diff --git a/src/unit_tests/ImporterTest/test_data/asa8.3-acl.test b/src/unit_tests/ImporterTest/test_data/asa8.3-acl.test
new file mode 100755
index 000000000..9fa76f801
--- /dev/null
+++ b/src/unit_tests/ImporterTest/test_data/asa8.3-acl.test
@@ -0,0 +1,194 @@
+: Saved
+:
+ASA Version 8.3(2)
+!
+hostname asa5505
+
+
+interface Vlan1
+ nameif inside
+ security-level 100
+ ip address 192.168.1.1 255.255.255.0
+exit
+
+interface Vlan2
+ nameif outside
+ security-level 0
+ ip address dhcp setroute
+exit
+
+interface Ethernet0/0
+ description Switch port 0/0
+exit
+
+
+no logging buffered
+no logging console
+no logging timestamp
+no logging on
+
+
+timeout xlate 0:0:0
+timeout conn 0:0:0
+timeout udp 0:0:0
+timeout sunrpc 0:0:0
+timeout h323 0:0:0
+timeout sip 0:0:0
+timeout sip_media 0:0:0
+timeout half-closed 0:0:0
+timeout uauth 0:0:0
+
+
+clear config ssh
+aaa authentication ssh console LOCAL
+
+clear config snmp-server
+no snmp-server enable traps
+
+clear config ntp
+
+
+no service resetinbound
+no service resetoutside
+no sysopt connection timewait
+no sysopt nodnsalias inbound
+no sysopt nodnsalias outbound
+
+
+class-map inspection_default
+ match default-inspection-traffic
+
+policy-map global_policy
+ class inspection_default
+
+service-policy global_policy global
+
+
+
+clear xlate
+clear config nat
+clear config access-list
+clear config icmp
+clear config telnet
+clear config object-group
+clear config object
+
+
+object service http.0
+ service tcp destination eq 80
+exit
+
+object service https.0
+ service tcp destination eq 443
+exit
+
+object network server-1.0
+ host 192.168.1.100
+exit
+
+object network Internal_net.0
+ subnet 192.168.1.0 255.255.255.0
+exit
+
+object-group service id5102X14531.srv.tcp.0 tcp
+ port-object eq 80
+ port-object eq 443
+exit
+
+object service ip2
+ service eigrp
+
+object-group protocol pg1
+ protocol-object 111
+ protocol-object ah
+ protocol-object ip
+ protocol-object eigrp
+
+
+!################
+!
+
+! remark
+access-list inside_in remark 0 (global)
+
+! protocols, including named object and object group
+!
+access-list inside_in permit ah 192.168.1.0 255.255.255.0 any
+access-list inside_in permit eigrp 192.168.1.0 255.255.255.0 any
+access-list inside_in permit esp 192.168.1.0 255.255.255.0 any
+access-list inside_in permit gre 192.168.1.0 255.255.255.0 any
+access-list inside_in permit icmp 192.168.1.0 255.255.255.0 any
+! access-list inside_in permit icmp6 192.168.1.0 255.255.255.0 any
+access-list inside_in permit igmp 192.168.1.0 255.255.255.0 any
+access-list inside_in permit igrp 192.168.1.0 255.255.255.0 any
+access-list inside_in permit ip 192.168.1.0 255.255.255.0 any
+access-list inside_in permit ipinip 192.168.1.0 255.255.255.0 any
+access-list inside_in permit ipsec 192.168.1.0 255.255.255.0 any
+access-list inside_in permit nos 192.168.1.0 255.255.255.0 any
+access-list inside_in permit object ip2 192.168.1.0 255.255.255.0 any
+access-list inside_in permit object-group pg1 192.168.1.0 255.255.255.0 any
+access-list inside_in permit ospf 192.168.1.0 255.255.255.0 any
+access-list inside_in permit pcp 192.168.1.0 255.255.255.0 any
+access-list inside_in permit pim 192.168.1.0 255.255.255.0 any
+access-list inside_in permit pptp 192.168.1.0 255.255.255.0 any
+access-list inside_in permit snp 192.168.1.0 255.255.255.0 any
+access-list inside_in permit tcp 192.168.1.0 255.255.255.0 any
+access-list inside_in permit udp 192.168.1.0 255.255.255.0 any
+
+! named object reference in source
+access-list inside_in permit ip object Internal_net.0 any
+access-list inside_in remark 3 (global)
+
+! logging
+access-list inside_in deny ip any any log 0 interval 300
+
+
+! more complex tests: named objects, object groups, inline address and
+! port definitions in both source and destination
+
+access-list inside_in permit tcp object server-1.0 object-group id5102X14531.srv.tcp.0 any
+access-list inside_in permit tcp object server-1.0 eq 80 any
+access-list inside_in permit tcp object server-1.0 gt 1010 any
+access-list inside_in permit tcp object server-1.0 lt 1024 any
+access-list inside_in permit tcp object server-1.0 range 1010 1020 any
+access-list inside_in permit tcp object server-1.0 neq 88 any
+
+access-list inside_in permit tcp 192.168.2.0 255.255.255.192 object-group id5102X14531.srv.tcp.0 any
+access-list inside_in permit tcp 192.168.2.0 255.255.255.192 eq 80 any
+access-list inside_in permit tcp 192.168.2.0 255.255.255.192 gt 1010 any
+access-list inside_in permit tcp 192.168.2.0 255.255.255.192 lt 1024 any
+access-list inside_in permit tcp 192.168.2.0 255.255.255.192 range 1010 1020 any
+access-list inside_in permit tcp 192.168.2.0 255.255.255.192 neq 88 any
+
+
+access-list inside_out permit tcp any object server-1.0 object-group id5102X14531.srv.tcp.0
+access-list inside_out permit tcp any object server-1.0 eq 80
+access-list inside_out permit tcp any object server-1.0 gt 1010
+access-list inside_out permit tcp any object server-1.0 lt 1024
+access-list inside_out permit tcp any object server-1.0 range 1010 1020
+access-list inside_out permit tcp any object server-1.0 neq 88
+
+access-list inside_out permit tcp any 192.168.2.0 255.255.255.192 object-group id5102X14531.srv.tcp.0
+access-list inside_out permit tcp any 192.168.2.0 255.255.255.192 eq 80
+access-list inside_out permit tcp any 192.168.2.0 255.255.255.192 gt 1010
+access-list inside_out permit tcp any 192.168.2.0 255.255.255.192 lt 1024
+access-list inside_out permit tcp any 192.168.2.0 255.255.255.192 range 1010 1020
+access-list inside_out permit tcp any 192.168.2.0 255.255.255.192 neq 88
+
+
+! access-group statements
+
+access-group inside_in in interface inside
+access-group inside_out out interface inside
+access-group outside_in in interface outside
+access-group outside_out out interface outside
+
+
+!
+! Rule 0 (NAT)
+nat (inside,outside) source dynamic Internal_net.0 interface description "0 (NAT)"
+!
+! Rule 1 (NAT)
+nat (outside,inside) source static any any destination static interface server-1.0 service http.0 http.0 description "1 (NAT)"
+nat (outside,inside) source static any any destination static interface server-1.0 service https.0 https.0 description "1 (NAT)"
+
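Review bot: The `access-group outside_in in interface outside` and `access-group outside_out out interface outside` lines bind ACLs that no `access-list outside_in` or `access-list outside_out` line in this file defines, so the fixture either deliberately exercises unresolved access-group references in the importer or is missing two ACL definitions, and nothing in the file says which. The `object service ip2` and `object-group protocol pg1` blocks are likewise the only object definitions not closed with `exit`, which may be intended to cover unterminated blocks but is not stated, and the disabled `! access-list inside_in permit icmp6 ...` line carries no reason for being commented out. A one-line `!` comment at each of these spots would make the intent verifiable, for example `! outside_in / outside_out are intentionally undefined to test unresolved ACL references` above the access-group block, if that is the purpose.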