@ bool PolicyCompiler_cisco::specialCaseWithDynInterface::processNext()
 */
 bool PolicyCompiler_cisco::tcpServiceToFW::processNext()
 {
-    PolicyRule     *rule=getNext(); if (rule==NULL) return false;
-    PolicyCompiler_cisco *cisco_comp=dynamic_cast<PolicyCompiler_cisco*>(compiler);
-//    RuleElementSrc *src=rule->getSrc();
-//    RuleElementDst *dst=rule->getDst();
-    RuleElementSrv *srv=rule->getSrv();
-    Address  *a=compiler->getFirstDst(rule);
+    PolicyRule *rule = getNext(); if (rule==NULL) return false;
+    PolicyCompiler_cisco *cisco_comp =
+        dynamic_cast<PolicyCompiler_cisco*>(compiler);
+
+    RuleElementSrv *srv = rule->getSrv();
+    Address *a = compiler->getFirstDst(rule);
    assert(a!=NULL);

-    if (rule->getAction()==PolicyRule::Accept && 
-        compiler->complexMatch(a,cisco_comp->fw)) 
+    if (rule->getAction()==PolicyRule::Accept
+        &&
+        (
+            (Cluster::cast(a) != NULL && Cluster::cast(a)->hasMember(compiler->fw))
+            ||
+            a->getId() == compiler->fw->getId()
+        )
+    )
    {
        std::list<FWObject*> cl;
        for (list<FWObject*>::iterator i1=srv->begin(); i1!=srv->end(); ++i1) 
@ -515,6 +522,7 @@ bool PolicyCompiler_cisco::tcpServiceToFW::processNext()
                TCPUDPService::cast(s)->getDstRangeStart()==port && 
                TCPUDPService::cast(s)->getDstRangeEnd()==port) cl.push_back(obj);
        }
+
        if (!cl.empty()) 
        {
            PolicyRule  *r = compiler->dbcopy->createPolicyRule();
@ -527,7 +535,7 @@ bool PolicyCompiler_cisco::tcpServiceToFW::processNext()
            RuleElementSrv *nsrv = r->getSrv();
            nsrv->clearChildren();
            nsrv->addRef( cl.front() );
-            r->setBool("ssh_telnet_cmd",true);
+            r->setBool("tcp_service_to_fw", true);
            tmp_queue.push_back(r);

            for (list<FWObject*>::iterator i1=cl.begin(); i1!=cl.end(); ++i1)  
--- a/src/cisco_lib/PolicyCompiler_cisco.h
+++ b/src/cisco_lib/PolicyCompiler_cisco.h
@ -291,7 +291,7 @@ protected:
        class telnetToFirewall : public tcpServiceToFW
        {
            public:
-            telnetToFirewall(const std::string &n):tcpServiceToFW(23,n) {}
+            telnetToFirewall(const std::string &n):tcpServiceToFW(23, n) {}
        };
        friend  class telnetToFirewall;

@ -301,10 +301,20 @@ protected:
        class sshToFirewall : public tcpServiceToFW
        {
            public:
-            sshToFirewall(const std::string &n):tcpServiceToFW(22,n) {}
+            sshToFirewall(const std::string &n):tcpServiceToFW(22, n) {}
        };
        friend  class sshToFirewall;

+        /**
+         * this processor splits rules if it finds telnet to firewall
+         */
+        class httpToFirewall : public tcpServiceToFW
+        {
+            public:
+            httpToFirewall(const std::string &n):tcpServiceToFW(80, n) {}
+        };
+        friend  class httpToFirewall;
+
        /**
         * replace fw with one of its interfaces in SRC in interface
         * policy rule
--- a/src/cisco_lib/PolicyCompiler_pix.cpp
+++ b/src/cisco_lib/PolicyCompiler_pix.cpp
@ -544,7 +544,10 @@ void PolicyCompiler_pix::compile()

    add( new telnetToFirewall(
             "separate rules controlling telnet to firewall"));
-    add( new sshToFirewall("separate rules controlling ssh to firewall" ));
+    add( new sshToFirewall(
+             "separate rules controlling ssh to firewall" ));
+    add( new httpToFirewall(
+             "separate rules controlling http to firewall"));

    add( new separateSrcPort("split rules matching source ports"));
    add( new separateCustom("split rules matching custom services"));
--- a/src/cisco_lib/PolicyCompiler_pix_v6_acls.cpp
+++ b/src/cisco_lib/PolicyCompiler_pix_v6_acls.cpp
@ -75,7 +75,7 @@ bool PolicyCompiler_pix::InterfaceAndDirection_v6::processNext()
    tmp_queue.push_back(rule);

    bool icmp_cmd = rule->getBool("icmp_cmd");
-    bool ssh_telnet_cmd = rule->getBool("ssh_telnet_cmd");
+    bool tcp_service_to_fw = rule->getBool("tcp_service_to_fw");

 //    int interface_id = rule->getInterfaceId();
    RuleElementItf *intf_re = rule->getItf();
@ -86,7 +86,7 @@ bool PolicyCompiler_pix::InterfaceAndDirection_v6::processNext()
    if (intf_re->isAny() && rule->getDirection()==PolicyRule::Both)
        return true;

-    if (intf_re->isAny() && !icmp_cmd && !ssh_telnet_cmd && (
+    if (intf_re->isAny() && !icmp_cmd && !tcp_service_to_fw && (
            rule->getDirection()==PolicyRule::Inbound ||
            rule->getDirection()==PolicyRule::Outbound)
    ) compiler->abort(rule, "Direction set without interface");
--- a/src/cisco_lib/PolicyCompiler_pix_writers.cpp
+++ b/src/cisco_lib/PolicyCompiler_pix_writers.cpp
@ -308,8 +308,6 @@ string PolicyCompiler_pix::PrintRule::_printSSHTelnetCommand(PolicyRule *rule)
    RuleElementSrc *rel = rule->getSrc();
    Service *srv = compiler->getFirstSrv(rule);

-//    Interface *rule_iface = Interface::cast(compiler->dbcopy->findInIndex(rule->getInterfaceId()));
-
    RuleElementItf *intf_re = rule->getItf();
    Interface *rule_iface = Interface::cast(
        FWObjectReference::getObject(intf_re->front()));
@ -319,54 +317,43 @@ string PolicyCompiler_pix::PrintRule::_printSSHTelnetCommand(PolicyRule *rule)

    for (FWObject::iterator i=rel->begin(); i!=rel->end(); ++i)
    {
-        FWObject *o = *i;
-        if (FWReference::cast(o)!=NULL) o=FWReference::cast(o)->getPointer();
-//        Address *a;
+        FWObject *o = FWReference::getObject(*i);

        if (dynamic_cast<PIXObjectGroup*>(o)!=NULL)
        {
            for (FWObject::iterator j=o->begin(); j!=o->end(); ++j)
            {
-                FWObject *o1 = *j;
-                if (FWReference::cast(o1)!=NULL) 
-                    o1=FWReference::cast(o1)->getPointer();
-                Address *a=Address::cast(o1);
+                Address *a = Address::cast(FWReference::getObject(*j));
                assert(a!=NULL);
-                str << _printSingleSSHTelnetCommand(
-                    port, a, rule_iface->getLabel());
+                str << _printSingleSSHTelnetCommand(port, a, rule_iface->getLabel());
            }
        } else
        {
-            Address *a=Address::cast(o);
+            Address *a = Address::cast(o);
            assert(a!=NULL);
-            str << _printSingleSSHTelnetCommand(
-                port, a, rule_iface->getLabel());
+            str << _printSingleSSHTelnetCommand(port, a, rule_iface->getLabel());
        }
    }

    return str.str();
 }

-string PolicyCompiler_pix::PrintRule::_printSingleSSHTelnetCommand(int port,
-                                                Address *a,
-                                                const string &interfaceLabel)
+string PolicyCompiler_pix::PrintRule::_printSingleSSHTelnetCommand(
+    int port, Address *a, const string &interfaceLabel)
 {
    string res;

-    if (port==23) 
+    if (port==22) res = "ssh ";
+    if (port==23) res = "telnet ";
+    if (port==80) res = "http ";
+
+    if (!res.empty())
    {
-        res += "telnet ";
-        res += a->getAddressPtr()->toString() + " " 
-            + a->getNetmaskPtr()->toString() + " "
-            + interfaceLabel     + "\n";
-    }
-    if (port==22) 
-    {
-        res += "ssh    ";
        res += a->getAddressPtr()->toString() + " " 
            + a->getNetmaskPtr()->toString() + " "
            + interfaceLabel     + "\n";
    }
+
    return res;
 }

@ -398,7 +385,7 @@ bool PolicyCompiler_pix::PrintRule::processNext()
 //        return true;
    } 

-    if (rule->getBool("ssh_telnet_cmd"))
+    if (rule->getBool("tcp_service_to_fw"))
    {
        compiler->output << _printSSHTelnetCommand(rule);
        return true;
--- a/test/pix/cluster1-1_pix1.fw.orig
+++ b/test/pix/cluster1-1_pix1.fw.orig
@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3519
+!  Firewall Builder  fwb_pix v4.2.0.3522
 !
-!  Generated Thu Apr  7 10:50:25 2011 PDT by vadim
+!  Generated Fri Apr  8 18:06:03 2011 PDT by vadim
 !
 ! Compiled for pix 7.0
 ! Outbound ACLs: supported
@ -147,7 +147,6 @@ object-group network id56627X61097.src.net.0
  network-object host 192.0.2.253 
 exit

-
 !################
 ! 
 ! Rule  0 (Ethernet0.101)
@ -160,10 +159,10 @@ access-list outside_in deny   ip 10.3.14.0 255.255.255.0 any log 2 interval 300
 ! Rule  1 (global)
 ! SSH Access to firewall is permitted
 ! only from internal network
-ssh    10.3.14.0 255.255.255.0 inside
+ssh 10.3.14.0 255.255.255.0 inside
 ! 
 ! Rule  2 (global)
-ssh    10.3.14.0 255.255.255.0 inside
+ssh 10.3.14.0 255.255.255.0 inside
 ! 
 ! Rule  3 (global)
 ! Firewall uses one of the machines
--- a/test/pix/cluster1-1_pix2.fw.orig
+++ b/test/pix/cluster1-1_pix2.fw.orig
@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3519
+!  Firewall Builder  fwb_pix v4.2.0.3522
 !
-!  Generated Thu Apr  7 10:50:25 2011 PDT by vadim
+!  Generated Fri Apr  8 18:06:03 2011 PDT by vadim
 !
 ! Compiled for pix 7.0
 ! Outbound ACLs: supported
@ -147,7 +147,6 @@ object-group network id56627X61097.src.net.0
  network-object host 192.0.2.253 
 exit

-
 !################
 ! 
 ! Rule  0 (Ethernet0.101)
@ -160,10 +159,10 @@ access-list outside_in deny   ip 10.3.14.0 255.255.255.0 any log 3 interval 300
 ! Rule  1 (global)
 ! SSH Access to firewall is permitted
 ! only from internal network
-ssh    10.3.14.0 255.255.255.0 inside
+ssh 10.3.14.0 255.255.255.0 inside
 ! 
 ! Rule  2 (global)
-ssh    10.3.14.0 255.255.255.0 inside
+ssh 10.3.14.0 255.255.255.0 inside
 ! 
 ! Rule  3 (global)
 ! Firewall uses one of the machines
--- a/test/pix/cluster1_pix1.fw.orig
+++ b/test/pix/cluster1_pix1.fw.orig
@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3519
+!  Firewall Builder  fwb_pix v4.2.0.3522
 !
-!  Generated Thu Apr  7 10:50:24 2011 PDT by vadim
+!  Generated Fri Apr  8 18:06:03 2011 PDT by vadim
 !
 ! Compiled for pix 7.0
 ! Outbound ACLs: supported
@ -147,7 +147,6 @@ object-group network id55439X897.src.net.0
  network-object host 192.0.2.253 
 exit

-
 !################
 ! 
 ! Rule  0 (Ethernet0.101)
@ -160,10 +159,10 @@ access-list outside_in deny   ip 10.3.14.0 255.255.255.0 any log 2 interval 300
 ! Rule  1 (global)
 ! SSH Access to firewall is permitted
 ! only from internal network
-ssh    10.3.14.0 255.255.255.0 inside
+ssh 10.3.14.0 255.255.255.0 inside
 ! 
 ! Rule  2 (global)
-ssh    10.3.14.0 255.255.255.0 inside
+ssh 10.3.14.0 255.255.255.0 inside
 ! 
 ! Rule  3 (global)
 ! Firewall uses one of the machines
@ -180,32 +179,32 @@ access-list inside_out permit udp object-group id2913X78273.src.net.1 10.3.14.0
 access-list inside_out permit udp object-group id2913X78273.src.net.2 10.3.14.0 255.255.255.0 eq 53 log 2 interval 300
 ! 
 ! Rule  5 (Ethernet0.101,Ethernet0.102)
-ssh    0.0.0.0 0.0.0.0 outside
-ssh    0.0.0.0 0.0.0.0 outside
-ssh    0.0.0.0 0.0.0.0 outside
-ssh    0.0.0.0 0.0.0.0 outside
-ssh    0.0.0.0 0.0.0.0 outside
-ssh    0.0.0.0 0.0.0.0 outside
-ssh    0.0.0.0 0.0.0.0 dmz20
-ssh    0.0.0.0 0.0.0.0 dmz20
-ssh    0.0.0.0 0.0.0.0 dmz20
-ssh    0.0.0.0 0.0.0.0 dmz20
-ssh    0.0.0.0 0.0.0.0 dmz20
-ssh    0.0.0.0 0.0.0.0 dmz20
+ssh 0.0.0.0 0.0.0.0 outside
+ssh 0.0.0.0 0.0.0.0 outside
+ssh 0.0.0.0 0.0.0.0 outside
+ssh 0.0.0.0 0.0.0.0 outside
+ssh 0.0.0.0 0.0.0.0 outside
+ssh 0.0.0.0 0.0.0.0 outside
+ssh 0.0.0.0 0.0.0.0 dmz20
+ssh 0.0.0.0 0.0.0.0 dmz20
+ssh 0.0.0.0 0.0.0.0 dmz20
+ssh 0.0.0.0 0.0.0.0 dmz20
+ssh 0.0.0.0 0.0.0.0 dmz20
+ssh 0.0.0.0 0.0.0.0 dmz20
 ! 
 ! Rule  6 (cl1 itf)
-ssh    0.0.0.0 0.0.0.0 outside
-ssh    0.0.0.0 0.0.0.0 outside
-ssh    0.0.0.0 0.0.0.0 outside
-ssh    0.0.0.0 0.0.0.0 outside
-ssh    0.0.0.0 0.0.0.0 outside
-ssh    0.0.0.0 0.0.0.0 outside
-ssh    0.0.0.0 0.0.0.0 dmz20
-ssh    0.0.0.0 0.0.0.0 dmz20
-ssh    0.0.0.0 0.0.0.0 dmz20
-ssh    0.0.0.0 0.0.0.0 dmz20
-ssh    0.0.0.0 0.0.0.0 dmz20
-ssh    0.0.0.0 0.0.0.0 dmz20
+ssh 0.0.0.0 0.0.0.0 outside
+ssh 0.0.0.0 0.0.0.0 outside
+ssh 0.0.0.0 0.0.0.0 outside
+ssh 0.0.0.0 0.0.0.0 outside
+ssh 0.0.0.0 0.0.0.0 outside
+ssh 0.0.0.0 0.0.0.0 outside
+ssh 0.0.0.0 0.0.0.0 dmz20
+ssh 0.0.0.0 0.0.0.0 dmz20
+ssh 0.0.0.0 0.0.0.0 dmz20
+ssh 0.0.0.0 0.0.0.0 dmz20
+ssh 0.0.0.0 0.0.0.0 dmz20
+ssh 0.0.0.0 0.0.0.0 dmz20
 ! 
 ! Rule  7 (Ethernet0.101,Ethernet0.102)
 access-list outside_in permit udp any 10.3.14.0 255.255.255.0 eq 53 
--- a/test/pix/cluster1_pix2.fw.orig
+++ b/test/pix/cluster1_pix2.fw.orig
@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3519
+!  Firewall Builder  fwb_pix v4.2.0.3522
 !
-!  Generated Thu Apr  7 10:50:24 2011 PDT by vadim
+!  Generated Fri Apr  8 18:06:03 2011 PDT by vadim
 !
 ! Compiled for pix 7.0
 ! Outbound ACLs: supported
@ -152,7 +152,6 @@ object-group network id3401X82678.dst.net.0
  network-object host 192.0.2.254 
 exit

-
 !################
 ! 
 ! Rule  0 (Ethernet0.101)
@ -165,10 +164,10 @@ access-list outside_in deny   ip 10.3.14.0 255.255.255.0 any log 3 interval 300
 ! Rule  1 (global)
 ! SSH Access to firewall is permitted
 ! only from internal network
-ssh    10.3.14.0 255.255.255.0 inside
+ssh 10.3.14.0 255.255.255.0 inside
 ! 
 ! Rule  2 (global)
-ssh    10.3.14.0 255.255.255.0 inside
+ssh 10.3.14.0 255.255.255.0 inside
 ! 
 ! Rule  3 (global)
 ! Firewall uses one of the machines
@ -185,32 +184,32 @@ access-list inside_out permit udp object-group id2913X78273.src.net.1 10.3.14.0
 access-list inside_out permit udp object-group id2913X78273.src.net.2 10.3.14.0 255.255.255.0 eq 53 log 3 interval 300
 ! 
 ! Rule  5 (Ethernet0.101,Ethernet0.102)
-ssh    0.0.0.0 0.0.0.0 outside
-ssh    0.0.0.0 0.0.0.0 outside
-ssh    0.0.0.0 0.0.0.0 outside
-ssh    0.0.0.0 0.0.0.0 outside
-ssh    0.0.0.0 0.0.0.0 outside
-ssh    0.0.0.0 0.0.0.0 outside
-ssh    0.0.0.0 0.0.0.0 dmz20
-ssh    0.0.0.0 0.0.0.0 dmz20
-ssh    0.0.0.0 0.0.0.0 dmz20
-ssh    0.0.0.0 0.0.0.0 dmz20
-ssh    0.0.0.0 0.0.0.0 dmz20
-ssh    0.0.0.0 0.0.0.0 dmz20
+ssh 0.0.0.0 0.0.0.0 outside
+ssh 0.0.0.0 0.0.0.0 outside
+ssh 0.0.0.0 0.0.0.0 outside
+ssh 0.0.0.0 0.0.0.0 outside
+ssh 0.0.0.0 0.0.0.0 outside
+ssh 0.0.0.0 0.0.0.0 outside
+ssh 0.0.0.0 0.0.0.0 dmz20
+ssh 0.0.0.0 0.0.0.0 dmz20
+ssh 0.0.0.0 0.0.0.0 dmz20
+ssh 0.0.0.0 0.0.0.0 dmz20
+ssh 0.0.0.0 0.0.0.0 dmz20
+ssh 0.0.0.0 0.0.0.0 dmz20
 ! 
 ! Rule  6 (cl1 itf)
-ssh    0.0.0.0 0.0.0.0 outside
-ssh    0.0.0.0 0.0.0.0 outside
-ssh    0.0.0.0 0.0.0.0 outside
-ssh    0.0.0.0 0.0.0.0 outside
-ssh    0.0.0.0 0.0.0.0 outside
-ssh    0.0.0.0 0.0.0.0 outside
-ssh    0.0.0.0 0.0.0.0 dmz20
-ssh    0.0.0.0 0.0.0.0 dmz20
-ssh    0.0.0.0 0.0.0.0 dmz20
-ssh    0.0.0.0 0.0.0.0 dmz20
-ssh    0.0.0.0 0.0.0.0 dmz20
-ssh    0.0.0.0 0.0.0.0 dmz20
+ssh 0.0.0.0 0.0.0.0 outside
+ssh 0.0.0.0 0.0.0.0 outside
+ssh 0.0.0.0 0.0.0.0 outside
+ssh 0.0.0.0 0.0.0.0 outside
+ssh 0.0.0.0 0.0.0.0 outside
+ssh 0.0.0.0 0.0.0.0 outside
+ssh 0.0.0.0 0.0.0.0 dmz20
+ssh 0.0.0.0 0.0.0.0 dmz20
+ssh 0.0.0.0 0.0.0.0 dmz20
+ssh 0.0.0.0 0.0.0.0 dmz20
+ssh 0.0.0.0 0.0.0.0 dmz20
+ssh 0.0.0.0 0.0.0.0 dmz20
 ! 
 ! Rule  7 (Ethernet0.101,Ethernet0.102)
 access-list outside_in permit udp any 10.3.14.0 255.255.255.0 eq 53 
--- a/test/pix/firewall.fw.orig
+++ b/test/pix/firewall.fw.orig
@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3519
+!  Firewall Builder  fwb_pix v4.2.0.3522
 !
-!  Generated Thu Apr  7 10:50:12 2011 PDT by vadim
+!  Generated Fri Apr  8 18:05:51 2011 PDT by vadim
 !
 ! Compiled for pix 6.2
 ! Outbound ACLs: not supported
@ -274,7 +274,6 @@ clear telnet
 clear object-group


-
 object-group network id3C4E4C38.dst.net.0
  network-object host 211.11.11.11 
  network-object host 211.22.22.22 
@ -387,7 +386,6 @@ object-group service pol-firewall2-4.srv.tcp.0 tcp
  port-object eq 7100
 exit

-
 !################

 clear access-list tmp_acl
@ -399,7 +397,7 @@ access-group tmp_acl in interface inside

 ! 
 ! Rule  -1 backup ssh access rule (automatic)
-ssh    192.168.1.100 255.255.255.255 inside
+ssh 192.168.1.100 255.255.255.255 inside
 ! 
 ! Rule  0 (global)
 ! firewall:Policy:0: error: Rule '0 (global)' shadows rule '1 (ethernet1)'  below it
@ -441,7 +439,7 @@ access-list outside_acl_in permit icmp any any 3
 access-list inside_acl_in permit ip 192.168.1.0 255.255.255.0 any 
 ! 
 ! Rule  4 (ethernet0)
-ssh    192.168.1.0 255.255.255.0 inside
+ssh 192.168.1.0 255.255.255.0 inside
 ! 
 ! Rule  5 (ethernet0)
 access-list inside_acl_in permit tcp any object-group id3C4E4C38.dst.net.0 object-group id3C4E4C38.srv.tcp.0 
@ -500,12 +498,9 @@ access-list inside_acl_in permit tcp any object-group id3D0F8031.dst.net.0 eq 31
 access-list dmz_acl_in permit tcp any object-group id3D0F8031.dst.net.0 eq 3128 
 ! 
 ! Rule  15 (global)
-access-list outside_acl_in permit icmp any host 22.22.22.22 3 
-access-list inside_acl_in permit icmp any host 192.168.1.1 3 
-access-list dmz_acl_in permit icmp any host 192.168.2.1 3 
-access-list outside_acl_in permit tcp any host 22.22.22.22 eq 80 
-access-list inside_acl_in permit tcp any host 192.168.1.1 eq 80 
-access-list dmz_acl_in permit tcp any host 192.168.2.1 eq 80 
+http 192.168.1.0 255.255.255.0 inside
+icmp permit 192.168.1.0 255.255.255.0 3  inside
+access-list inside_acl_in permit icmp 192.168.1.0 255.255.255.0 host 192.168.1.1 3 
 ! 
 ! Rule  16 (global)
 access-list outside_acl_in permit tcp any object-group id3CD87B1E.dst.net.0 object-group id3CD87B1E.srv.tcp.0 
--- a/test/pix/firewall1.fw.orig
+++ b/test/pix/firewall1.fw.orig
@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3519
+!  Firewall Builder  fwb_pix v4.2.0.3522
 !
-!  Generated Thu Apr  7 10:50:12 2011 PDT by vadim
+!  Generated Fri Apr  8 18:05:50 2011 PDT by vadim
 !
 ! Compiled for pix 6.1
 ! Outbound ACLs: not supported
@ -69,6 +69,8 @@ no sysopt route dnat
 floodguard disable


+
+
 !################
 ! 
 ! Rule  2 (eth1)
@ -103,8 +105,8 @@ access-list dmz_acl_in permit icmp any host 192.168.2.1 11

 telnet 0.0.0.0 0.0.0.0 inside
 telnet 0.0.0.0 0.0.0.0 dmz
-ssh    0.0.0.0 0.0.0.0 inside
-ssh    0.0.0.0 0.0.0.0 dmz
+ssh 0.0.0.0 0.0.0.0 inside
+ssh 0.0.0.0 0.0.0.0 dmz
 ! 
 ! Rule  11 (global)
 ! hostF has the same IP address as firewal.
--- a/test/pix/firewall10.fw.orig
+++ b/test/pix/firewall10.fw.orig
@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3519
+!  Firewall Builder  fwb_pix v4.2.0.3522
 !
-!  Generated Thu Apr  7 10:50:13 2011 PDT by vadim
+!  Generated Fri Apr  8 18:05:51 2011 PDT by vadim
 !
 ! Compiled for pix 6.3
 ! Outbound ACLs: not supported
@ -94,7 +94,6 @@ fixup protocol sqlnet 1521
 clear object-group


-
 object-group network id3DB0FA90.dst.net.0
  network-object host 211.11.11.11 
  network-object host 211.22.22.22 
@ -223,7 +222,6 @@ object-group service id3DB0FA12.srv.tcp.0 tcp
  port-object eq 7100
 exit

-
 !################
 ! 
 ! Rule  3 (ethernet1)
@ -305,9 +303,9 @@ access-list inside_acl_in permit tcp any 192.168.1.0 255.255.255.0 object-group
 access-list dmz_acl_in permit tcp any 192.168.1.0 255.255.255.0 object-group id3DB0FA12.srv.tcp.0 
 ! 
 ! Rule  19 (global)
-ssh    0.0.0.0 0.0.0.0 outside
-ssh    0.0.0.0 0.0.0.0 inside
-ssh    0.0.0.0 0.0.0.0 dmz
+ssh 0.0.0.0 0.0.0.0 outside
+ssh 0.0.0.0 0.0.0.0 inside
+ssh 0.0.0.0 0.0.0.0 dmz
 access-list outside_acl_in permit icmp any host 22.22.22.22 3 
 access-list inside_acl_in permit icmp any host 192.168.1.1 3 
 access-list dmz_acl_in permit icmp any host 192.168.2.1 3 
--- a/test/pix/firewall11.fw.orig
+++ b/test/pix/firewall11.fw.orig
@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3519
+!  Firewall Builder  fwb_pix v4.2.0.3522
 !
-!  Generated Thu Apr  7 10:50:13 2011 PDT by vadim
+!  Generated Fri Apr  8 18:05:51 2011 PDT by vadim
 !
 ! Compiled for pix 6.2
 ! Outbound ACLs: not supported
@ -75,6 +75,8 @@ sysopt route dnat
 floodguard enable


+
+
 !################
 ! 
 ! Rule  0 (global)
--- a/test/pix/firewall12.fw.orig
+++ b/test/pix/firewall12.fw.orig
@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3519
+!  Firewall Builder  fwb_pix v4.2.0.3522
 !
-!  Generated Thu Apr  7 10:50:13 2011 PDT by vadim
+!  Generated Fri Apr  8 18:05:52 2011 PDT by vadim
 !
 ! Compiled for pix 6.3
 ! Outbound ACLs: not supported
@ -90,14 +90,12 @@ fixup protocol icmp error
 clear object-group


-
 object-group network id3F8F95CD.dst.net.0
  network-object host 192.0.2.20 
  network-object host 192.0.2.21 
  network-object host 192.0.2.23 
 exit

-
 !################
 ! 
 ! Rule  0 (global)
@ -105,7 +103,7 @@ access-list inside_acl_in  remark 0 (global)
 access-list inside_acl_in permit ip 10.3.14.0 255.255.255.0 any 
 ! 
 ! Rule  1 (global)
-ssh    10.3.14.0 255.255.255.0 inside
+ssh 10.3.14.0 255.255.255.0 inside
 ! 
 ! Rule  2 (global)
 icmp permit any 0  outside
--- a/test/pix/firewall13.fw.orig
+++ b/test/pix/firewall13.fw.orig
@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3519
+!  Firewall Builder  fwb_pix v4.2.0.3522
 !
-!  Generated Thu Apr  7 10:50:14 2011 PDT by vadim
+!  Generated Fri Apr  8 18:05:52 2011 PDT by vadim
 !
 ! Compiled for pix 6.3
 ! Outbound ACLs: not supported
@ -71,6 +71,8 @@ no sysopt nodnsalias outbound
 floodguard enable


+
+
 !################
 ! 
 ! Rule  0 (global)
--- a/test/pix/firewall14.fw.orig
+++ b/test/pix/firewall14.fw.orig
@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3519
+!  Firewall Builder  fwb_pix v4.2.0.3522
 !
-!  Generated Thu Apr  7 10:50:14 2011 PDT by vadim
+!  Generated Fri Apr  8 18:05:52 2011 PDT by vadim
 !
 ! Compiled for pix 6.3
 ! Outbound ACLs: not supported
@ -67,6 +67,8 @@ no sysopt nodnsalias outbound
 floodguard enable


+
+
 !################
 ! 
 ! Rule  0 (global)
--- a/test/pix/firewall2.fw.orig
+++ b/test/pix/firewall2.fw.orig
@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3519
+!  Firewall Builder  fwb_pix v4.2.0.3522
 !
-!  Generated Thu Apr  7 10:50:14 2011 PDT by vadim
+!  Generated Fri Apr  8 18:05:53 2011 PDT by vadim
 !
 ! Compiled for pix 6.3
 ! Outbound ACLs: not supported
@ -73,7 +73,6 @@ clear telnet
 clear object-group


-
 object-group service id3D6EF08C.srv.tcp.0 tcp
  port-object eq 80
  port-object eq 119
@ -84,7 +83,6 @@ object-group network id3D8FCCDE.src.net.0
  network-object host 192.168.1.20 
 exit

-
 !################
 ! 
 ! Rule  0 (eth1)
--- a/test/pix/firewall20.fw.orig
+++ b/test/pix/firewall20.fw.orig
@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3519
+!  Firewall Builder  fwb_pix v4.2.0.3522
 !
-!  Generated Thu Apr  7 10:50:15 2011 PDT by vadim
+!  Generated Fri Apr  8 18:05:53 2011 PDT by vadim
 !
 ! Compiled for pix 6.3
 ! Outbound ACLs: not supported
@ -80,6 +80,8 @@ floodguard enable
 fixup protocol ftp 21


+
+
 !################
 ! 
 ! Rule  0 (global)
--- a/test/pix/firewall21-1.fw.orig
+++ b/test/pix/firewall21-1.fw.orig
@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3519
+!  Firewall Builder  fwb_pix v4.2.0.3522
 !
-!  Generated Thu Apr  7 10:50:15 2011 PDT by vadim
+!  Generated Fri Apr  8 18:05:54 2011 PDT by vadim
 !
 ! Compiled for pix 6.3
 ! Outbound ACLs: not supported
@ -85,6 +85,8 @@ floodguard enable
 fixup protocol ftp 21


+
+
 !################
 ! 
 ! Rule  0 (global)
--- a/test/pix/firewall21.fw.orig
+++ b/test/pix/firewall21.fw.orig
@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3519
+!  Firewall Builder  fwb_pix v4.2.0.3522
 !
-!  Generated Thu Apr  7 10:50:15 2011 PDT by vadim
+!  Generated Fri Apr  8 18:05:53 2011 PDT by vadim
 !
 ! Compiled for pix 7.0
 ! Outbound ACLs: supported
@ -100,6 +100,8 @@ policy-map global_policy
 service-policy global_policy global


+
+
 !################
 ! 
 ! Rule  0 (global)
--- a/test/pix/firewall22.fw.orig
+++ b/test/pix/firewall22.fw.orig
@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3519
+!  Firewall Builder  fwb_pix v4.2.0.3522
 !
-!  Generated Thu Apr  7 10:50:16 2011 PDT by vadim
+!  Generated Fri Apr  8 18:05:54 2011 PDT by vadim
 !
 ! Compiled for pix 7.0
 ! Outbound ACLs: supported
@ -93,6 +93,8 @@ policy-map global_policy
 service-policy global_policy global


+
+
 !################
 ! 
 ! Rule  0 (global)
--- a/test/pix/firewall23.fw.orig
+++ b/test/pix/firewall23.fw.orig
@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3519
+!  Firewall Builder  fwb_pix v4.2.0.3522
 !
-!  Generated Thu Apr  7 10:50:16 2011 PDT by vadim
+!  Generated Fri Apr  8 18:05:54 2011 PDT by vadim
 !
 ! Compiled for pix 6.3
 ! Outbound ACLs: not supported
@ -70,6 +70,8 @@ clear global
 clear nat


+
+
 !################

 ! 
--- a/test/pix/firewall3.fw.orig
+++ b/test/pix/firewall3.fw.orig
@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3519
+!  Firewall Builder  fwb_pix v4.2.0.3522
 !
-!  Generated Thu Apr  7 10:50:16 2011 PDT by vadim
+!  Generated Fri Apr  8 18:05:54 2011 PDT by vadim
 !
 ! Compiled for pix 6.2
 ! Outbound ACLs: not supported
@ -78,14 +78,16 @@ clear icmp
 clear telnet


+
+
 !################
 ! 
 ! Rule  0 (eth0)
-ssh    0.0.0.0 0.0.0.0 inside
+ssh 0.0.0.0 0.0.0.0 inside
 access-list inside_acl_in permit tcp any any eq 22 
 ! 
 ! Rule  1 (eth0)
-ssh    0.0.0.0 0.0.0.0 inside
+ssh 0.0.0.0 0.0.0.0 inside
 ! 
 ! Rule  2 (eth0)
 icmp permit any 3  inside
@ -96,11 +98,11 @@ access-list inside_acl_in permit icmp any any 3
 access-list inside_acl_in permit icmp any host 192.168.1.1 3 
 ! 
 ! Rule  4 (eth1)
-ssh    0.0.0.0 0.0.0.0 outside
+ssh 0.0.0.0 0.0.0.0 outside
 access-list outside_acl_in permit tcp any any eq 22 
 ! 
 ! Rule  5 (eth1)
-ssh    0.0.0.0 0.0.0.0 outside
+ssh 0.0.0.0 0.0.0.0 outside
 ! 
 ! Rule  6 (eth1)
 icmp permit any 3  outside
@ -125,17 +127,17 @@ access-list outside_acl_in permit icmp any host 22.22.22.22 3
 access-list dmz_acl_in permit icmp any host 192.168.2.1 3 
 ! 
 ! Rule  10 (global)
-ssh    0.0.0.0 0.0.0.0 inside
-ssh    0.0.0.0 0.0.0.0 outside
-ssh    0.0.0.0 0.0.0.0 dmz
+ssh 0.0.0.0 0.0.0.0 inside
+ssh 0.0.0.0 0.0.0.0 outside
+ssh 0.0.0.0 0.0.0.0 dmz
 access-list inside_acl_in permit tcp any any eq 22 
 access-list outside_acl_in permit tcp any any eq 22 
 access-list dmz_acl_in permit tcp any any eq 22 
 ! 
 ! Rule  11 (global)
-ssh    0.0.0.0 0.0.0.0 inside
-ssh    0.0.0.0 0.0.0.0 outside
-ssh    0.0.0.0 0.0.0.0 dmz
+ssh 0.0.0.0 0.0.0.0 inside
+ssh 0.0.0.0 0.0.0.0 outside
+ssh 0.0.0.0 0.0.0.0 dmz
 ! 
 ! Rule  12 (global)
 telnet 0.0.0.0 0.0.0.0 inside
--- a/test/pix/firewall33.fw.orig
+++ b/test/pix/firewall33.fw.orig
@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3519
+!  Firewall Builder  fwb_pix v4.2.0.3522
 !
-!  Generated Thu Apr  7 10:50:16 2011 PDT by vadim
+!  Generated Fri Apr  8 18:05:55 2011 PDT by vadim
 !
 ! Compiled for pix 6.3
 ! Outbound ACLs: not supported
@ -75,7 +75,6 @@ floodguard disable
 clear object-group


-
 object-group network id43867C2418346.src.net.0
  network-object host 157.166.224.25 
  network-object host 157.166.224.26 
@ -99,7 +98,6 @@ object-group network id438728A918346.dst.net.0
  network-object host 157.166.255.19 
 exit

-
 !################
 ! 
 ! Rule  0 (eth0.100)
--- a/test/pix/firewall34.fw.orig
+++ b/test/pix/firewall34.fw.orig
@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3519
+!  Firewall Builder  fwb_pix v4.2.0.3522
 !
-!  Generated Thu Apr  7 10:50:17 2011 PDT by vadim
+!  Generated Fri Apr  8 18:05:55 2011 PDT by vadim
 !
 ! Compiled for pix 6.3
 ! Outbound ACLs: not supported
@ -64,7 +64,6 @@ floodguard disable
 clear object-group


-
 object-group network id16988X10208.dst.net.0
  network-object 192.168.1.1 255.255.255.255 
  network-object 192.168.1.2 255.255.255.255 
@ -190,7 +189,6 @@ object-group network id21263X16880.src.net.0
  network-object 10.1.4.0 255.255.255.0 
 exit

-
 !################
 ! 
 ! Rule  0 (global)
--- a/test/pix/firewall4.fw.orig
+++ b/test/pix/firewall4.fw.orig
@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3519
+!  Firewall Builder  fwb_pix v4.2.0.3522
 !
-!  Generated Thu Apr  7 10:50:17 2011 PDT by vadim
+!  Generated Fri Apr  8 18:05:55 2011 PDT by vadim
 !
 ! Compiled for pix 6.2
 ! Outbound ACLs: not supported
@ -85,7 +85,6 @@ clear telnet
 clear object-group


-
 object-group service id3D79A1C2.srv.tcp.0 tcp
  port-object eq 80
  port-object eq 22
@ -96,7 +95,6 @@ object-group network id3D79A1E4.dst.net.0
  network-object host 192.168.1.20 
 exit

-
 !################
 ! 
 ! Rule  0 (global)
--- a/test/pix/firewall50.fw.orig
+++ b/test/pix/firewall50.fw.orig
@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3519
+!  Firewall Builder  fwb_pix v4.2.0.3522
 !
-!  Generated Thu Apr  7 10:50:18 2011 PDT by vadim
+!  Generated Fri Apr  8 18:05:56 2011 PDT by vadim
 !
 ! Compiled for pix 7.0
 ! Outbound ACLs: supported
@ -239,7 +239,6 @@ object-group service id4514304928543.srv.tcp.0 tcp
  port-object eq 7100
 exit

-
 !################

 clear config access-list tmp_acl
@ -262,7 +261,7 @@ access-list outside_acl_in permit icmp any any 3
 access-list inside_acl_in permit ip 192.168.1.0 255.255.255.0 any log 0 interval 300
 ! 
 ! Rule  4 (ethernet0)
-ssh    192.168.1.0 255.255.255.0 inside
+ssh 192.168.1.0 255.255.255.0 inside
 ! 
 ! Rule  5 (ethernet0)
 access-list inside_acl_in permit tcp any object-group id45142FA628543.dst.net.0 object-group id45142FA628543.srv.tcp.0 
@ -331,9 +330,9 @@ access-list inside_acl_in permit tcp any object-group id4514301628543.dst.net.0
 access-list dmz_acl_in permit tcp any object-group id4514301628543.dst.net.0 eq 3128 
 ! 
 ! Rule  17 (global)
-ssh    0.0.0.0 0.0.0.0 outside
-ssh    0.0.0.0 0.0.0.0 inside
-ssh    0.0.0.0 0.0.0.0 dmz
+ssh 0.0.0.0 0.0.0.0 outside
+ssh 0.0.0.0 0.0.0.0 inside
+ssh 0.0.0.0 0.0.0.0 dmz
 access-list outside_acl_in permit icmp any host 22.22.22.22 3 
 access-list inside_acl_in permit icmp any host 192.168.1.1 3 
 access-list dmz_acl_in permit icmp any host 192.168.2.1 3 
--- a/test/pix/firewall6.fw.orig
+++ b/test/pix/firewall6.fw.orig
@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3519
+!  Firewall Builder  fwb_pix v4.2.0.3522
 !
-!  Generated Thu Apr  7 10:50:18 2011 PDT by vadim
+!  Generated Fri Apr  8 18:05:56 2011 PDT by vadim
 !
 ! Compiled for pix 6.2
 ! Outbound ACLs: not supported
@ -85,6 +85,8 @@ clear icmp
 clear telnet


+
+
 !################
 ! 
 ! Rule  0 (eth1)
--- a/test/pix/firewall8.fw.orig
+++ b/test/pix/firewall8.fw.orig
@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3519
+!  Firewall Builder  fwb_pix v4.2.0.3522
 !
-!  Generated Thu Apr  7 10:50:18 2011 PDT by vadim
+!  Generated Fri Apr  8 18:05:57 2011 PDT by vadim
 !
 ! Compiled for pix 6.2
 ! Outbound ACLs: not supported
@ -78,6 +78,8 @@ floodguard enable
 fixup protocol ftp 21


+
+
 !################
 ! 
 ! Rule  0 (global)
--- a/test/pix/firewall80.fw.orig
+++ b/test/pix/firewall80.fw.orig
@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3519
+!  Firewall Builder  fwb_pix v4.2.0.3522
 !
-!  Generated Thu Apr  7 10:50:19 2011 PDT by vadim
+!  Generated Fri Apr  8 18:05:57 2011 PDT by vadim
 !
 ! Compiled for pix 8.2
 ! Outbound ACLs: supported
@ -117,14 +117,13 @@ object-group icmp-type id21447X11252.srv.icmp.0
  icmp-object 8
 exit

-
 !################
 ! 
 ! Rule  0 (FastEthernet1)
-ssh    0.0.0.0 0.0.0.0 inside
+ssh 0.0.0.0 0.0.0.0 inside
 ! 
 ! Rule  1 (FastEthernet1)
-ssh    0.0.0.0 0.0.0.0 inside
+access-list inside_acl_in permit tcp any host 22.22.22.22 eq 22 
 ! 
 ! Rule  2 (global)
 access-list outside_acl_in permit tcp any host 192.168.1.10 eq 22 
--- a/test/pix/firewall81.fw.orig
+++ b/test/pix/firewall81.fw.orig
@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3519
+!  Firewall Builder  fwb_pix v4.2.0.3522
 !
-!  Generated Thu Apr  7 10:50:19 2011 PDT by vadim
+!  Generated Fri Apr  8 18:05:57 2011 PDT by vadim
 !
 ! Compiled for pix 8.3
 ! Outbound ACLs: supported
@ -105,7 +105,6 @@ object network hostA:eth0.0
  host 192.168.1.10
 exit

-
 !################
 ! 
 ! Rule  0 (global)
@ -133,8 +132,8 @@ access-list outside_acl_in permit tcp any host 22.22.22.22 eq 80
 ! test rule using translated address in dst
 ! firewall81:Policy:3: warning: Object firewall81:FastEthernet1:ip that represents translated address in a NAT rule 0 (NAT) is used in a policy rule of ASA v8.3 firewall. Starting with v8.3, ASA requires using real IP addresses in the firewall policy rules. 

-access-list inside_acl_in permit tcp any host 192.168.1.1 eq 80 
-access-list outside_acl_in permit tcp any host 22.22.22.22 eq 80 
+http 0.0.0.0 0.0.0.0 inside
+http 0.0.0.0 0.0.0.0 outside
 ! 
 ! Rule  4 (global)
 ! for #1942
--- a/test/pix/firewall82.fw.orig
+++ b/test/pix/firewall82.fw.orig
@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3519
+!  Firewall Builder  fwb_pix v4.2.0.3522
 !
-!  Generated Thu Apr  7 10:50:20 2011 PDT by vadim
+!  Generated Fri Apr  8 18:05:58 2011 PDT by vadim
 !
 ! Compiled for pix 8.3
 ! Outbound ACLs: supported
@ -105,7 +105,6 @@ object network hostA:eth0.0
  host 192.168.1.10
 exit

-
 !################
 ! 
 ! Rule  0 (global)
@ -133,8 +132,8 @@ access-list outside_acl_in permit tcp any host 22.22.22.22 eq 80
 ! test rule using translated address in dst
 ! firewall82:Policy:3: warning: Object firewall82:FastEthernet1:ip that represents translated address in a NAT rule 0 (NAT) is used in a policy rule of ASA v8.3 firewall. Starting with v8.3, ASA requires using real IP addresses in the firewall policy rules. 

-access-list inside_acl_in permit tcp any host 192.168.1.1 eq 80 
-access-list outside_acl_in permit tcp any host 22.22.22.22 eq 80 
+http 0.0.0.0 0.0.0.0 inside
+http 0.0.0.0 0.0.0.0 outside
 ! 
 ! Rule  4 (global)
 access-list inside_acl_in deny   ip any any 
--- a/test/pix/firewall83.fw.orig
+++ b/test/pix/firewall83.fw.orig
@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3519
+!  Firewall Builder  fwb_pix v4.2.0.3522
 !
-!  Generated Thu Apr  7 10:50:20 2011 PDT by vadim
+!  Generated Fri Apr  8 18:05:58 2011 PDT by vadim
 !
 ! Compiled for pix 8.3
 ! Outbound ACLs: supported
@ -103,7 +103,6 @@ object network hostA:eth0.0
  host 192.168.1.10
 exit

-
 !################
 ! 
 ! Rule  0 (global)
@ -125,8 +124,8 @@ access-list outside_acl_in permit tcp any host 22.22.22.22 eq 80
 ! 
 ! Rule  3 (global)
 ! test rule using translated address in dst
-access-list inside_acl_in permit tcp any host 192.168.1.1 eq 80 
-access-list outside_acl_in permit tcp any host 22.22.22.22 eq 80 
+http 0.0.0.0 0.0.0.0 inside
+http 0.0.0.0 0.0.0.0 outside
 ! 
 ! Rule  4 (global)
 access-list inside_acl_in deny   ip any any 
--- a/test/pix/firewall9.fw.orig
+++ b/test/pix/firewall9.fw.orig
@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3519
+!  Firewall Builder  fwb_pix v4.2.0.3522
 !
-!  Generated Thu Apr  7 10:50:20 2011 PDT by vadim
+!  Generated Fri Apr  8 18:05:59 2011 PDT by vadim
 !
 ! Compiled for pix 6.3
 ! Outbound ACLs: not supported
@ -94,6 +94,8 @@ fixup protocol sqlnet 1521
 fixup protocol tftp 69


+
+
 !################


--- a/test/pix/firewall90.fw.orig
+++ b/test/pix/firewall90.fw.orig
@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3519
+!  Firewall Builder  fwb_pix v4.2.0.3522
 !
-!  Generated Thu Apr  7 10:50:20 2011 PDT by vadim
+!  Generated Fri Apr  8 18:05:59 2011 PDT by vadim
 !
 ! Compiled for pix 8.3
 ! Outbound ACLs: supported
@ -234,7 +234,6 @@ object-group network id78630X30274.src.net.0
  network-object 10.1.3.0 255.255.255.0 
 exit

-
 !################
 ! 
 ! Rule  0 (global)
--- a/test/pix/firewall91.fw.orig
+++ b/test/pix/firewall91.fw.orig
@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3519
+!  Firewall Builder  fwb_pix v4.2.0.3522
 !
-!  Generated Thu Apr  7 10:50:21 2011 PDT by vadim
+!  Generated Fri Apr  8 18:05:59 2011 PDT by vadim
 !
 ! Compiled for pix 8.3
 ! Outbound ACLs: supported
@ -132,7 +132,6 @@ object network outside_range.0
  range 22.22.22.21 22.22.22.25
 exit

-
 !################
 ! 
 ! Rule  0 (global)
--- a/test/pix/firewall92.fw.orig
+++ b/test/pix/firewall92.fw.orig
@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3519
+!  Firewall Builder  fwb_pix v4.2.0.3522
 !
-!  Generated Thu Apr  7 10:50:21 2011 PDT by vadim
+!  Generated Fri Apr  8 18:05:59 2011 PDT by vadim
 !
 ! Compiled for pix 8.3
 ! Outbound ACLs: supported
@ -133,7 +133,6 @@ object-group network id20655X6113.osrc.net.0
  network-object object internal_subnet_2.0
 exit

-
 !################
 ! 
 ! Rule  0 (global)
--- a/test/pix/firewall93.fw.orig
+++ b/test/pix/firewall93.fw.orig
@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3519
+!  Firewall Builder  fwb_pix v4.2.0.3522
 !
-!  Generated Thu Apr  7 10:50:21 2011 PDT by vadim
+!  Generated Fri Apr  8 18:06:00 2011 PDT by vadim
 !
 ! Compiled for pix 8.3
 ! Outbound ACLs: supported
@ -102,7 +102,6 @@ object network inside-range-1.0
  range 10.0.0.1 10.0.0.5
 exit

-
 !################

 ! 
--- a/test/pix/firewall94.fw.orig
+++ b/test/pix/firewall94.fw.orig
@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3519
+!  Firewall Builder  fwb_pix v4.2.0.3522
 !
-!  Generated Thu Apr  7 10:50:22 2011 PDT by vadim
+!  Generated Fri Apr  8 18:06:00 2011 PDT by vadim
 !
 ! Compiled for pix 8.3
 ! Outbound ACLs: supported
@ -94,7 +94,6 @@ object-group network id26782X14355.src.net.0
  network-object object inside-range-2.0
 exit

-
 !################
 ! 
 ! Rule  0 (global)
--- a/test/pix/fwsm1.fw.orig
+++ b/test/pix/fwsm1.fw.orig
@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3519
+!  Firewall Builder  fwb_pix v4.2.0.3522
 !
-!  Generated Thu Apr  7 10:50:22 2011 PDT by vadim
+!  Generated Fri Apr  8 18:06:01 2011 PDT by vadim
 !
 ! Compiled for fwsm 2.3
 ! Outbound ACLs: supported
@ -107,7 +107,6 @@ clear telnet
 clear object-group


-
 object-group network id444A03DE9567.dst.net.0
  network-object host 211.11.11.11 
  network-object host 211.22.22.22 
@ -220,7 +219,6 @@ object-group service id444A04819567.srv.tcp.0 tcp
  port-object eq 7100
 exit

-
 !################
 access-list mode auto

@ -244,7 +242,7 @@ access-list outside_acl_in permit icmp any any 3
 access-list inside_acl_in permit ip 192.168.1.0 255.255.255.0 any log 0 interval 300
 ! 
 ! Rule  4 (ethernet0)
-ssh    192.168.1.0 255.255.255.0 inside
+ssh 192.168.1.0 255.255.255.0 inside
 ! 
 ! Rule  5 (ethernet0)
 access-list inside_acl_in permit tcp any object-group id444A03DE9567.dst.net.0 object-group id444A03DE9567.srv.tcp.0 
@ -303,9 +301,9 @@ access-list inside_acl_in permit tcp any object-group id444A044E9567.dst.net.0 e
 access-list dmz_acl_in permit tcp any object-group id444A044E9567.dst.net.0 eq 3128 
 ! 
 ! Rule  15 (global)
-ssh    0.0.0.0 0.0.0.0 outside
-ssh    0.0.0.0 0.0.0.0 inside
-ssh    0.0.0.0 0.0.0.0 dmz
+ssh 0.0.0.0 0.0.0.0 outside
+ssh 0.0.0.0 0.0.0.0 inside
+ssh 0.0.0.0 0.0.0.0 dmz
 access-list outside_acl_in permit icmp any host 22.22.22.22 3 
 access-list inside_acl_in permit icmp any host 192.168.1.1 3 
 access-list dmz_acl_in permit icmp any host 192.168.2.1 3 
--- a/test/pix/fwsm2.fw.orig
+++ b/test/pix/fwsm2.fw.orig
@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3519
+!  Firewall Builder  fwb_pix v4.2.0.3522
 !
-!  Generated Thu Apr  7 10:50:22 2011 PDT by vadim
+!  Generated Fri Apr  8 18:06:01 2011 PDT by vadim
 !
 ! Compiled for fwsm 4.x
 ! Outbound ACLs: supported
@ -120,7 +120,6 @@ clear config telnet
 clear config object-group


-
 object-group network id17298X54624.dst.net.0
  network-object host 211.11.11.11 
  network-object host 211.22.22.22 
@ -233,7 +232,6 @@ object-group service id17461X54624.srv.tcp.0 tcp
  port-object eq 7100
 exit

-
 !################
 access-list mode auto

@ -257,7 +255,7 @@ access-list outside_acl_in permit icmp any any 3
 access-list inside_acl_in permit ip 192.168.1.0 255.255.255.0 any log 0 interval 300
 ! 
 ! Rule  4 (ethernet0)
-ssh    192.168.1.0 255.255.255.0 inside
+ssh 192.168.1.0 255.255.255.0 inside
 ! 
 ! Rule  5 (ethernet0)
 access-list inside_acl_in permit tcp any object-group id17298X54624.dst.net.0 object-group id17298X54624.srv.tcp.0 
@ -316,9 +314,9 @@ access-list inside_acl_in permit tcp any object-group id17410X54624.dst.net.0 eq
 access-list dmz_acl_in permit tcp any object-group id17410X54624.dst.net.0 eq 3128 
 ! 
 ! Rule  15 (global)
-ssh    0.0.0.0 0.0.0.0 outside
-ssh    0.0.0.0 0.0.0.0 inside
-ssh    0.0.0.0 0.0.0.0 dmz
+ssh 0.0.0.0 0.0.0.0 outside
+ssh 0.0.0.0 0.0.0.0 inside
+ssh 0.0.0.0 0.0.0.0 dmz
 access-list outside_acl_in permit icmp any host 22.22.22.22 3 
 access-list inside_acl_in permit icmp any host 192.168.1.1 3 
 access-list dmz_acl_in permit icmp any host 192.168.2.1 3 
--- a/test/pix/objects-for-regression-tests.fwb
+++ b/test/pix/objects-for-regression-tests.fwb
@ -1414,7 +1414,7 @@
      <ServiceGroup id="stdid05_1_userservices" name="Users" comment="" ro="False"/>
    </ServiceGroup>
    <ObjectGroup id="stdid12_1" name="Firewalls" comment="" ro="False">
-      <Firewall id="fw-firewall2" host_OS="pix_os" inactive="False" lastCompiled="1163922727" lastInstalled="0" lastModified="1295222056" platform="pix" version="6.2" name="firewall" comment="this is simple firewall with two interfaces. Test regular policy rules, including IP_fragments rule" ro="False">
+      <Firewall id="fw-firewall2" host_OS="pix_os" inactive="False" lastCompiled="1163922727" lastInstalled="0" lastModified="1302311125" platform="pix" version="6.2" name="firewall" comment="this is simple firewall with two interfaces. Test regular policy rules, including IP_fragments rule" ro="False">
        <NAT id="nat-firewall2" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
          <NATRule id="nat-firewall2-0" disabled="False" group="" position="0" action="Translate" comment="">
            <OSrc neg="False">
@ -2077,7 +2077,7 @@
          </PolicyRule>
          <PolicyRule id="id3D50CD96" disabled="False" group="" log="False" position="15" action="Accept" direction="Both" comment="">
            <Src neg="False">
-              <ObjectRef ref="sysid0"/>
+              <ObjectRef ref="net-Internal_net"/>
            </Src>
            <Dst neg="False">
              <ObjectRef ref="fw-firewall2"/>
@ -18124,14 +18124,14 @@ no sysopt nodnsalias outbound
        </Option>
        </FirewallOptions>
      </Firewall>
-      <Firewall id="id18865X29796" host_OS="pix_os" inactive="False" lastCompiled="0" lastInstalled="0" lastModified="1295466889" platform="pix" version="8.2" name="firewall80" comment="testing rules with broadcasts" ro="False">
+      <Firewall id="id18865X29796" host_OS="pix_os" inactive="False" lastCompiled="0" lastInstalled="0" lastModified="1302310919" platform="pix" version="8.2" name="firewall80" comment="testing rules with broadcasts" ro="False">
        <NAT id="id18933X29796" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
          <NATRule id="id70310X19497" disabled="False" group="" position="0" action="Translate" comment="">
            <OSrc neg="False">
              <ObjectRef ref="sysid0"/>
            </OSrc>
            <ODst neg="False">
-              <ObjectRef ref="id86637X27607"/>
+              <ObjectRef ref="id21478X13826"/>
            </ODst>
            <OSrv neg="False">
              <ServiceRef ref="id21571X21575"/>
--- a/test/pix/pix515.fw.orig
+++ b/test/pix/pix515.fw.orig
@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3519
+!  Firewall Builder  fwb_pix v4.2.0.3522
 !
-!  Generated Thu Apr  7 10:50:23 2011 PDT by vadim
+!  Generated Fri Apr  8 18:06:02 2011 PDT by vadim
 !
 ! Compiled for pix 7.0
 ! Outbound ACLs: supported
@ -94,6 +94,8 @@ clear config icmp
 clear config telnet


+
+
 !################

 clear config access-list tmp_acl
@ -105,10 +107,10 @@ access-group tmp_acl in interface inside

 ! 
 ! Rule  -1 backup ssh access rule (automatic)
-ssh    10.3.14.42 255.255.255.255 inside
+ssh 10.3.14.42 255.255.255.255 inside
 ! 
 ! Rule  0 (global)
-ssh    10.3.14.0 255.255.255.0 inside
+ssh 10.3.14.0 255.255.255.0 inside
 access-list inside_acl_in  remark 0 (global)
 access-list inside_acl_in permit tcp 10.3.14.0 255.255.255.0 host 10.3.14.206 eq 53 
 access-list inside_acl_in permit udp 10.3.14.0 255.255.255.0 host 10.3.14.206 eq 53 
--- a/test/pix/real.fw.orig
+++ b/test/pix/real.fw.orig
@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3519
+!  Firewall Builder  fwb_pix v4.2.0.3522
 !
-!  Generated Thu Apr  7 10:50:23 2011 PDT by vadim
+!  Generated Fri Apr  8 18:06:02 2011 PDT by vadim
 !
 ! Compiled for pix 6.3
 ! Outbound ACLs: not supported
@ -95,6 +95,8 @@ clear icmp
 clear telnet


+
+
 !################
 ! 
 ! Rule  0 (global)
@ -102,7 +104,7 @@ access-list inside_acl_in  remark 0 (global)
 access-list inside_acl_in permit ip 10.3.14.0 255.255.255.0 any 
 ! 
 ! Rule  1 (global)
-ssh    10.3.14.0 255.255.255.0 inside
+ssh 10.3.14.0 255.255.255.0 inside
 ! 
 ! Rule  2 (global)
 icmp permit any 0  outside
--- a/test/pix/test_net_zone_2.fw.orig
+++ b/test/pix/test_net_zone_2.fw.orig
@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3519
+!  Firewall Builder  fwb_pix v4.2.0.3522
 !
-!  Generated Thu Apr  7 11:00:37 2011 PDT by vadim
+!  Generated Fri Apr  8 18:06:03 2011 PDT by vadim
 !
 ! Compiled for pix 6.1
 ! Outbound ACLs: not supported
@ -62,6 +62,8 @@ no sysopt route dnat
 floodguard disable


+
+
 !################
 ! 
 ! Rule  0 (global)