diff --git a/doc/ChangeLog b/doc/ChangeLog
index 49d35116f..57494dd82 100644
--- a/doc/ChangeLog
+++ b/doc/ChangeLog
@@ -1,3 +1,8 @@
+2011-03-30  vadim  <vadim@netcitadel.com>
+
+	* PIXImporterNat.cpp (buildDNATRule): import of PIX/ASA "static"
+	commands works for the most part. Needs more testing.
+
 2011-03-28  vadim  <vadim@netcitadel.com>
 
 	* ObjectManipulator.cpp (getDeleteMenuState): see #2226 fixed GUI
diff --git a/src/import/Importer.cpp b/src/import/Importer.cpp
index 7398a65cf..c575ef1d6 100644
--- a/src/import/Importer.cpp
+++ b/src/import/Importer.cpp
@@ -490,6 +490,8 @@ void Importer::setDefaultAction(const std::string &iptables_action_name)
 
 void Importer::newPolicyRule()
 {
+    if (fwbdebug) qDebug() << "Importer::newPolicyRule()";
+
     FWObjectDatabase *dbroot = getFirewallObject()->getRoot();
     FWObject *nobj = dbroot->create(PolicyRule::TYPENAME);
     current_rule = Rule::cast(nobj);
@@ -502,9 +504,13 @@ void Importer::newPolicyRule()
 
 void Importer::newNATRule()
 {
+    if (fwbdebug) qDebug() << "Importer::newNATRule()";
+
     FWObjectDatabase *dbroot = getFirewallObject()->getRoot();
     FWObject *nobj = dbroot->create(NATRule::TYPENAME);
     current_rule = Rule::cast(nobj);
+
+    if (fwbdebug) qDebug() << "current_rule=" << current_rule;
 }
 
 void Importer::pushRule()
@@ -533,6 +539,8 @@ void Importer::pushRule()
         ropt->setBool("stateless", true);
     }
 
+    rule->setDirection(PolicyRule::Both);
+
     addSrc();
     addDst();
     addSrv();
diff --git a/src/import/PIXImporter.cpp b/src/import/PIXImporter.cpp
index ea4df2d0a..6caed3bdc 100644
--- a/src/import/PIXImporter.cpp
+++ b/src/import/PIXImporter.cpp
@@ -132,19 +132,27 @@ void PIXImporter::clearTempVars()
     Importer::clear();
 }
 
+Interface* PIXImporter::getInterfaceByLabel(const string &label)
+{
+    map<const string,Interface*>::iterator it;
+    for (it=all_interfaces.begin(); it!=all_interfaces.end(); ++it)
+    {
+        Interface *intf = it->second;
+        if (intf->getLabel() == label)
+        {
+            return intf;
+        }
+    }
+    return NULL;
+}
+    
+
 FWObject* PIXImporter::makeSrcObj()
 {
     if (src_nm == "interface")
     {
-        map<const string,Interface*>::iterator it;
-        for (it=all_interfaces.begin(); it!=all_interfaces.end(); ++it)
-        {
-            Interface *intf = it->second;
-            if (intf->getLabel() == src_a)
-            {
-                return intf;
-            }
-        }
+        Interface *intf = getInterfaceByLabel(src_a);
+        if (intf) return intf;
         throw ImporterException(
             QString("Cannot find interface with label '%1'").arg(src_a.c_str()));
     }
@@ -160,15 +168,8 @@ FWObject* PIXImporter::makeDstObj()
 {
     if (dst_nm == "interface")
     {
-        map<const string,Interface*>::iterator it;
-        for (it=all_interfaces.begin(); it!=all_interfaces.end(); ++it)
-        {
-            Interface *intf = it->second;
-            if (intf->getLabel() == dst_a)
-            {
-                return intf;
-            }
-        }
+        Interface *intf = getInterfaceByLabel(dst_a);
+        if (intf) return intf;
         throw ImporterException(
             QString("Cannot find interface with label '%1'").arg(dst_a.c_str()));
     }
@@ -378,6 +379,9 @@ Firewall* PIXImporter::finalize()
         FWObject *policy = getFirewallObject()->getFirstByType(Policy::TYPENAME);
         assert( policy!=NULL );
 
+        FWObject *nat = getFirewallObject()->getFirstByType(NAT::TYPENAME);
+        assert( nat!=NULL );
+
         if (all_rulesets.size()!=0)
         {
             if (fwbdebug)
@@ -400,7 +404,10 @@ Firewall* PIXImporter::finalize()
             list<string>::iterator it;
             for (it=ruleset_names.begin(); it!=ruleset_names.end(); ++it)
             {
-                UnidirectionalRuleSet *irs = all_rulesets[*it];
+                string ruleset_name = *it;
+                if (ruleset_name == "nat") continue;
+
+                UnidirectionalRuleSet *irs = all_rulesets[ruleset_name];
 
                 if (fwbdebug)
                 {
@@ -531,6 +538,23 @@ Firewall* PIXImporter::finalize()
             rs->renumberRules();
         }
 
+        // Deal with NAT ruleset
+        UnidirectionalRuleSet *nat_rs = all_rulesets["nat"];
+        if (nat_rs)
+        {
+            while (nat_rs->ruleset->size() > 0)
+            {
+                FWObject *r = nat_rs->ruleset->front();
+                nat->reparent(r);
+            }
+
+            NAT::cast(nat)->renumberRules();
+
+            nat_rs->ruleset->clearChildren(false);
+            getFirewallObject()->remove(nat_rs->ruleset, false);
+            delete nat_rs->ruleset;
+        }
+
         return fw;
     }
     else
diff --git a/src/import/PIXImporter.h b/src/import/PIXImporter.h
index 1be1ec657..b681411df 100644
--- a/src/import/PIXImporter.h
+++ b/src/import/PIXImporter.h
@@ -93,6 +93,9 @@ class PIXImporter : public IOSImporter
 
     void pushPolicyRule();
     void pushNATRule();
+    void buildDNATRule();
+    void buildSNATRule();
+
     virtual void pushRule();
     
     // this method actually adds interfaces to the firewall object
@@ -155,7 +158,8 @@ class PIXImporter : public IOSImporter
     void addTCPUDPServiceToObjectGroup();
     void addICMPServiceToObjectGroup();
     
-        
+    libfwbuilder::Interface* getInterfaceByLabel(const std::string &label);
+            
     void rearrangeVlanInterfaces();
 };
 
diff --git a/src/import/PIXImporterNat.cpp b/src/import/PIXImporterNat.cpp
index cf5e9aefd..82294f673 100644
--- a/src/import/PIXImporterNat.cpp
+++ b/src/import/PIXImporterNat.cpp
@@ -43,7 +43,7 @@
 #include "fwbuilder/ICMPService.h"
 #include "fwbuilder/TCPService.h"
 #include "fwbuilder/UDPService.h"
-#include "fwbuilder/Policy.h"
+#include "fwbuilder/NAT.h"
 #include "fwbuilder/RuleElement.h"
 #include "fwbuilder/Library.h"
 
@@ -54,9 +54,173 @@
 
 extern int fwbdebug;
 
+using namespace libfwbuilder;
+using namespace std;
 
+/*
+
+  Variables used to build nat rules
+
+  libfwbuilder::NATRule::NATRuleTypes rule_type;
+  std::string prenat_interface;
+  std::string postnat_interface;
+
+  std::string real_a;
+  std::string real_nm;
+  std::string mapped_a;
+  std::string mapped_nm;
+  std::string real_addr_acl;
+  std::string mapped_port_spec;
+  std::string real_port_spec;
+  std::string static_max_conn;
+  std::string static_max_emb_conn;
+
+  std::string nat_num;
+  std::string nat_a;
+  std::string nat_nm;
+  std::string nat_acl;
+
+  std::string global_pool_num;
+  std::string global_interface;
+*/
 
 void PIXImporter::pushNATRule()
+{
+    assert(current_ruleset!=NULL);
+    assert(current_rule!=NULL);
+
+    NATRule *rule = NATRule::cast(current_rule);
+
+    switch (rule_type)
+    {
+    case NATRule::DNAT:
+        buildDNATRule();
+        break;
+
+    case NATRule::SNAT:
+        buildSNATRule();
+        break;
+
+    default:
+        assert(rule_type!=NATRule::DNAT && rule_type!=NATRule::SNAT);
+    }
+
+    // then add it to the current ruleset
+    current_ruleset->ruleset->add(current_rule);
+
+    addStandardImportComment(current_rule, QString::fromUtf8(rule_comment.c_str()));
+
+    current_rule = NULL;
+    rule_comment = "";
+
+    clear();
+}
+
+/*
+ * DNAT rule.
+ *
+ * Using real_a, real_nm, mapped_a, mapped_nm, real_addr_acl,
+ * real_port_spec, mapped_port_spec, prenat_interface,
+ * postnat_interface
+ */
+void PIXImporter::buildDNATRule()
+{
+    NATRule *rule = NATRule::cast(current_rule);
+
+    Interface *pre_intf = getInterfaceByLabel(prenat_interface);
+    Interface *post_intf = getInterfaceByLabel(postnat_interface);
+
+    rule->setAction(NATRule::Translate);
+
+    if (real_nm.empty()) real_nm = InetAddr::getAllOnes().toString();
+    if (mapped_nm.empty()) mapped_nm = InetAddr::getAllOnes().toString();
+
+    if ( ! mapped_a.empty())
+    {
+        if (mapped_a == "interface")
+        {
+            RuleElementODst* odst = rule->getODst();
+            assert(odst!=NULL);
+            odst->addRef(post_intf);
+        } else
+        {
+            dst_a = mapped_a;
+            dst_nm = mapped_nm;
+            addODst();
+        }
+    }
+
+    if ( ! real_a.empty())
+    {
+        dst_a = real_a;
+        dst_nm = real_nm;
+
+        RuleElement* tdst = rule->getTDst();
+        assert(tdst!=NULL);
+        FWObject *s = makeDstObj();
+        if (s) tdst->addRef( s );
+    }
+
+    if ( ! real_addr_acl.empty())
+    {
+        UnidirectionalRuleSet *rs = all_rulesets[real_addr_acl];
+        if (rs)
+        {
+            RuleElement* tdst = rule->getTDst();
+            assert(tdst!=NULL);
+
+            PolicyRule *policy_rule = PolicyRule::cast(
+                rs->ruleset->getFirstByType(PolicyRule::TYPENAME));
+            
+            if (policy_rule)
+            {
+                RuleElement *src = policy_rule->getSrc();
+                for (FWObject::iterator it=src->begin(); it!=src->end(); ++it)
+                {
+                    FWObject *o = FWReference::getObject(*it);
+                    tdst->addRef(o);
+                }
+            }
+        }
+    }
+
+    if ( ! mapped_port_spec.empty())
+    {
+        src_port_spec = "";
+        dst_port_op = "eq";
+        dst_port_spec = mapped_port_spec;
+
+        RuleElement* osrv = rule->getOSrv();
+        assert(osrv!=NULL);
+        FWObject *s = Importer::makeSrvObj();
+
+        if (s) osrv->addRef( s );
+    }
+
+    if ( ! real_port_spec.empty())
+    {
+        src_port_spec = "";
+        dst_port_op = "eq";
+        dst_port_spec = real_port_spec;
+
+        RuleElement* tsrv = rule->getTSrv();
+        assert(tsrv!=NULL);
+        FWObject *s = Importer::makeSrvObj();
+
+        if (s) tsrv->addRef( s );
+    }
+
+    RuleElement *itf_i_re = rule->getItfInb();
+    assert(itf_i_re!=NULL);
+    itf_i_re->addRef(post_intf);
+
+    RuleElement *itf_o_re = rule->getItfOutb();
+    assert(itf_o_re!=NULL);
+    itf_o_re->addRef(pre_intf);
+}
+
+void PIXImporter::buildSNATRule()
 {
 
 }
+
diff --git a/src/parsers/PIXCfgLexer.cpp b/src/parsers/PIXCfgLexer.cpp
index b03ca6057..b2a90c411 100644
--- a/src/parsers/PIXCfgLexer.cpp
+++ b/src/parsers/PIXCfgLexer.cpp
@@ -44,137 +44,141 @@ PIXCfgLexer::PIXCfgLexer(const ANTLR_USE_NAMESPACE(antlr)LexerSharedInputState&
 
 void PIXCfgLexer::initLiterals()
 {
-	literals["full"] = 119;
-	literals["parameter-problem"] = 85;
+	literals["full"] = 120;
+	literals["parameter-problem"] = 86;
 	literals["port-object"] = 53;
-	literals["notifications"] = 105;
-	literals["duplex"] = 125;
-	literals["no"] = 55;
-	literals["static"] = 147;
+	literals["notifications"] = 106;
+	literals["duplex"] = 126;
+	literals["dns"] = 55;
+	literals["no"] = 56;
+	literals["static"] = 148;
 	literals["esp"] = 16;
-	literals["time-range"] = 111;
+	literals["time-range"] = 112;
 	literals["gre"] = 17;
-	literals["timestamp-request"] = 92;
-	literals["echo"] = 72;
-	literals["speed"] = 124;
-	literals["warnings"] = 106;
+	literals["timestamp-request"] = 93;
+	literals["echo"] = 73;
+	literals["speed"] = 125;
+	literals["warnings"] = 107;
 	literals["timeout"] = 8;
 	literals["eigrp"] = 15;
 	literals["icmp-type"] = 50;
-	literals["permit"] = 65;
-	literals["remark"] = 141;
+	literals["permit"] = 66;
+	literals["remark"] = 143;
 	literals["network"] = 29;
 	literals["igmp"] = 18;
 	literals["range"] = 34;
 	literals["destination"] = 43;
-	literals["setroute"] = 152;
-	literals["vlan"] = 123;
-	literals["debugging"] = 101;
-	literals["controller"] = 112;
-	literals["interface"] = 95;
-	literals["dhcp"] = 137;
-	literals["aui"] = 116;
-	literals["Version"] = 59;
-	literals["auto"] = 117;
+	literals["setroute"] = 153;
+	literals["vlan"] = 124;
+	literals["debugging"] = 102;
+	literals["controller"] = 113;
+	literals["interface"] = 96;
+	literals["dhcp"] = 138;
+	literals["aui"] = 117;
+	literals["Version"] = 60;
+	literals["auto"] = 118;
 	literals["subnet"] = 35;
-	literals["time-exceeded"] = 90;
-	literals["outside"] = 113;
-	literals["shutdown"] = 135;
+	literals["time-exceeded"] = 91;
+	literals["outside"] = 114;
+	literals["shutdown"] = 136;
 	literals["group-object"] = 45;
-	literals["eq"] = 68;
-	literals["fragments"] = 110;
-	literals["unreachable"] = 94;
-	literals["delay"] = 128;
+	literals["eq"] = 69;
+	literals["fragments"] = 111;
+	literals["unreachable"] = 95;
+	literals["norandomseq"] = 150;
+	literals["delay"] = 129;
 	literals["ip"] = 6;
-	literals["security-level"] = 134;
-	literals["mobile-redirect"] = 84;
+	literals["security-level"] = 135;
+	literals["mobile-redirect"] = 85;
 	literals["ospf"] = 23;
 	literals["name"] = 10;
-	literals["errors"] = 103;
-	literals["mask-request"] = 83;
-	literals["PIX"] = 57;
-	literals["any"] = 96;
-	literals["ASA"] = 58;
+	literals["errors"] = 104;
+	literals["mask-request"] = 84;
+	literals["PIX"] = 58;
+	literals["any"] = 97;
+	literals["ASA"] = 59;
 	literals["pptp"] = 26;
-	literals["redirect"] = 86;
-	literals["forward"] = 127;
+	literals["redirect"] = 87;
+	literals["forward"] = 128;
 	literals["description"] = 32;
-	literals["timestamp-reply"] = 91;
-	literals["alerts"] = 99;
-	literals["lt"] = 70;
-	literals["bnc"] = 118;
-	literals["global"] = 146;
+	literals["timestamp-reply"] = 92;
+	literals["alerts"] = 100;
+	literals["netmask"] = 151;
+	literals["lt"] = 71;
+	literals["bnc"] = 119;
+	literals["global"] = 147;
 	literals["nos"] = 22;
-	literals["extended"] = 64;
-	literals["certificate"] = 56;
+	literals["extended"] = 65;
+	literals["certificate"] = 57;
 	literals["service"] = 36;
-	literals["telnet"] = 75;
+	literals["telnet"] = 76;
 	literals["udp"] = 41;
-	literals["hold-time"] = 129;
-	literals["baseT"] = 120;
+	literals["hold-time"] = 130;
+	literals["baseT"] = 121;
 	literals["ipinip"] = 20;
-	literals["standby"] = 138;
+	literals["standby"] = 139;
 	literals["crypto"] = 54;
 	literals["pim"] = 25;
-	literals["secondary"] = 151;
-	literals["emergencies"] = 102;
-	literals["disable"] = 107;
-	literals["mask-reply"] = 82;
+	literals["secondary"] = 152;
+	literals["emergencies"] = 103;
+	literals["disable"] = 108;
+	literals["mask-reply"] = 83;
 	literals["tcp"] = 40;
 	literals["tcp-udp"] = 51;
 	literals["source"] = 42;
 	literals["names"] = 9;
 	literals["icmp"] = 37;
-	literals["log"] = 97;
+	literals["log"] = 98;
 	literals["snp"] = 27;
-	literals["mac-address"] = 131;
-	literals["established"] = 76;
-	literals["deny"] = 66;
-	literals["information-request"] = 81;
-	literals["ssh"] = 74;
+	literals["mac-address"] = 132;
+	literals["established"] = 77;
+	literals["deny"] = 67;
+	literals["information-request"] = 82;
+	literals["ssh"] = 75;
 	literals["protocol-object"] = 48;
-	literals["gt"] = 69;
+	literals["gt"] = 70;
 	literals["ah"] = 14;
-	literals["interval"] = 109;
-	literals["ddns"] = 126;
-	literals["ipv6"] = 130;
-	literals["rip"] = 73;
-	literals["baseTX"] = 121;
-	literals["access-group"] = 142;
-	literals["critical"] = 100;
-	literals["standard"] = 67;
+	literals["interval"] = 110;
+	literals["ddns"] = 127;
+	literals["ipv6"] = 131;
+	literals["rip"] = 74;
+	literals["baseTX"] = 122;
+	literals["access-group"] = 144;
+	literals["critical"] = 101;
+	literals["standard"] = 68;
 	literals["quit"] = 5;
 	literals["community-list"] = 7;
 	literals["network-object"] = 46;
-	literals["hostname"] = 61;
-	literals["information-reply"] = 80;
+	literals["hostname"] = 62;
+	literals["information-reply"] = 81;
 	literals["icmp6"] = 39;
-	literals["switchport"] = 139;
+	literals["switchport"] = 140;
 	literals["ipsec"] = 21;
-	literals["conversion-error"] = 78;
+	literals["conversion-error"] = 79;
 	literals["host"] = 33;
-	literals["echo-reply"] = 79;
-	literals["nameif"] = 122;
+	literals["echo-reply"] = 80;
+	literals["nameif"] = 123;
 	literals["pcp"] = 24;
 	literals["service-object"] = 52;
 	literals["nat"] = 30;
-	literals["access-list"] = 63;
-	literals["informational"] = 104;
+	literals["access-list"] = 64;
+	literals["informational"] = 105;
 	literals["igrp"] = 19;
-	literals["traceroute"] = 93;
-	literals["address"] = 136;
-	literals["log-input"] = 98;
-	literals["router-advertisement"] = 87;
-	literals["router-solicitation"] = 88;
-	literals["access"] = 140;
+	literals["traceroute"] = 94;
+	literals["address"] = 137;
+	literals["log-input"] = 99;
+	literals["router-advertisement"] = 88;
+	literals["router-solicitation"] = 89;
+	literals["access"] = 141;
 	literals["icmp-object"] = 49;
-	literals["source-quench"] = 89;
+	literals["source-quench"] = 90;
+	literals["scopy"] = 142;
 	literals["protocol"] = 47;
-	literals["inactive"] = 108;
-	literals["multicast"] = 132;
-	literals["exit"] = 115;
-	literals["neq"] = 71;
-	literals["alternate-address"] = 77;
+	literals["inactive"] = 109;
+	literals["multicast"] = 133;
+	literals["exit"] = 116;
+	literals["neq"] = 72;
+	literals["alternate-address"] = 78;
 }
 
 ANTLR_USE_NAMESPACE(antlr)RefToken PIXCfgLexer::nextToken()
@@ -488,11 +492,11 @@ void PIXCfgLexer::mLINE_COMMENT(bool _createToken) {
 			}
 		}
 		else {
-			goto _loop263;
+			goto _loop268;
 		}
 		
 	}
-	_loop263:;
+	_loop268:;
 	} // ( ... )*
 	mNEWLINE(false);
 	if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) {
@@ -524,9 +528,9 @@ void PIXCfgLexer::mNEWLINE(bool _createToken) {
 	
 	}
 	if ( inputState->guessing==0 ) {
-#line 2228 "pix.g"
+#line 2266 "pix.g"
 		newline();
-#line 530 "PIXCfgLexer.cpp"
+#line 534 "PIXCfgLexer.cpp"
 	}
 	if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) {
 	   _token = makeToken(_ttype);
@@ -550,11 +554,11 @@ void PIXCfgLexer::mCOLON_COMMENT(bool _createToken) {
 			}
 		}
 		else {
-			goto _loop267;
+			goto _loop272;
 		}
 		
 	}
-	_loop267:;
+	_loop272:;
 	} // ( ... )*
 	mNEWLINE(false);
 	if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) {
@@ -648,9 +652,9 @@ void PIXCfgLexer::mWhitespace(bool _createToken) {
 	}
 	}
 	if ( inputState->guessing==0 ) {
-#line 2223 "pix.g"
+#line 2261 "pix.g"
 		_ttype = ANTLR_USE_NAMESPACE(antlr)Token::SKIP;
-#line 654 "PIXCfgLexer.cpp"
+#line 658 "PIXCfgLexer.cpp"
 	}
 	if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) {
 	   _token = makeToken(_ttype);
@@ -772,10 +776,10 @@ void PIXCfgLexer::mNUMBER_ADDRESS_OR_WORD(bool _createToken) {
 	ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex;
 	
 	{
-	bool synPredMatched328 = false;
+	bool synPredMatched333 = false;
 	if (((LA(1) == 0x6f /* 'o' */ ) && (LA(2) == 0x62 /* 'b' */ ) && (LA(3) == 0x6a /* 'j' */ ))) {
-		int _m328 = mark();
-		synPredMatched328 = true;
+		int _m333 = mark();
+		synPredMatched333 = true;
 		inputState->guessing++;
 		try {
 			{
@@ -784,12 +788,12 @@ void PIXCfgLexer::mNUMBER_ADDRESS_OR_WORD(bool _createToken) {
 			}
 		}
 		catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& pe) {
-			synPredMatched328 = false;
+			synPredMatched333 = false;
 		}
-		rewind(_m328);
+		rewind(_m333);
 		inputState->guessing--;
 	}
-	if ( synPredMatched328 ) {
+	if ( synPredMatched333 ) {
 		{
 		match("object");
 		{
@@ -799,17 +803,17 @@ void PIXCfgLexer::mNUMBER_ADDRESS_OR_WORD(bool _createToken) {
 			match("oup");
 			}
 			if ( inputState->guessing==0 ) {
-#line 2280 "pix.g"
+#line 2318 "pix.g"
 				_ttype = OBJECT_GROUP;
-#line 805 "PIXCfgLexer.cpp"
+#line 809 "PIXCfgLexer.cpp"
 			}
 		}
 		else {
 			match("");
 			if ( inputState->guessing==0 ) {
-#line 2282 "pix.g"
+#line 2320 "pix.g"
 				_ttype = OBJECT;
-#line 813 "PIXCfgLexer.cpp"
+#line 817 "PIXCfgLexer.cpp"
 			}
 		}
 		
@@ -817,15 +821,15 @@ void PIXCfgLexer::mNUMBER_ADDRESS_OR_WORD(bool _createToken) {
 		}
 	}
 	else {
-		bool synPredMatched318 = false;
+		bool synPredMatched323 = false;
 		if (((_tokenSet_2.member(LA(1))) && (_tokenSet_3.member(LA(2))) && (true))) {
-			int _m318 = mark();
-			synPredMatched318 = true;
+			int _m323 = mark();
+			synPredMatched323 = true;
 			inputState->guessing++;
 			try {
 				{
 				{ // ( ... )+
-				int _cnt317=0;
+				int _cnt322=0;
 				for (;;) {
 					switch ( LA(1)) {
 					case 0x61 /* 'a' */ :
@@ -854,27 +858,27 @@ void PIXCfgLexer::mNUMBER_ADDRESS_OR_WORD(bool _createToken) {
 					}
 					default:
 					{
-						if ( _cnt317>=1 ) { goto _loop317; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
+						if ( _cnt322>=1 ) { goto _loop322; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
 					}
 					}
-					_cnt317++;
+					_cnt322++;
 				}
-				_loop317:;
+				_loop322:;
 				}  // ( ... )+
 				mCOLON(false);
 				}
 			}
 			catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& pe) {
-				synPredMatched318 = false;
+				synPredMatched323 = false;
 			}
-			rewind(_m318);
+			rewind(_m323);
 			inputState->guessing--;
 		}
-		if ( synPredMatched318 ) {
+		if ( synPredMatched323 ) {
 			{
 			{
 			{ // ( ... )+
-			int _cnt322=0;
+			int _cnt327=0;
 			for (;;) {
 				switch ( LA(1)) {
 				case 0x61 /* 'a' */ :
@@ -903,15 +907,15 @@ void PIXCfgLexer::mNUMBER_ADDRESS_OR_WORD(bool _createToken) {
 				}
 				default:
 				{
-					if ( _cnt322>=1 ) { goto _loop322; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
+					if ( _cnt327>=1 ) { goto _loop327; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
 				}
 				}
-				_cnt322++;
+				_cnt327++;
 			}
-			_loop322:;
+			_loop327:;
 			}  // ( ... )+
 			{ // ( ... )+
-			int _cnt326=0;
+			int _cnt331=0;
 			for (;;) {
 				if ((LA(1) == 0x3a /* ':' */ )) {
 					mCOLON(false);
@@ -944,34 +948,34 @@ void PIXCfgLexer::mNUMBER_ADDRESS_OR_WORD(bool _createToken) {
 						}
 						default:
 						{
-							goto _loop325;
+							goto _loop330;
 						}
 						}
 					}
-					_loop325:;
+					_loop330:;
 					} // ( ... )*
 				}
 				else {
-					if ( _cnt326>=1 ) { goto _loop326; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
+					if ( _cnt331>=1 ) { goto _loop331; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
 				}
 				
-				_cnt326++;
+				_cnt331++;
 			}
-			_loop326:;
+			_loop331:;
 			}  // ( ... )+
 			}
 			if ( inputState->guessing==0 ) {
-#line 2273 "pix.g"
+#line 2311 "pix.g"
 				_ttype = IPV6;
-#line 967 "PIXCfgLexer.cpp"
+#line 971 "PIXCfgLexer.cpp"
 			}
 			}
 		}
 		else {
-			bool synPredMatched283 = false;
+			bool synPredMatched288 = false;
 			if ((((LA(1) >= 0x30 /* '0' */  && LA(1) <= 0x39 /* '9' */ )) && (true) && (true))) {
-				int _m283 = mark();
-				synPredMatched283 = true;
+				int _m288 = mark();
+				synPredMatched288 = true;
 				inputState->guessing++;
 				try {
 					{
@@ -979,242 +983,242 @@ void PIXCfgLexer::mNUMBER_ADDRESS_OR_WORD(bool _createToken) {
 					}
 				}
 				catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& pe) {
-					synPredMatched283 = false;
+					synPredMatched288 = false;
 				}
-				rewind(_m283);
+				rewind(_m288);
 				inputState->guessing--;
 			}
-			if ( synPredMatched283 ) {
+			if ( synPredMatched288 ) {
 				{
-				bool synPredMatched292 = false;
+				bool synPredMatched297 = false;
 				if ((((LA(1) >= 0x30 /* '0' */  && LA(1) <= 0x39 /* '9' */ )) && (_tokenSet_4.member(LA(2))) && (_tokenSet_4.member(LA(3))))) {
-					int _m292 = mark();
-					synPredMatched292 = true;
+					int _m297 = mark();
+					synPredMatched297 = true;
 					inputState->guessing++;
 					try {
 						{
 						{ // ( ... )+
-						int _cnt287=0;
+						int _cnt292=0;
 						for (;;) {
 							if (((LA(1) >= 0x30 /* '0' */  && LA(1) <= 0x39 /* '9' */ ))) {
 								mDIGIT(false);
 							}
 							else {
-								if ( _cnt287>=1 ) { goto _loop287; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
+								if ( _cnt292>=1 ) { goto _loop292; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
 							}
 							
-							_cnt287++;
+							_cnt292++;
 						}
-						_loop287:;
+						_loop292:;
 						}  // ( ... )+
 						mDOT(false);
 						{ // ( ... )+
-						int _cnt289=0;
+						int _cnt294=0;
 						for (;;) {
 							if (((LA(1) >= 0x30 /* '0' */  && LA(1) <= 0x39 /* '9' */ ))) {
 								mDIGIT(false);
 							}
 							else {
-								if ( _cnt289>=1 ) { goto _loop289; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
+								if ( _cnt294>=1 ) { goto _loop294; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
 							}
 							
-							_cnt289++;
+							_cnt294++;
 						}
-						_loop289:;
+						_loop294:;
 						}  // ( ... )+
 						mDOT(false);
 						{ // ( ... )+
-						int _cnt291=0;
+						int _cnt296=0;
 						for (;;) {
 							if (((LA(1) >= 0x30 /* '0' */  && LA(1) <= 0x39 /* '9' */ ))) {
 								mDIGIT(false);
 							}
 							else {
-								if ( _cnt291>=1 ) { goto _loop291; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
+								if ( _cnt296>=1 ) { goto _loop296; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
 							}
 							
-							_cnt291++;
+							_cnt296++;
 						}
-						_loop291:;
+						_loop296:;
 						}  // ( ... )+
 						}
 					}
 					catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& pe) {
-						synPredMatched292 = false;
+						synPredMatched297 = false;
 					}
-					rewind(_m292);
+					rewind(_m297);
 					inputState->guessing--;
 				}
-				if ( synPredMatched292 ) {
+				if ( synPredMatched297 ) {
 					{
 					{ // ( ... )+
-					int _cnt295=0;
+					int _cnt300=0;
 					for (;;) {
 						if (((LA(1) >= 0x30 /* '0' */  && LA(1) <= 0x39 /* '9' */ ))) {
 							mDIGIT(false);
 						}
 						else {
-							if ( _cnt295>=1 ) { goto _loop295; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
+							if ( _cnt300>=1 ) { goto _loop300; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
 						}
 						
-						_cnt295++;
+						_cnt300++;
 					}
-					_loop295:;
+					_loop300:;
 					}  // ( ... )+
 					mDOT(false);
 					{ // ( ... )+
-					int _cnt297=0;
+					int _cnt302=0;
 					for (;;) {
 						if (((LA(1) >= 0x30 /* '0' */  && LA(1) <= 0x39 /* '9' */ ))) {
 							mDIGIT(false);
 						}
 						else {
-							if ( _cnt297>=1 ) { goto _loop297; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
+							if ( _cnt302>=1 ) { goto _loop302; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
 						}
 						
-						_cnt297++;
+						_cnt302++;
 					}
-					_loop297:;
+					_loop302:;
 					}  // ( ... )+
 					mDOT(false);
 					{ // ( ... )+
-					int _cnt299=0;
+					int _cnt304=0;
 					for (;;) {
 						if (((LA(1) >= 0x30 /* '0' */  && LA(1) <= 0x39 /* '9' */ ))) {
 							mDIGIT(false);
 						}
 						else {
-							if ( _cnt299>=1 ) { goto _loop299; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
+							if ( _cnt304>=1 ) { goto _loop304; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
 						}
 						
-						_cnt299++;
+						_cnt304++;
 					}
-					_loop299:;
+					_loop304:;
 					}  // ( ... )+
 					mDOT(false);
 					{ // ( ... )+
-					int _cnt301=0;
+					int _cnt306=0;
 					for (;;) {
 						if (((LA(1) >= 0x30 /* '0' */  && LA(1) <= 0x39 /* '9' */ ))) {
 							mDIGIT(false);
 						}
 						else {
-							if ( _cnt301>=1 ) { goto _loop301; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
+							if ( _cnt306>=1 ) { goto _loop306; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
 						}
 						
-						_cnt301++;
+						_cnt306++;
 					}
-					_loop301:;
+					_loop306:;
 					}  // ( ... )+
 					}
 					if ( inputState->guessing==0 ) {
-#line 2261 "pix.g"
+#line 2299 "pix.g"
 						_ttype = IPV4;
-#line 1114 "PIXCfgLexer.cpp"
+#line 1118 "PIXCfgLexer.cpp"
 					}
 				}
 				else {
-					bool synPredMatched307 = false;
+					bool synPredMatched312 = false;
 					if ((((LA(1) >= 0x30 /* '0' */  && LA(1) <= 0x39 /* '9' */ )) && (_tokenSet_4.member(LA(2))) && (_tokenSet_4.member(LA(3))))) {
-						int _m307 = mark();
-						synPredMatched307 = true;
+						int _m312 = mark();
+						synPredMatched312 = true;
 						inputState->guessing++;
 						try {
 							{
 							{ // ( ... )+
-							int _cnt304=0;
+							int _cnt309=0;
 							for (;;) {
 								if (((LA(1) >= 0x30 /* '0' */  && LA(1) <= 0x39 /* '9' */ ))) {
 									mDIGIT(false);
 								}
 								else {
-									if ( _cnt304>=1 ) { goto _loop304; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
+									if ( _cnt309>=1 ) { goto _loop309; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
 								}
 								
-								_cnt304++;
+								_cnt309++;
 							}
-							_loop304:;
+							_loop309:;
 							}  // ( ... )+
 							mDOT(false);
 							{ // ( ... )+
-							int _cnt306=0;
+							int _cnt311=0;
 							for (;;) {
 								if (((LA(1) >= 0x30 /* '0' */  && LA(1) <= 0x39 /* '9' */ ))) {
 									mDIGIT(false);
 								}
 								else {
-									if ( _cnt306>=1 ) { goto _loop306; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
+									if ( _cnt311>=1 ) { goto _loop311; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
 								}
 								
-								_cnt306++;
+								_cnt311++;
 							}
-							_loop306:;
+							_loop311:;
 							}  // ( ... )+
 							}
 						}
 						catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& pe) {
-							synPredMatched307 = false;
+							synPredMatched312 = false;
 						}
-						rewind(_m307);
+						rewind(_m312);
 						inputState->guessing--;
 					}
-					if ( synPredMatched307 ) {
+					if ( synPredMatched312 ) {
 						{
 						{ // ( ... )+
-						int _cnt310=0;
+						int _cnt315=0;
 						for (;;) {
 							if (((LA(1) >= 0x30 /* '0' */  && LA(1) <= 0x39 /* '9' */ ))) {
 								mDIGIT(false);
 							}
 							else {
-								if ( _cnt310>=1 ) { goto _loop310; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
+								if ( _cnt315>=1 ) { goto _loop315; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
 							}
 							
-							_cnt310++;
+							_cnt315++;
 						}
-						_loop310:;
+						_loop315:;
 						}  // ( ... )+
 						mDOT(false);
 						{ // ( ... )+
-						int _cnt312=0;
+						int _cnt317=0;
 						for (;;) {
 							if (((LA(1) >= 0x30 /* '0' */  && LA(1) <= 0x39 /* '9' */ ))) {
 								mDIGIT(false);
 							}
 							else {
-								if ( _cnt312>=1 ) { goto _loop312; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
+								if ( _cnt317>=1 ) { goto _loop317; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
 							}
 							
-							_cnt312++;
+							_cnt317++;
 						}
-						_loop312:;
+						_loop317:;
 						}  // ( ... )+
 						}
 						if ( inputState->guessing==0 ) {
-#line 2264 "pix.g"
+#line 2302 "pix.g"
 							_ttype = NUMBER;
-#line 1197 "PIXCfgLexer.cpp"
+#line 1201 "PIXCfgLexer.cpp"
 						}
 					}
 					else if (((LA(1) >= 0x30 /* '0' */  && LA(1) <= 0x39 /* '9' */ )) && (true) && (true)) {
 						{ // ( ... )+
-						int _cnt314=0;
+						int _cnt319=0;
 						for (;;) {
 							if (((LA(1) >= 0x30 /* '0' */  && LA(1) <= 0x39 /* '9' */ ))) {
 								mDIGIT(false);
 							}
 							else {
-								if ( _cnt314>=1 ) { goto _loop314; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
+								if ( _cnt319>=1 ) { goto _loop319; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
 							}
 							
-							_cnt314++;
+							_cnt319++;
 						}
-						_loop314:;
+						_loop319:;
 						}  // ( ... )+
 						if ( inputState->guessing==0 ) {
-#line 2266 "pix.g"
+#line 2304 "pix.g"
 							_ttype = INT_CONST;
-#line 1218 "PIXCfgLexer.cpp"
+#line 1222 "PIXCfgLexer.cpp"
 						}
 					}
 				else {
@@ -1312,13 +1316,28 @@ void PIXCfgLexer::mNUMBER_ADDRESS_OR_WORD(bool _createToken) {
 						break;
 					}
 					case 0x2a /* '*' */ :
+					{
+						match('*' /* charlit */ );
+						break;
+					}
 					case 0x2b /* '+' */ :
-					case 0x2c /* ',' */ :
+					{
+						match('+' /* charlit */ );
+						break;
+					}
 					case 0x2d /* '-' */ :
+					{
+						match('-' /* charlit */ );
+						break;
+					}
 					case 0x2e /* '.' */ :
+					{
+						match('.' /* charlit */ );
+						break;
+					}
 					case 0x2f /* '/' */ :
 					{
-						matchRange('*','/');
+						match('/' /* charlit */ );
 						break;
 					}
 					case 0x30 /* '0' */ :
@@ -1452,16 +1471,16 @@ void PIXCfgLexer::mNUMBER_ADDRESS_OR_WORD(bool _createToken) {
 					}
 					default:
 					{
-						goto _loop334;
+						goto _loop339;
 					}
 					}
 				}
-				_loop334:;
+				_loop339:;
 				} // ( ... )*
 				if ( inputState->guessing==0 ) {
-#line 2289 "pix.g"
+#line 2329 "pix.g"
 					_ttype = WORD;
-#line 1465 "PIXCfgLexer.cpp"
+#line 1484 "PIXCfgLexer.cpp"
 				}
 			}
 	else {
@@ -1503,11 +1522,11 @@ void PIXCfgLexer::mSTRING(bool _createToken) {
 			matchNot('\"' /* charlit */ );
 		}
 		else {
-			goto _loop337;
+			goto _loop342;
 		}
 		
 	}
-	_loop337:;
+	_loop342:;
 	} // ( ... )*
 	match('\"' /* charlit */ );
 	if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) {
@@ -1889,7 +1908,7 @@ const unsigned long PIXCfgLexer::_tokenSet_0_data_[] = { 4294958072UL, 1UL, 0UL,
 // 0x82 0x83 0x84 0x85 0x86 0x87 0x88 0x89 0x8a 0x8b 0x8c 0x8d 0x8e 0x8f 
 // 0x90 0x91 0x92 0x93 0x94 0x95 0x96 0x97 0x98 0x99 0x9a 0x9b 0x9c 0x9d 
 // 0x9e 0x9f 0xa0 0xa1 0xa2 0xa3 0xa4 0xa5 0xa6 0xa7 0xa8 0xa9 0xaa 0xab 
-// 0xac 0xad 0xae 0xaf 0xb0 0xb1 0xb2 0xb3 0xb4 0xb5 0xb6 0xb7 
+// 0xac 0xad 0xae 0xaf 0xb0 0xb1 0xb2 0xb3 0xb4 0xb5 0xb6 0xb7 0xb8 
 const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgLexer::_tokenSet_0(_tokenSet_0_data_,16);
 const unsigned long PIXCfgLexer::_tokenSet_1_data_[] = { 4294958072UL, 4294967295UL, 4294967295UL, 4294967295UL, 4294967295UL, 4294967295UL, 4294967295UL, 4294967295UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL };
 // 0x3 0x4 0x5 0x6 0x7 0x8 0x9 0xb 0xc 0xe 0xf 0x10 0x11 0x12 0x13 0x14 
@@ -1900,7 +1919,7 @@ const unsigned long PIXCfgLexer::_tokenSet_1_data_[] = { 4294958072UL, 429496729
 // 0x84 0x85 0x86 0x87 0x88 0x89 0x8a 0x8b 0x8c 0x8d 0x8e 0x8f 0x90 0x91 
 // 0x92 0x93 0x94 0x95 0x96 0x97 0x98 0x99 0x9a 0x9b 0x9c 0x9d 0x9e 0x9f 
 // 0xa0 0xa1 0xa2 0xa3 0xa4 0xa5 0xa6 0xa7 0xa8 0xa9 0xaa 0xab 0xac 0xad 
-// 0xae 0xaf 0xb0 0xb1 0xb2 0xb3 0xb4 0xb5 0xb6 0xb7 
+// 0xae 0xaf 0xb0 0xb1 0xb2 0xb3 0xb4 0xb5 0xb6 0xb7 0xb8 
 const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgLexer::_tokenSet_1(_tokenSet_1_data_,16);
 const unsigned long PIXCfgLexer::_tokenSet_2_data_[] = { 0UL, 67043328UL, 0UL, 126UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL };
 // 0 1 2 3 4 5 6 7 8 9 a b c d e f 
@@ -1924,6 +1943,6 @@ const unsigned long PIXCfgLexer::_tokenSet_6_data_[] = { 4294967288UL, 429496729
 // 0x84 0x85 0x86 0x87 0x88 0x89 0x8a 0x8b 0x8c 0x8d 0x8e 0x8f 0x90 0x91 
 // 0x92 0x93 0x94 0x95 0x96 0x97 0x98 0x99 0x9a 0x9b 0x9c 0x9d 0x9e 0x9f 
 // 0xa0 0xa1 0xa2 0xa3 0xa4 0xa5 0xa6 0xa7 0xa8 0xa9 0xaa 0xab 0xac 0xad 
-// 0xae 0xaf 0xb0 0xb1 0xb2 0xb3 0xb4 0xb5 0xb6 0xb7 
+// 0xae 0xaf 0xb0 0xb1 0xb2 0xb3 0xb4 0xb5 0xb6 0xb7 0xb8 
 const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgLexer::_tokenSet_6(_tokenSet_6_data_,16);
 
diff --git a/src/parsers/PIXCfgParser.cpp b/src/parsers/PIXCfgParser.cpp
index 350710208..285d24582 100644
--- a/src/parsers/PIXCfgParser.cpp
+++ b/src/parsers/PIXCfgParser.cpp
@@ -45,7 +45,6 @@ PIXCfgParser::PIXCfgParser(const ANTLR_USE_NAMESPACE(antlr)ParserSharedInputStat
 }
 
 void PIXCfgParser::cfgfile() {
-	Tracer traceInOut(this, "cfgfile");
 	
 	try {      // for error handling
 		{ // ( ... )+
@@ -164,6 +163,11 @@ void PIXCfgParser::cfgfile() {
 				timeout_command();
 				break;
 			}
+			case DNS:
+			{
+				dns_command();
+				break;
+			}
 			case WORD:
 			{
 				unknown_command();
@@ -222,7 +226,6 @@ void PIXCfgParser::cfgfile() {
 }
 
 void PIXCfgParser::comment() {
-	Tracer traceInOut(this, "comment");
 	
 	try {      // for error handling
 		{
@@ -255,7 +258,6 @@ void PIXCfgParser::comment() {
 }
 
 void PIXCfgParser::version() {
-	Tracer traceInOut(this, "version");
 	
 	try {      // for error handling
 		{
@@ -279,14 +281,14 @@ void PIXCfgParser::version() {
 		match(VERSION_WORD);
 		match(NUMBER);
 		if ( inputState->guessing==0 ) {
-#line 824 "pix.g"
+#line 836 "pix.g"
 			
 			importer->setCurrentLineNumber(LT(0)->getLine());
 			importer->setDiscoveredVersion(LT(0)->getText());
 			*dbg << "VERSION " << LT(0)->getText() << std::endl;
 			consumeUntil(NEWLINE);
 			
-#line 290 "PIXCfgParser.cpp"
+#line 292 "PIXCfgParser.cpp"
 		}
 	}
 	catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
@@ -300,7 +302,6 @@ void PIXCfgParser::version() {
 }
 
 void PIXCfgParser::hostname() {
-	Tracer traceInOut(this, "hostname");
 	
 	try {      // for error handling
 		match(HOSTNAME);
@@ -323,7 +324,7 @@ void PIXCfgParser::hostname() {
 		}
 		}
 		if ( inputState->guessing==0 ) {
-#line 834 "pix.g"
+#line 846 "pix.g"
 			
 			importer->setCurrentLineNumber(LT(0)->getLine());
 			importer->setHostName( LT(0)->getText() );
@@ -331,7 +332,7 @@ void PIXCfgParser::hostname() {
 			<< "LT0=" << LT(0)->getText()
 			<< std::endl;
 			
-#line 335 "PIXCfgParser.cpp"
+#line 336 "PIXCfgParser.cpp"
 		}
 	}
 	catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
@@ -345,13 +346,12 @@ void PIXCfgParser::hostname() {
 }
 
 void PIXCfgParser::community_list_command() {
-	Tracer traceInOut(this, "community_list_command");
 	
 	try {      // for error handling
 		match(IP);
 		match(COMMUNITY_LIST);
 		if ( inputState->guessing==0 ) {
-#line 193 "pix.g"
+#line 195 "pix.g"
 			
 			consumeUntil(NEWLINE);
 			
@@ -369,17 +369,16 @@ void PIXCfgParser::community_list_command() {
 }
 
 void PIXCfgParser::unknown_ip_command() {
-	Tracer traceInOut(this, "unknown_ip_command");
 	
 	try {      // for error handling
 		match(IP);
 		match(WORD);
 		if ( inputState->guessing==0 ) {
-#line 793 "pix.g"
+#line 798 "pix.g"
 			
 			consumeUntil(NEWLINE);
 			
-#line 383 "PIXCfgParser.cpp"
+#line 382 "PIXCfgParser.cpp"
 		}
 	}
 	catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
@@ -393,7 +392,6 @@ void PIXCfgParser::unknown_ip_command() {
 }
 
 void PIXCfgParser::intrface() {
-	Tracer traceInOut(this, "intrface");
 	
 	try {      // for error handling
 		match(INTRFACE);
@@ -421,35 +419,34 @@ void PIXCfgParser::intrface() {
 }
 
 void PIXCfgParser::nameif_top_level() {
-	Tracer traceInOut(this, "nameif_top_level");
-#line 1387 "pix.g"
+#line 1399 "pix.g"
 	
 	std::string intf_name, intf_label, sec_level;
 	
-#line 430 "PIXCfgParser.cpp"
+#line 427 "PIXCfgParser.cpp"
 	
 	try {      // for error handling
 		match(NAMEIF);
 		match(WORD);
 		if ( inputState->guessing==0 ) {
-#line 1392 "pix.g"
+#line 1404 "pix.g"
 			intf_name = LT(0)->getText();
-#line 438 "PIXCfgParser.cpp"
+#line 435 "PIXCfgParser.cpp"
 		}
 		interface_label();
 		if ( inputState->guessing==0 ) {
-#line 1393 "pix.g"
+#line 1405 "pix.g"
 			intf_label = LT(0)->getText();
-#line 444 "PIXCfgParser.cpp"
+#line 441 "PIXCfgParser.cpp"
 		}
 		match(WORD);
 		if ( inputState->guessing==0 ) {
-#line 1394 "pix.g"
+#line 1406 "pix.g"
 			sec_level = LT(0)->getText();
-#line 450 "PIXCfgParser.cpp"
+#line 447 "PIXCfgParser.cpp"
 		}
 		if ( inputState->guessing==0 ) {
-#line 1395 "pix.g"
+#line 1407 "pix.g"
 			
 			importer->setInterfaceParametes(intf_name, intf_label, sec_level);
 			*dbg << " NAMEIF: "
@@ -457,7 +454,7 @@ void PIXCfgParser::nameif_top_level() {
 			<< intf_label << " "
 			<< sec_level << std::endl;
 			
-#line 461 "PIXCfgParser.cpp"
+#line 458 "PIXCfgParser.cpp"
 		}
 	}
 	catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
@@ -471,17 +468,16 @@ void PIXCfgParser::nameif_top_level() {
 }
 
 void PIXCfgParser::controller() {
-	Tracer traceInOut(this, "controller");
 	
 	try {      // for error handling
 		match(CONTROLLER);
 		if ( inputState->guessing==0 ) {
-#line 1299 "pix.g"
+#line 1311 "pix.g"
 			
 			importer->clearCurrentInterface();
 			consumeUntil(NEWLINE);
 			
-#line 485 "PIXCfgParser.cpp"
+#line 481 "PIXCfgParser.cpp"
 		}
 	}
 	catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
@@ -495,7 +491,6 @@ void PIXCfgParser::controller() {
 }
 
 void PIXCfgParser::access_list_commands() {
-	Tracer traceInOut(this, "access_list_commands");
 	ANTLR_USE_NAMESPACE(antlr)RefToken  name = ANTLR_USE_NAMESPACE(antlr)nullToken;
 	
 	try {      // for error handling
@@ -503,7 +498,7 @@ void PIXCfgParser::access_list_commands() {
 		name = LT(1);
 		match(WORD);
 		if ( inputState->guessing==0 ) {
-#line 846 "pix.g"
+#line 858 "pix.g"
 			
 			importer->clear();
 			importer->setCurrentLineNumber(LT(0)->getLine());
@@ -512,7 +507,7 @@ void PIXCfgParser::access_list_commands() {
 			*dbg << name->getLine() << ":"
 			<< " ACL ext " << name->getText() << std::endl;
 			
-#line 516 "PIXCfgParser.cpp"
+#line 511 "PIXCfgParser.cpp"
 		}
 		{
 		switch ( LA(1)) {
@@ -551,12 +546,12 @@ void PIXCfgParser::access_list_commands() {
 		}
 		}
 		if ( inputState->guessing==0 ) {
-#line 869 "pix.g"
+#line 881 "pix.g"
 			
 			*dbg << LT(0)->getLine() << ":"
 			<< " ACL line end" << std::endl << std::endl;
 			
-#line 560 "PIXCfgParser.cpp"
+#line 555 "PIXCfgParser.cpp"
 		}
 	}
 	catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
@@ -570,16 +565,15 @@ void PIXCfgParser::access_list_commands() {
 }
 
 void PIXCfgParser::ssh_command() {
-	Tracer traceInOut(this, "ssh_command");
 	
 	try {      // for error handling
 		match(SSH);
 		if ( inputState->guessing==0 ) {
-#line 1634 "pix.g"
+#line 1646 "pix.g"
 			
 			importer->clear();
 			
-#line 583 "PIXCfgParser.cpp"
+#line 577 "PIXCfgParser.cpp"
 		}
 		{
 		switch ( LA(1)) {
@@ -589,6 +583,18 @@ void PIXCfgParser::ssh_command() {
 			match(TIMEOUT);
 			match(INT_CONST);
 			}
+			if ( inputState->guessing==0 ) {
+#line 1651 "pix.g"
+				
+				// set ssh timeout here
+				
+#line 592 "PIXCfgParser.cpp"
+			}
+			break;
+		}
+		case SCOPY:
+		{
+			match(SCOPY);
 			break;
 		}
 		case IPV4:
@@ -601,16 +607,16 @@ void PIXCfgParser::ssh_command() {
 			{
 			hostaddr_expr();
 			if ( inputState->guessing==0 ) {
-#line 1641 "pix.g"
+#line 1659 "pix.g"
 				
 				importer->SaveTmpAddrToSrc();
 				
-#line 609 "PIXCfgParser.cpp"
+#line 615 "PIXCfgParser.cpp"
 			}
 			interface_label();
 			}
 			if ( inputState->guessing==0 ) {
-#line 1646 "pix.g"
+#line 1664 "pix.g"
 				
 				std::string intf_label = LT(0)->getText();
 				std::string acl_name = "ssh_commands_" + intf_label;
@@ -627,7 +633,7 @@ void PIXCfgParser::ssh_command() {
 				importer->pushRule();
 				*dbg << std::endl;
 				
-#line 631 "PIXCfgParser.cpp"
+#line 637 "PIXCfgParser.cpp"
 			}
 			break;
 		}
@@ -649,16 +655,15 @@ void PIXCfgParser::ssh_command() {
 }
 
 void PIXCfgParser::telnet_command() {
-	Tracer traceInOut(this, "telnet_command");
 	
 	try {      // for error handling
 		match(TELNET);
 		if ( inputState->guessing==0 ) {
-#line 1666 "pix.g"
+#line 1684 "pix.g"
 			
 			importer->clear();
 			
-#line 662 "PIXCfgParser.cpp"
+#line 667 "PIXCfgParser.cpp"
 		}
 		{
 		switch ( LA(1)) {
@@ -680,16 +685,16 @@ void PIXCfgParser::telnet_command() {
 			{
 			hostaddr_expr();
 			if ( inputState->guessing==0 ) {
-#line 1673 "pix.g"
+#line 1691 "pix.g"
 				
 				importer->SaveTmpAddrToSrc();
 				
-#line 688 "PIXCfgParser.cpp"
+#line 693 "PIXCfgParser.cpp"
 			}
 			interface_label();
 			}
 			if ( inputState->guessing==0 ) {
-#line 1678 "pix.g"
+#line 1696 "pix.g"
 				
 				std::string intf_label = LT(0)->getText();
 				std::string acl_name = "telnet_commands_" + intf_label;
@@ -706,7 +711,7 @@ void PIXCfgParser::telnet_command() {
 				importer->pushRule();
 				*dbg << std::endl;
 				
-#line 710 "PIXCfgParser.cpp"
+#line 715 "PIXCfgParser.cpp"
 			}
 			break;
 		}
@@ -728,7 +733,6 @@ void PIXCfgParser::telnet_command() {
 }
 
 void PIXCfgParser::icmp_top_level_command() {
-	Tracer traceInOut(this, "icmp_top_level_command");
 	ANTLR_USE_NAMESPACE(antlr)RefToken  permit = ANTLR_USE_NAMESPACE(antlr)nullToken;
 	ANTLR_USE_NAMESPACE(antlr)RefToken  deny = ANTLR_USE_NAMESPACE(antlr)nullToken;
 	
@@ -741,11 +745,11 @@ void PIXCfgParser::icmp_top_level_command() {
 			{
 			match(UNREACHABLE);
 			if ( inputState->guessing==0 ) {
-#line 1707 "pix.g"
+#line 1725 "pix.g"
 				
 				consumeUntil(NEWLINE);
 				
-#line 749 "PIXCfgParser.cpp"
+#line 753 "PIXCfgParser.cpp"
 			}
 			}
 			break;
@@ -775,19 +779,19 @@ void PIXCfgParser::icmp_top_level_command() {
 			}
 			}
 			if ( inputState->guessing==0 ) {
-#line 1714 "pix.g"
+#line 1732 "pix.g"
 				
 				importer->clear();
 				
-#line 783 "PIXCfgParser.cpp"
+#line 787 "PIXCfgParser.cpp"
 			}
 			hostaddr_expr();
 			if ( inputState->guessing==0 ) {
-#line 1718 "pix.g"
+#line 1736 "pix.g"
 				
 				importer->SaveTmpAddrToSrc();
 				
-#line 791 "PIXCfgParser.cpp"
+#line 795 "PIXCfgParser.cpp"
 			}
 			{
 			switch ( LA(1)) {
@@ -813,7 +817,7 @@ void PIXCfgParser::icmp_top_level_command() {
 			}
 			interface_label();
 			if ( inputState->guessing==0 ) {
-#line 1723 "pix.g"
+#line 1741 "pix.g"
 				
 				std::string intf_label = LT(0)->getText();
 				std::string acl_name = "icmp_commands_" + intf_label;
@@ -828,7 +832,7 @@ void PIXCfgParser::icmp_top_level_command() {
 				acl_name, intf_label, "in" );
 				importer->pushRule();
 				
-#line 832 "PIXCfgParser.cpp"
+#line 836 "PIXCfgParser.cpp"
 			}
 			}
 			break;
@@ -851,20 +855,19 @@ void PIXCfgParser::icmp_top_level_command() {
 }
 
 void PIXCfgParser::nat_old_top_level_command() {
-	Tracer traceInOut(this, "nat_old_top_level_command");
 	
 	try {      // for error handling
 		match(NAT);
 		match(OPENING_PAREN);
 		interface_label();
 		if ( inputState->guessing==0 ) {
-#line 1809 "pix.g"
+#line 1827 "pix.g"
 			importer->prenat_interface = LT(0)->getText();
-#line 864 "PIXCfgParser.cpp"
+#line 867 "PIXCfgParser.cpp"
 		}
 		match(CLOSING_PAREN);
 		if ( inputState->guessing==0 ) {
-#line 1811 "pix.g"
+#line 1829 "pix.g"
 			
 			importer->clear();
 			importer->setCurrentLineNumber(LT(0)->getLine());
@@ -873,25 +876,25 @@ void PIXCfgParser::nat_old_top_level_command() {
 			importer->rule_type = libfwbuilder::NATRule::SNAT;
 			
 			
-#line 877 "PIXCfgParser.cpp"
+#line 880 "PIXCfgParser.cpp"
 		}
 		match(INT_CONST);
 		if ( inputState->guessing==0 ) {
-#line 1822 "pix.g"
+#line 1840 "pix.g"
 			
 			importer->nat_num = LT(0)->getText();
 			
-#line 885 "PIXCfgParser.cpp"
+#line 888 "PIXCfgParser.cpp"
 		}
 		nat_addr_match();
 		nat_command_last_parameters();
 		match(NEWLINE);
 		if ( inputState->guessing==0 ) {
-#line 1834 "pix.g"
+#line 1852 "pix.g"
 			
 			importer->pushNATRule();
 			
-#line 895 "PIXCfgParser.cpp"
+#line 898 "PIXCfgParser.cpp"
 		}
 	}
 	catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
@@ -905,7 +908,6 @@ void PIXCfgParser::nat_old_top_level_command() {
 }
 
 void PIXCfgParser::global_top_level_command() {
-	Tracer traceInOut(this, "global_top_level_command");
 	ANTLR_USE_NAMESPACE(antlr)RefToken  num = ANTLR_USE_NAMESPACE(antlr)nullToken;
 	
 	try {      // for error handling
@@ -913,15 +915,15 @@ void PIXCfgParser::global_top_level_command() {
 		match(OPENING_PAREN);
 		interface_label();
 		if ( inputState->guessing==0 ) {
-#line 1880 "pix.g"
+#line 1898 "pix.g"
 			importer->global_interface = LT(0)->getText();
-#line 919 "PIXCfgParser.cpp"
+#line 921 "PIXCfgParser.cpp"
 		}
 		match(CLOSING_PAREN);
 		num = LT(1);
 		match(INT_CONST);
 		if ( inputState->guessing==0 ) {
-#line 1882 "pix.g"
+#line 1900 "pix.g"
 			
 			importer->clear();
 			importer->setCurrentLineNumber(LT(0)->getLine());
@@ -932,14 +934,14 @@ void PIXCfgParser::global_top_level_command() {
 			<< importer->global_interface
 			<< std::endl;
 			
-#line 936 "PIXCfgParser.cpp"
+#line 938 "PIXCfgParser.cpp"
 		}
 		if ( inputState->guessing==0 ) {
-#line 1892 "pix.g"
+#line 1910 "pix.g"
 			
 			consumeUntil(NEWLINE);
 			
-#line 943 "PIXCfgParser.cpp"
+#line 945 "PIXCfgParser.cpp"
 		}
 	}
 	catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
@@ -953,35 +955,46 @@ void PIXCfgParser::global_top_level_command() {
 }
 
 void PIXCfgParser::static_top_level_command() {
-	Tracer traceInOut(this, "static_top_level_command");
-	ANTLR_USE_NAMESPACE(antlr)RefToken  prenat_intf = ANTLR_USE_NAMESPACE(antlr)nullToken;
-	ANTLR_USE_NAMESPACE(antlr)RefToken  postnat_intf = ANTLR_USE_NAMESPACE(antlr)nullToken;
 	
 	try {      // for error handling
 		match(STATIC);
-		match(OPENING_PAREN);
-		prenat_intf = LT(1);
-		match(WORD);
-		match(COMMA);
-		postnat_intf = LT(1);
-		match(WORD);
-		match(CLOSING_PAREN);
 		if ( inputState->guessing==0 ) {
-#line 1900 "pix.g"
+#line 1917 "pix.g"
 			
 			importer->clear();
+			
+#line 967 "PIXCfgParser.cpp"
+		}
+		match(OPENING_PAREN);
+		interface_label();
+		if ( inputState->guessing==0 ) {
+#line 1921 "pix.g"
+			importer->prenat_interface = LT(0)->getText();
+#line 974 "PIXCfgParser.cpp"
+		}
+		match(COMMA);
+		interface_label();
+		if ( inputState->guessing==0 ) {
+#line 1923 "pix.g"
+			importer->postnat_interface = LT(0)->getText();
+#line 981 "PIXCfgParser.cpp"
+		}
+		match(CLOSING_PAREN);
+		if ( inputState->guessing==0 ) {
+#line 1925 "pix.g"
+			
 			importer->setCurrentLineNumber(LT(0)->getLine());
 			importer->newUnidirRuleSet("nat", libfwbuilder::NAT::TYPENAME );
-			*dbg << " DNAT rule " << std::endl;
+			importer->newNATRule();
+			*dbg << " DNAT rule ";
 			importer->rule_type = libfwbuilder::NATRule::DNAT;
-			importer->prenat_interface = prenat_intf->getText();
-			importer->postnat_interface = postnat_intf->getText();
 			
-#line 981 "PIXCfgParser.cpp"
+#line 993 "PIXCfgParser.cpp"
 		}
 		{
 		switch ( LA(1)) {
-		case HOST:
+		case IPV4:
+		case IPV6:
 		case INTRFACE:
 		{
 			static_starts_with_hostaddr();
@@ -1001,11 +1014,12 @@ void PIXCfgParser::static_top_level_command() {
 		}
 		match(NEWLINE);
 		if ( inputState->guessing==0 ) {
-#line 1919 "pix.g"
+#line 1942 "pix.g"
 			
 			importer->pushNATRule();
+			*dbg << std::endl;
 			
-#line 1009 "PIXCfgParser.cpp"
+#line 1023 "PIXCfgParser.cpp"
 		}
 	}
 	catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
@@ -1019,7 +1033,6 @@ void PIXCfgParser::static_top_level_command() {
 }
 
 void PIXCfgParser::access_group() {
-	Tracer traceInOut(this, "access_group");
 	ANTLR_USE_NAMESPACE(antlr)RefToken  aclname = ANTLR_USE_NAMESPACE(antlr)nullToken;
 	ANTLR_USE_NAMESPACE(antlr)RefToken  dir = ANTLR_USE_NAMESPACE(antlr)nullToken;
 	
@@ -1032,7 +1045,7 @@ void PIXCfgParser::access_group() {
 		match(INTRFACE);
 		interface_label();
 		if ( inputState->guessing==0 ) {
-#line 1782 "pix.g"
+#line 1800 "pix.g"
 			
 			std::string intf_label = LT(0)->getText();
 			importer->setCurrentLineNumber(LT(0)->getLine());
@@ -1045,7 +1058,7 @@ void PIXCfgParser::access_group() {
 			<< " " << intf_label
 			<< " " << dir->getText() << std::endl;
 			
-#line 1049 "PIXCfgParser.cpp"
+#line 1062 "PIXCfgParser.cpp"
 		}
 	}
 	catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
@@ -1059,7 +1072,6 @@ void PIXCfgParser::access_group() {
 }
 
 void PIXCfgParser::exit() {
-	Tracer traceInOut(this, "exit");
 	
 	try {      // for error handling
 		match(EXIT);
@@ -1075,18 +1087,17 @@ void PIXCfgParser::exit() {
 }
 
 void PIXCfgParser::certificate() {
-	Tracer traceInOut(this, "certificate");
 	
 	try {      // for error handling
 		match(CERTIFICATE);
 		match(WORD);
 		if ( inputState->guessing==0 ) {
-#line 816 "pix.g"
+#line 828 "pix.g"
 			
 			consumeUntil(NEWLINE);
 			consumeUntil(QUIT);
 			
-#line 1090 "PIXCfgParser.cpp"
+#line 1101 "PIXCfgParser.cpp"
 		}
 	}
 	catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
@@ -1100,16 +1111,15 @@ void PIXCfgParser::certificate() {
 }
 
 void PIXCfgParser::quit() {
-	Tracer traceInOut(this, "quit");
 	
 	try {      // for error handling
 		match(QUIT);
 		if ( inputState->guessing==0 ) {
-#line 186 "pix.g"
+#line 188 "pix.g"
 			
 			consumeUntil(NEWLINE);
 			
-#line 1113 "PIXCfgParser.cpp"
+#line 1123 "PIXCfgParser.cpp"
 		}
 	}
 	catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
@@ -1123,12 +1133,11 @@ void PIXCfgParser::quit() {
 }
 
 void PIXCfgParser::names_section() {
-	Tracer traceInOut(this, "names_section");
 	
 	try {      // for error handling
 		match(NAMES);
 		if ( inputState->guessing==0 ) {
-#line 207 "pix.g"
+#line 209 "pix.g"
 			
 			importer->setCurrentLineNumber(LT(0)->getLine());
 			importer->addMessageToLog(
@@ -1136,7 +1145,7 @@ void PIXCfgParser::names_section() {
 			"Import of configuration that uses \"names\" "
 			"is not supported at this time");
 			
-#line 1140 "PIXCfgParser.cpp"
+#line 1149 "PIXCfgParser.cpp"
 		}
 	}
 	catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
@@ -1150,7 +1159,6 @@ void PIXCfgParser::names_section() {
 }
 
 void PIXCfgParser::name_entry() {
-	Tracer traceInOut(this, "name_entry");
 	ANTLR_USE_NAMESPACE(antlr)RefToken  a = ANTLR_USE_NAMESPACE(antlr)nullToken;
 	ANTLR_USE_NAMESPACE(antlr)RefToken  v6 = ANTLR_USE_NAMESPACE(antlr)nullToken;
 	ANTLR_USE_NAMESPACE(antlr)RefToken  n = ANTLR_USE_NAMESPACE(antlr)nullToken;
@@ -1180,7 +1188,7 @@ void PIXCfgParser::name_entry() {
 		n = LT(1);
 		match(WORD);
 		if ( inputState->guessing==0 ) {
-#line 217 "pix.g"
+#line 219 "pix.g"
 			
 			if (a)
 			{
@@ -1196,7 +1204,7 @@ void PIXCfgParser::name_entry() {
 			consumeUntil(NEWLINE);
 			}
 			
-#line 1200 "PIXCfgParser.cpp"
+#line 1208 "PIXCfgParser.cpp"
 		}
 	}
 	catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
@@ -1210,7 +1218,6 @@ void PIXCfgParser::name_entry() {
 }
 
 void PIXCfgParser::named_object_network() {
-	Tracer traceInOut(this, "named_object_network");
 	ANTLR_USE_NAMESPACE(antlr)RefToken  name = ANTLR_USE_NAMESPACE(antlr)nullToken;
 	
 	try {      // for error handling
@@ -1220,7 +1227,7 @@ void PIXCfgParser::named_object_network() {
 		match(WORD);
 		match(NEWLINE);
 		if ( inputState->guessing==0 ) {
-#line 250 "pix.g"
+#line 252 "pix.g"
 			
 			importer->clear();
 			importer->setCurrentLineNumber(LT(0)->getLine());
@@ -1228,7 +1235,7 @@ void PIXCfgParser::named_object_network() {
 			*dbg << name->getLine() << ":"
 			<< " Named Object " << name->getText() << std::endl;
 			
-#line 1232 "PIXCfgParser.cpp"
+#line 1239 "PIXCfgParser.cpp"
 		}
 		{ // ( ... )*
 		for (;;) {
@@ -1268,7 +1275,6 @@ void PIXCfgParser::named_object_network() {
 }
 
 void PIXCfgParser::named_object_service() {
-	Tracer traceInOut(this, "named_object_service");
 	ANTLR_USE_NAMESPACE(antlr)RefToken  name = ANTLR_USE_NAMESPACE(antlr)nullToken;
 	
 	try {      // for error handling
@@ -1278,7 +1284,7 @@ void PIXCfgParser::named_object_service() {
 		match(WORD);
 		match(NEWLINE);
 		if ( inputState->guessing==0 ) {
-#line 354 "pix.g"
+#line 359 "pix.g"
 			
 			importer->clear();
 			importer->setCurrentLineNumber(LT(0)->getLine());
@@ -1286,7 +1292,7 @@ void PIXCfgParser::named_object_service() {
 			*dbg << name->getLine() << ":"
 			<< " Named Object " << name->getText() << std::endl;
 			
-#line 1290 "PIXCfgParser.cpp"
+#line 1296 "PIXCfgParser.cpp"
 		}
 		{ // ( ... )*
 		for (;;) {
@@ -1312,7 +1318,6 @@ void PIXCfgParser::named_object_service() {
 }
 
 void PIXCfgParser::object_group_network() {
-	Tracer traceInOut(this, "object_group_network");
 	ANTLR_USE_NAMESPACE(antlr)RefToken  name = ANTLR_USE_NAMESPACE(antlr)nullToken;
 	
 	try {      // for error handling
@@ -1322,7 +1327,7 @@ void PIXCfgParser::object_group_network() {
 		match(WORD);
 		match(NEWLINE);
 		if ( inputState->guessing==0 ) {
-#line 470 "pix.g"
+#line 475 "pix.g"
 			
 			importer->clear();
 			importer->setCurrentLineNumber(LT(0)->getLine());
@@ -1330,7 +1335,7 @@ void PIXCfgParser::object_group_network() {
 			*dbg << name->getLine() << ":"
 			<< " Object Group " << name->getText() << std::endl;
 			
-#line 1334 "PIXCfgParser.cpp"
+#line 1339 "PIXCfgParser.cpp"
 		}
 		{ // ( ... )*
 		for (;;) {
@@ -1356,7 +1361,6 @@ void PIXCfgParser::object_group_network() {
 }
 
 void PIXCfgParser::object_group_service() {
-	Tracer traceInOut(this, "object_group_service");
 	ANTLR_USE_NAMESPACE(antlr)RefToken  name = ANTLR_USE_NAMESPACE(antlr)nullToken;
 	ANTLR_USE_NAMESPACE(antlr)RefToken  tcp = ANTLR_USE_NAMESPACE(antlr)nullToken;
 	ANTLR_USE_NAMESPACE(antlr)RefToken  udp = ANTLR_USE_NAMESPACE(antlr)nullToken;
@@ -1399,7 +1403,7 @@ void PIXCfgParser::object_group_service() {
 		}
 		match(NEWLINE);
 		if ( inputState->guessing==0 ) {
-#line 692 "pix.g"
+#line 697 "pix.g"
 			
 			importer->clear();
 			importer->setCurrentLineNumber(LT(0)->getLine());
@@ -1410,7 +1414,7 @@ void PIXCfgParser::object_group_service() {
 			*dbg << name->getLine() << ":"
 			<< " Object Group " << name->getText() << std::endl;
 			
-#line 1414 "PIXCfgParser.cpp"
+#line 1418 "PIXCfgParser.cpp"
 		}
 		{ // ( ... )*
 		for (;;) {
@@ -1436,7 +1440,6 @@ void PIXCfgParser::object_group_service() {
 }
 
 void PIXCfgParser::object_group_protocol() {
-	Tracer traceInOut(this, "object_group_protocol");
 	ANTLR_USE_NAMESPACE(antlr)RefToken  name = ANTLR_USE_NAMESPACE(antlr)nullToken;
 	
 	try {      // for error handling
@@ -1446,7 +1449,7 @@ void PIXCfgParser::object_group_protocol() {
 		match(WORD);
 		match(NEWLINE);
 		if ( inputState->guessing==0 ) {
-#line 568 "pix.g"
+#line 573 "pix.g"
 			
 			importer->clear();
 			importer->setCurrentLineNumber(LT(0)->getLine());
@@ -1454,7 +1457,7 @@ void PIXCfgParser::object_group_protocol() {
 			*dbg << name->getLine() << ":"
 			<< " Object Group " << name->getText() << std::endl;
 			
-#line 1458 "PIXCfgParser.cpp"
+#line 1461 "PIXCfgParser.cpp"
 		}
 		{ // ( ... )+
 		int _cnt61=0;
@@ -1482,7 +1485,6 @@ void PIXCfgParser::object_group_protocol() {
 }
 
 void PIXCfgParser::object_group_icmp_8_0() {
-	Tracer traceInOut(this, "object_group_icmp_8_0");
 	ANTLR_USE_NAMESPACE(antlr)RefToken  name = ANTLR_USE_NAMESPACE(antlr)nullToken;
 	
 	try {      // for error handling
@@ -1492,7 +1494,7 @@ void PIXCfgParser::object_group_icmp_8_0() {
 		match(WORD);
 		match(NEWLINE);
 		if ( inputState->guessing==0 ) {
-#line 623 "pix.g"
+#line 628 "pix.g"
 			
 			importer->clear();
 			importer->setCurrentLineNumber(LT(0)->getLine());
@@ -1500,7 +1502,7 @@ void PIXCfgParser::object_group_icmp_8_0() {
 			*dbg << name->getLine() << ":"
 			<< " Object Group " << name->getText() << std::endl;
 			
-#line 1504 "PIXCfgParser.cpp"
+#line 1506 "PIXCfgParser.cpp"
 		}
 		{ // ( ... )*
 		for (;;) {
@@ -1526,7 +1528,6 @@ void PIXCfgParser::object_group_icmp_8_0() {
 }
 
 void PIXCfgParser::object_group_icmp_8_3() {
-	Tracer traceInOut(this, "object_group_icmp_8_3");
 	ANTLR_USE_NAMESPACE(antlr)RefToken  name = ANTLR_USE_NAMESPACE(antlr)nullToken;
 	
 	try {      // for error handling
@@ -1536,7 +1537,7 @@ void PIXCfgParser::object_group_icmp_8_3() {
 		match(WORD);
 		match(NEWLINE);
 		if ( inputState->guessing==0 ) {
-#line 636 "pix.g"
+#line 641 "pix.g"
 			
 			importer->clear();
 			importer->setCurrentLineNumber(LT(0)->getLine());
@@ -1544,7 +1545,7 @@ void PIXCfgParser::object_group_icmp_8_3() {
 			*dbg << name->getLine() << ":"
 			<< " Object Group " << name->getText() << std::endl;
 			
-#line 1548 "PIXCfgParser.cpp"
+#line 1549 "PIXCfgParser.cpp"
 		}
 		{ // ( ... )*
 		for (;;) {
@@ -1570,12 +1571,11 @@ void PIXCfgParser::object_group_icmp_8_3() {
 }
 
 void PIXCfgParser::crypto() {
-	Tracer traceInOut(this, "crypto");
 	
 	try {      // for error handling
 		match(CRYPTO);
 		if ( inputState->guessing==0 ) {
-#line 786 "pix.g"
+#line 791 "pix.g"
 			
 			consumeUntil(NEWLINE);
 			
@@ -1593,18 +1593,17 @@ void PIXCfgParser::crypto() {
 }
 
 void PIXCfgParser::no_commands() {
-	Tracer traceInOut(this, "no_commands");
 	
 	try {      // for error handling
 		match(NO);
 		if ( inputState->guessing==0 ) {
-#line 807 "pix.g"
+#line 819 "pix.g"
 			
 			*dbg << " TOP LEVEL \"NO\" COMMAND: "
 			<< LT(0)->getText() << std::endl;
 			consumeUntil(NEWLINE);
 			
-#line 1608 "PIXCfgParser.cpp"
+#line 1607 "PIXCfgParser.cpp"
 		}
 	}
 	catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
@@ -1618,16 +1617,37 @@ void PIXCfgParser::no_commands() {
 }
 
 void PIXCfgParser::timeout_command() {
-	Tracer traceInOut(this, "timeout_command");
 	
 	try {      // for error handling
 		match(TIMEOUT);
 		if ( inputState->guessing==0 ) {
-#line 200 "pix.g"
+#line 202 "pix.g"
 			
 			consumeUntil(NEWLINE);
 			
-#line 1631 "PIXCfgParser.cpp"
+#line 1629 "PIXCfgParser.cpp"
+		}
+	}
+	catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
+		if( inputState->guessing == 0 ) {
+			reportError(ex);
+			recover(ex,_tokenSet_1);
+		} else {
+			throw;
+		}
+	}
+}
+
+void PIXCfgParser::dns_command() {
+	
+	try {      // for error handling
+		match(DNS);
+		if ( inputState->guessing==0 ) {
+#line 812 "pix.g"
+			
+			consumeUntil(NEWLINE);
+			
+#line 1651 "PIXCfgParser.cpp"
 		}
 	}
 	catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
@@ -1641,16 +1661,15 @@ void PIXCfgParser::timeout_command() {
 }
 
 void PIXCfgParser::unknown_command() {
-	Tracer traceInOut(this, "unknown_command");
 	
 	try {      // for error handling
 		match(WORD);
 		if ( inputState->guessing==0 ) {
-#line 800 "pix.g"
+#line 805 "pix.g"
 			
 			consumeUntil(NEWLINE);
 			
-#line 1654 "PIXCfgParser.cpp"
+#line 1673 "PIXCfgParser.cpp"
 		}
 	}
 	catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
@@ -1664,7 +1683,6 @@ void PIXCfgParser::unknown_command() {
 }
 
 void PIXCfgParser::ip_protocol_names() {
-	Tracer traceInOut(this, "ip_protocol_names");
 	
 	try {      // for error handling
 		{
@@ -1762,14 +1780,13 @@ void PIXCfgParser::ip_protocol_names() {
 }
 
 void PIXCfgParser::named_object_nat() {
-	Tracer traceInOut(this, "named_object_nat");
 	
 	try {      // for error handling
 		match(NAT);
 		match(OPENING_PAREN);
 		interface_label();
 		if ( inputState->guessing==0 ) {
-#line 278 "pix.g"
+#line 280 "pix.g"
 			
 			importer->addMessageToLog(
 			"Parser warning: "
@@ -1777,7 +1794,7 @@ void PIXCfgParser::named_object_nat() {
 			"is not supported at this time");
 			consumeUntil(NEWLINE);
 			
-#line 1781 "PIXCfgParser.cpp"
+#line 1798 "PIXCfgParser.cpp"
 		}
 	}
 	catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
@@ -1791,12 +1808,11 @@ void PIXCfgParser::named_object_nat() {
 }
 
 void PIXCfgParser::named_object_description() {
-	Tracer traceInOut(this, "named_object_description");
 	
 	try {      // for error handling
 		match(DESCRIPTION);
 		if ( inputState->guessing==0 ) {
-#line 288 "pix.g"
+#line 290 "pix.g"
 			
 			importer->setCurrentLineNumber(LT(0)->getLine());
 			*dbg << LT(1)->getLine() << ":";
@@ -1809,7 +1825,7 @@ void PIXCfgParser::named_object_description() {
 			importer->setNamedObjectDescription(descr);
 			*dbg << " DESCRIPTION " << descr << std::endl;
 			
-#line 1813 "PIXCfgParser.cpp"
+#line 1829 "PIXCfgParser.cpp"
 		}
 	}
 	catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
@@ -1823,7 +1839,6 @@ void PIXCfgParser::named_object_description() {
 }
 
 void PIXCfgParser::named_object_network_parameters() {
-	Tracer traceInOut(this, "named_object_network_parameters");
 	
 	try {      // for error handling
 		{
@@ -1862,54 +1877,10 @@ void PIXCfgParser::named_object_network_parameters() {
 }
 
 void PIXCfgParser::host_addr() {
-	Tracer traceInOut(this, "host_addr");
-	ANTLR_USE_NAMESPACE(antlr)RefToken  h = ANTLR_USE_NAMESPACE(antlr)nullToken;
-	ANTLR_USE_NAMESPACE(antlr)RefToken  v6 = ANTLR_USE_NAMESPACE(antlr)nullToken;
 	
 	try {      // for error handling
-		{
 		match(HOST);
-		{
-		switch ( LA(1)) {
-		case IPV4:
-		{
-			h = LT(1);
-			match(IPV4);
-			break;
-		}
-		case IPV6:
-		{
-			v6 = LT(1);
-			match(IPV6);
-			break;
-		}
-		default:
-		{
-			throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename());
-		}
-		}
-		}
-		}
-		if ( inputState->guessing==0 ) {
-#line 303 "pix.g"
-			
-			importer->setCurrentLineNumber(LT(0)->getLine());
-			if (h)
-			{
-			importer->tmp_a = h->getText();
-			importer->tmp_nm = "255.255.255.255";
-			importer->commitNamedAddressObject();
-			*dbg << h->getText() << "/255.255.255.255";
-			}
-			if (v6)
-			{
-			importer->addMessageToLog(
-			"Parser warning: IPv6 import is not supported. ");
-			consumeUntil(NEWLINE);
-			}
-			
-#line 1912 "PIXCfgParser.cpp"
-		}
+		single_addr();
 	}
 	catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
 		if( inputState->guessing == 0 ) {
@@ -1922,7 +1893,6 @@ void PIXCfgParser::host_addr() {
 }
 
 void PIXCfgParser::range_addr() {
-	Tracer traceInOut(this, "range_addr");
 	ANTLR_USE_NAMESPACE(antlr)RefToken  r1 = ANTLR_USE_NAMESPACE(antlr)nullToken;
 	ANTLR_USE_NAMESPACE(antlr)RefToken  r2 = ANTLR_USE_NAMESPACE(antlr)nullToken;
 	
@@ -1935,7 +1905,7 @@ void PIXCfgParser::range_addr() {
 		match(IPV4);
 		}
 		if ( inputState->guessing==0 ) {
-#line 322 "pix.g"
+#line 327 "pix.g"
 			
 			importer->setCurrentLineNumber(LT(0)->getLine());
 			importer->tmp_range_1 = r1->getText();
@@ -1943,7 +1913,7 @@ void PIXCfgParser::range_addr() {
 			importer->commitNamedAddressRangeObject();
 			*dbg << r1->getText() << "/" << r2->getText();
 			
-#line 1947 "PIXCfgParser.cpp"
+#line 1917 "PIXCfgParser.cpp"
 		}
 	}
 	catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
@@ -1957,7 +1927,6 @@ void PIXCfgParser::range_addr() {
 }
 
 void PIXCfgParser::subnet_addr() {
-	Tracer traceInOut(this, "subnet_addr");
 	ANTLR_USE_NAMESPACE(antlr)RefToken  a = ANTLR_USE_NAMESPACE(antlr)nullToken;
 	ANTLR_USE_NAMESPACE(antlr)RefToken  nm = ANTLR_USE_NAMESPACE(antlr)nullToken;
 	ANTLR_USE_NAMESPACE(antlr)RefToken  v6 = ANTLR_USE_NAMESPACE(antlr)nullToken;
@@ -1991,7 +1960,7 @@ void PIXCfgParser::subnet_addr() {
 		}
 		}
 		if ( inputState->guessing==0 ) {
-#line 332 "pix.g"
+#line 337 "pix.g"
 			
 			importer->setCurrentLineNumber(LT(0)->getLine());
 			if (a)
@@ -2008,7 +1977,7 @@ void PIXCfgParser::subnet_addr() {
 			consumeUntil(NEWLINE);
 			}
 			
-#line 2012 "PIXCfgParser.cpp"
+#line 1981 "PIXCfgParser.cpp"
 		}
 	}
 	catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
@@ -2022,7 +1991,6 @@ void PIXCfgParser::subnet_addr() {
 }
 
 void PIXCfgParser::interface_label() {
-	Tracer traceInOut(this, "interface_label");
 	
 	try {      // for error handling
 		switch ( LA(1)) {
@@ -2052,8 +2020,63 @@ void PIXCfgParser::interface_label() {
 	}
 }
 
+void PIXCfgParser::single_addr() {
+	ANTLR_USE_NAMESPACE(antlr)RefToken  h = ANTLR_USE_NAMESPACE(antlr)nullToken;
+	ANTLR_USE_NAMESPACE(antlr)RefToken  v6 = ANTLR_USE_NAMESPACE(antlr)nullToken;
+	
+	try {      // for error handling
+		{
+		switch ( LA(1)) {
+		case IPV4:
+		{
+			h = LT(1);
+			match(IPV4);
+			break;
+		}
+		case IPV6:
+		{
+			v6 = LT(1);
+			match(IPV6);
+			break;
+		}
+		default:
+		{
+			throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename());
+		}
+		}
+		}
+		if ( inputState->guessing==0 ) {
+#line 308 "pix.g"
+			
+			importer->setCurrentLineNumber(LT(0)->getLine());
+			if (h)
+			{
+			importer->tmp_a = h->getText();
+			importer->tmp_nm = "255.255.255.255";
+			importer->commitNamedAddressObject();
+			*dbg << h->getText() << "/255.255.255.255";
+			}
+			if (v6)
+			{
+			importer->addMessageToLog(
+			"Parser warning: IPv6 import is not supported. ");
+			consumeUntil(NEWLINE);
+			}
+			
+#line 2067 "PIXCfgParser.cpp"
+		}
+	}
+	catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
+		if( inputState->guessing == 0 ) {
+			reportError(ex);
+			recover(ex,_tokenSet_11);
+		} else {
+			throw;
+		}
+	}
+}
+
 void PIXCfgParser::named_object_service_parameters() {
-	Tracer traceInOut(this, "named_object_service_parameters");
 	
 	try {      // for error handling
 		{
@@ -2066,7 +2089,7 @@ void PIXCfgParser::named_object_service_parameters() {
 		else if ((LA(1) == SERVICE) && (LA(2) == TCP || LA(2) == UDP)) {
 			service_tcp_udp();
 		}
-		else if ((LA(1) == SERVICE) && (_tokenSet_11.member(LA(2)))) {
+		else if ((LA(1) == SERVICE) && (_tokenSet_12.member(LA(2)))) {
 			service_other();
 		}
 		else if ((LA(1) == SERVICE) && (LA(2) == WORD)) {
@@ -2085,7 +2108,7 @@ void PIXCfgParser::named_object_service_parameters() {
 	catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
 		if( inputState->guessing == 0 ) {
 			reportError(ex);
-			recover(ex,_tokenSet_12);
+			recover(ex,_tokenSet_13);
 		} else {
 			throw;
 		}
@@ -2093,7 +2116,6 @@ void PIXCfgParser::named_object_service_parameters() {
 }
 
 void PIXCfgParser::service_icmp() {
-	Tracer traceInOut(this, "service_icmp");
 	ANTLR_USE_NAMESPACE(antlr)RefToken  icmp_type = ANTLR_USE_NAMESPACE(antlr)nullToken;
 	
 	try {      // for error handling
@@ -2106,11 +2128,11 @@ void PIXCfgParser::service_icmp() {
 			icmp_type = LT(1);
 			match(INT_CONST);
 			if ( inputState->guessing==0 ) {
-#line 386 "pix.g"
+#line 391 "pix.g"
 				
 				importer->icmp_type = LT(0)->getText();
 				
-#line 2114 "PIXCfgParser.cpp"
+#line 2136 "PIXCfgParser.cpp"
 			}
 			break;
 		}
@@ -2136,11 +2158,11 @@ void PIXCfgParser::service_icmp() {
 		{
 			icmp_names();
 			if ( inputState->guessing==0 ) {
-#line 391 "pix.g"
+#line 396 "pix.g"
 				
 				importer->icmp_spec = LT(0)->getText();
 				
-#line 2144 "PIXCfgParser.cpp"
+#line 2166 "PIXCfgParser.cpp"
 			}
 			break;
 		}
@@ -2151,13 +2173,13 @@ void PIXCfgParser::service_icmp() {
 		}
 		}
 		if ( inputState->guessing==0 ) {
-#line 395 "pix.g"
+#line 400 "pix.g"
 			
 			importer->setCurrentLineNumber(LT(0)->getLine());
 			importer->commitNamedICMPServiceObject();
 			*dbg << "NAMED OBJECT SERVICE ICMP " << LT(0)->getText() << " ";
 			
-#line 2161 "PIXCfgParser.cpp"
+#line 2183 "PIXCfgParser.cpp"
 		}
 	}
 	catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
@@ -2171,7 +2193,6 @@ void PIXCfgParser::service_icmp() {
 }
 
 void PIXCfgParser::service_icmp6() {
-	Tracer traceInOut(this, "service_icmp6");
 	
 	try {      // for error handling
 		match(SERVICE);
@@ -2195,7 +2216,7 @@ void PIXCfgParser::service_icmp6() {
 		}
 		}
 		if ( inputState->guessing==0 ) {
-#line 403 "pix.g"
+#line 408 "pix.g"
 			
 			importer->setCurrentLineNumber(LT(0)->getLine());
 			importer->addMessageToLog("Parser warning: "
@@ -2204,7 +2225,7 @@ void PIXCfgParser::service_icmp6() {
 			*dbg << "NAMED OBJECT SERVICE ICMP6 " << LT(0)->getText() << " ";
 			consumeUntil(NEWLINE);
 			
-#line 2208 "PIXCfgParser.cpp"
+#line 2229 "PIXCfgParser.cpp"
 		}
 	}
 	catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
@@ -2218,7 +2239,6 @@ void PIXCfgParser::service_icmp6() {
 }
 
 void PIXCfgParser::service_tcp_udp() {
-	Tracer traceInOut(this, "service_tcp_udp");
 	
 	try {      // for error handling
 		match(SERVICE);
@@ -2241,12 +2261,12 @@ void PIXCfgParser::service_tcp_udp() {
 		}
 		}
 		if ( inputState->guessing==0 ) {
-#line 414 "pix.g"
+#line 419 "pix.g"
 			
 			importer->protocol = LT(0)->getText();
 			*dbg << "NAMED OBJECT SERVICE " << LT(0)->getText() << " ";
 			
-#line 2250 "PIXCfgParser.cpp"
+#line 2270 "PIXCfgParser.cpp"
 		}
 		{
 		switch ( LA(1)) {
@@ -2294,12 +2314,12 @@ void PIXCfgParser::service_tcp_udp() {
 		}
 		}
 		if ( inputState->guessing==0 ) {
-#line 420 "pix.g"
+#line 425 "pix.g"
 			
 			importer->setCurrentLineNumber(LT(0)->getLine());
 			importer->commitNamedTCPUDPServiceObject();
 			
-#line 2303 "PIXCfgParser.cpp"
+#line 2323 "PIXCfgParser.cpp"
 		}
 	}
 	catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
@@ -2313,7 +2333,6 @@ void PIXCfgParser::service_tcp_udp() {
 }
 
 void PIXCfgParser::service_other() {
-	Tracer traceInOut(this, "service_other");
 	
 	try {      // for error handling
 		match(SERVICE);
@@ -2350,14 +2369,14 @@ void PIXCfgParser::service_other() {
 		}
 		}
 		if ( inputState->guessing==0 ) {
-#line 439 "pix.g"
+#line 444 "pix.g"
 			
 			importer->setCurrentLineNumber(LT(0)->getLine());
 			importer->protocol = LT(0)->getText();
 			importer->commitNamedIPServiceObject();
 			*dbg << "NAMED OBJECT SERVICE " << LT(0)->getText() << " ";
 			
-#line 2361 "PIXCfgParser.cpp"
+#line 2380 "PIXCfgParser.cpp"
 		}
 	}
 	catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
@@ -2371,13 +2390,12 @@ void PIXCfgParser::service_other() {
 }
 
 void PIXCfgParser::service_unknown() {
-	Tracer traceInOut(this, "service_unknown");
 	
 	try {      // for error handling
 		match(SERVICE);
 		match(WORD);
 		if ( inputState->guessing==0 ) {
-#line 454 "pix.g"
+#line 459 "pix.g"
 			
 			importer->setCurrentLineNumber(LT(0)->getLine());
 			importer->protocol = "ip";
@@ -2388,7 +2406,7 @@ void PIXCfgParser::service_unknown() {
 			importer->addMessageToLog(err);
 			*dbg << "UNKNOWN SERVICE " << LT(0)->getText() << " ";
 			
-#line 2392 "PIXCfgParser.cpp"
+#line 2410 "PIXCfgParser.cpp"
 		}
 	}
 	catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
@@ -2402,7 +2420,6 @@ void PIXCfgParser::service_unknown() {
 }
 
 void PIXCfgParser::icmp_names() {
-	Tracer traceInOut(this, "icmp_names");
 	
 	try {      // for error handling
 		{
@@ -2509,30 +2526,6 @@ void PIXCfgParser::icmp_names() {
 		}
 		}
 	}
-	catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
-		if( inputState->guessing == 0 ) {
-			reportError(ex);
-			recover(ex,_tokenSet_13);
-		} else {
-			throw;
-		}
-	}
-}
-
-void PIXCfgParser::src_port_spec() {
-	Tracer traceInOut(this, "src_port_spec");
-	
-	try {      // for error handling
-		match(SOURCE);
-		xoperator();
-		if ( inputState->guessing==0 ) {
-#line 427 "pix.g"
-			
-			importer->SaveTmpPortToSrc();
-			
-#line 2534 "PIXCfgParser.cpp"
-		}
-	}
 	catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
 		if( inputState->guessing == 0 ) {
 			reportError(ex);
@@ -2543,8 +2536,30 @@ void PIXCfgParser::src_port_spec() {
 	}
 }
 
+void PIXCfgParser::src_port_spec() {
+	
+	try {      // for error handling
+		match(SOURCE);
+		xoperator();
+		if ( inputState->guessing==0 ) {
+#line 432 "pix.g"
+			
+			importer->SaveTmpPortToSrc();
+			
+#line 2550 "PIXCfgParser.cpp"
+		}
+	}
+	catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
+		if( inputState->guessing == 0 ) {
+			reportError(ex);
+			recover(ex,_tokenSet_15);
+		} else {
+			throw;
+		}
+	}
+}
+
 void PIXCfgParser::dst_port_spec() {
-	Tracer traceInOut(this, "dst_port_spec");
 	
 	try {      // for error handling
 		{
@@ -2570,11 +2585,11 @@ void PIXCfgParser::dst_port_spec() {
 		}
 		xoperator();
 		if ( inputState->guessing==0 ) {
-#line 433 "pix.g"
+#line 438 "pix.g"
 			
 			importer->SaveTmpPortToDst();
 			
-#line 2578 "PIXCfgParser.cpp"
+#line 2593 "PIXCfgParser.cpp"
 		}
 	}
 	catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
@@ -2588,7 +2603,6 @@ void PIXCfgParser::dst_port_spec() {
 }
 
 void PIXCfgParser::xoperator() {
-	Tracer traceInOut(this, "xoperator");
 	
 	try {      // for error handling
 		switch ( LA(1)) {
@@ -2614,7 +2628,7 @@ void PIXCfgParser::xoperator() {
 	catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
 		if( inputState->guessing == 0 ) {
 			reportError(ex);
-			recover(ex,_tokenSet_15);
+			recover(ex,_tokenSet_16);
 		} else {
 			throw;
 		}
@@ -2622,7 +2636,6 @@ void PIXCfgParser::xoperator() {
 }
 
 void PIXCfgParser::object_group_network_parameters() {
-	Tracer traceInOut(this, "object_group_network_parameters");
 	
 	try {      // for error handling
 		{
@@ -2653,7 +2666,7 @@ void PIXCfgParser::object_group_network_parameters() {
 	catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
 		if( inputState->guessing == 0 ) {
 			reportError(ex);
-			recover(ex,_tokenSet_16);
+			recover(ex,_tokenSet_17);
 		} else {
 			throw;
 		}
@@ -2661,12 +2674,11 @@ void PIXCfgParser::object_group_network_parameters() {
 }
 
 void PIXCfgParser::object_group_description() {
-	Tracer traceInOut(this, "object_group_description");
 	
 	try {      // for error handling
 		match(DESCRIPTION);
 		if ( inputState->guessing==0 ) {
-#line 494 "pix.g"
+#line 499 "pix.g"
 			
 			importer->setCurrentLineNumber(LT(0)->getLine());
 			*dbg << LT(1)->getLine() << ":";
@@ -2679,7 +2691,7 @@ void PIXCfgParser::object_group_description() {
 			importer->setObjectGroupDescription(descr);
 			*dbg << " DESCRIPTION " << descr << std::endl;
 			
-#line 2683 "PIXCfgParser.cpp"
+#line 2695 "PIXCfgParser.cpp"
 		}
 	}
 	catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
@@ -2693,7 +2705,6 @@ void PIXCfgParser::object_group_description() {
 }
 
 void PIXCfgParser::group_object() {
-	Tracer traceInOut(this, "group_object");
 	ANTLR_USE_NAMESPACE(antlr)RefToken  name = ANTLR_USE_NAMESPACE(antlr)nullToken;
 	
 	try {      // for error handling
@@ -2701,14 +2712,14 @@ void PIXCfgParser::group_object() {
 		name = LT(1);
 		match(WORD);
 		if ( inputState->guessing==0 ) {
-#line 509 "pix.g"
+#line 514 "pix.g"
 			
 			importer->clearTempVars();
 			importer->setCurrentLineNumber(LT(0)->getLine());
 			importer->addNamedObjectToObjectGroup(name->getText());
 			*dbg << " GROUP MEMBER " << name->getLine() << std::endl;
 			
-#line 2712 "PIXCfgParser.cpp"
+#line 2723 "PIXCfgParser.cpp"
 		}
 	}
 	catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
@@ -2722,7 +2733,6 @@ void PIXCfgParser::group_object() {
 }
 
 void PIXCfgParser::network_object() {
-	Tracer traceInOut(this, "network_object");
 	ANTLR_USE_NAMESPACE(antlr)RefToken  a = ANTLR_USE_NAMESPACE(antlr)nullToken;
 	ANTLR_USE_NAMESPACE(antlr)RefToken  nm = ANTLR_USE_NAMESPACE(antlr)nullToken;
 	ANTLR_USE_NAMESPACE(antlr)RefToken  v6 = ANTLR_USE_NAMESPACE(antlr)nullToken;
@@ -2733,12 +2743,12 @@ void PIXCfgParser::network_object() {
 	try {      // for error handling
 		match(NETWORK_OBJECT);
 		if ( inputState->guessing==0 ) {
-#line 518 "pix.g"
+#line 523 "pix.g"
 			
 			importer->clearTempVars();
 			importer->setCurrentLineNumber(LT(0)->getLine());
 			
-#line 2742 "PIXCfgParser.cpp"
+#line 2752 "PIXCfgParser.cpp"
 		}
 		{
 		switch ( LA(1)) {
@@ -2770,7 +2780,7 @@ void PIXCfgParser::network_object() {
 			}
 			}
 			if ( inputState->guessing==0 ) {
-#line 524 "pix.g"
+#line 529 "pix.g"
 				
 				if (a)
 				{
@@ -2786,7 +2796,7 @@ void PIXCfgParser::network_object() {
 				consumeUntil(NEWLINE);
 				}
 				
-#line 2790 "PIXCfgParser.cpp"
+#line 2800 "PIXCfgParser.cpp"
 			}
 			break;
 		}
@@ -2814,7 +2824,7 @@ void PIXCfgParser::network_object() {
 			}
 			}
 			if ( inputState->guessing==0 ) {
-#line 541 "pix.g"
+#line 546 "pix.g"
 				
 				if (h)
 				{
@@ -2830,7 +2840,7 @@ void PIXCfgParser::network_object() {
 				consumeUntil(NEWLINE);
 				}
 				
-#line 2834 "PIXCfgParser.cpp"
+#line 2844 "PIXCfgParser.cpp"
 			}
 			break;
 		}
@@ -2840,12 +2850,12 @@ void PIXCfgParser::network_object() {
 			name = LT(1);
 			match(WORD);
 			if ( inputState->guessing==0 ) {
-#line 558 "pix.g"
+#line 563 "pix.g"
 				
 				importer->addNamedObjectToObjectGroup(name->getText());
 				*dbg << " GROUP MEMBER " << name->getLine() << std::endl;
 				
-#line 2849 "PIXCfgParser.cpp"
+#line 2859 "PIXCfgParser.cpp"
 			}
 			break;
 		}
@@ -2867,7 +2877,6 @@ void PIXCfgParser::network_object() {
 }
 
 void PIXCfgParser::object_group_protocol_parameters() {
-	Tracer traceInOut(this, "object_group_protocol_parameters");
 	
 	try {      // for error handling
 		{
@@ -2898,7 +2907,7 @@ void PIXCfgParser::object_group_protocol_parameters() {
 	catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
 		if( inputState->guessing == 0 ) {
 			reportError(ex);
-			recover(ex,_tokenSet_17);
+			recover(ex,_tokenSet_18);
 		} else {
 			throw;
 		}
@@ -2906,18 +2915,17 @@ void PIXCfgParser::object_group_protocol_parameters() {
 }
 
 void PIXCfgParser::protocol_object() {
-	Tracer traceInOut(this, "protocol_object");
 	ANTLR_USE_NAMESPACE(antlr)RefToken  name = ANTLR_USE_NAMESPACE(antlr)nullToken;
 	
 	try {      // for error handling
 		match(PROTOCOL_OBJECT);
 		if ( inputState->guessing==0 ) {
-#line 592 "pix.g"
+#line 597 "pix.g"
 			
 			importer->clearTempVars();
 			importer->setCurrentLineNumber(LT(0)->getLine());
 			
-#line 2921 "PIXCfgParser.cpp"
+#line 2929 "PIXCfgParser.cpp"
 		}
 		{
 		switch ( LA(1)) {
@@ -2989,14 +2997,14 @@ void PIXCfgParser::protocol_object() {
 			}
 			}
 			if ( inputState->guessing==0 ) {
-#line 598 "pix.g"
+#line 603 "pix.g"
 				
 				importer->setCurrentLineNumber(LT(0)->getLine());
 				importer->protocol = LT(0)->getText();
 				importer->addIPServiceToObjectGroup();
 				*dbg << " GROUP MEMBER " << LT(0)->getText() << " ";
 				
-#line 3000 "PIXCfgParser.cpp"
+#line 3008 "PIXCfgParser.cpp"
 			}
 			break;
 		}
@@ -3004,13 +3012,13 @@ void PIXCfgParser::protocol_object() {
 		{
 			match(ICMP6);
 			if ( inputState->guessing==0 ) {
-#line 606 "pix.g"
+#line 611 "pix.g"
 				
 				importer->addMessageToLog(
 				"Parser warning: IPv6 import is not supported. ");
 				consumeUntil(NEWLINE);
 				
-#line 3014 "PIXCfgParser.cpp"
+#line 3022 "PIXCfgParser.cpp"
 			}
 			break;
 		}
@@ -3020,12 +3028,12 @@ void PIXCfgParser::protocol_object() {
 			name = LT(1);
 			match(WORD);
 			if ( inputState->guessing==0 ) {
-#line 613 "pix.g"
+#line 618 "pix.g"
 				
 				importer->addNamedObjectToObjectGroup(name->getText());
 				*dbg << " GROUP MEMBER " << name->getLine() << std::endl;
 				
-#line 3029 "PIXCfgParser.cpp"
+#line 3037 "PIXCfgParser.cpp"
 			}
 			break;
 		}
@@ -3047,7 +3055,6 @@ void PIXCfgParser::protocol_object() {
 }
 
 void PIXCfgParser::object_group_icmp_parameters() {
-	Tracer traceInOut(this, "object_group_icmp_parameters");
 	
 	try {      // for error handling
 		{
@@ -3078,7 +3085,7 @@ void PIXCfgParser::object_group_icmp_parameters() {
 	catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
 		if( inputState->guessing == 0 ) {
 			reportError(ex);
-			recover(ex,_tokenSet_18);
+			recover(ex,_tokenSet_19);
 		} else {
 			throw;
 		}
@@ -3086,19 +3093,18 @@ void PIXCfgParser::object_group_icmp_parameters() {
 }
 
 void PIXCfgParser::icmp_object() {
-	Tracer traceInOut(this, "icmp_object");
 	ANTLR_USE_NAMESPACE(antlr)RefToken  icmp_type = ANTLR_USE_NAMESPACE(antlr)nullToken;
 	ANTLR_USE_NAMESPACE(antlr)RefToken  name = ANTLR_USE_NAMESPACE(antlr)nullToken;
 	
 	try {      // for error handling
 		match(ICMP_OBJECT);
 		if ( inputState->guessing==0 ) {
-#line 660 "pix.g"
+#line 665 "pix.g"
 			
 			importer->clearTempVars();
 			importer->setCurrentLineNumber(LT(0)->getLine());
 			
-#line 3102 "PIXCfgParser.cpp"
+#line 3108 "PIXCfgParser.cpp"
 		}
 		{
 		switch ( LA(1)) {
@@ -3130,11 +3136,11 @@ void PIXCfgParser::icmp_object() {
 				icmp_type = LT(1);
 				match(INT_CONST);
 				if ( inputState->guessing==0 ) {
-#line 667 "pix.g"
+#line 672 "pix.g"
 					
 					importer->icmp_type = LT(0)->getText();
 					
-#line 3138 "PIXCfgParser.cpp"
+#line 3144 "PIXCfgParser.cpp"
 				}
 				break;
 			}
@@ -3160,11 +3166,11 @@ void PIXCfgParser::icmp_object() {
 			{
 				icmp_names();
 				if ( inputState->guessing==0 ) {
-#line 672 "pix.g"
+#line 677 "pix.g"
 					
 					importer->icmp_spec = LT(0)->getText();
 					
-#line 3168 "PIXCfgParser.cpp"
+#line 3174 "PIXCfgParser.cpp"
 				}
 				break;
 			}
@@ -3175,12 +3181,12 @@ void PIXCfgParser::icmp_object() {
 			}
 			}
 			if ( inputState->guessing==0 ) {
-#line 676 "pix.g"
+#line 681 "pix.g"
 				
 				importer->addICMPServiceToObjectGroup();
 				*dbg << " SERVICE ICMP " << LT(0)->getText() << " ";
 				
-#line 3184 "PIXCfgParser.cpp"
+#line 3190 "PIXCfgParser.cpp"
 			}
 			break;
 		}
@@ -3190,12 +3196,12 @@ void PIXCfgParser::icmp_object() {
 			name = LT(1);
 			match(WORD);
 			if ( inputState->guessing==0 ) {
-#line 682 "pix.g"
+#line 687 "pix.g"
 				
 				importer->addNamedObjectToObjectGroup(name->getText());
 				*dbg << " GROUP MEMBER " << name->getLine() << std::endl;
 				
-#line 3199 "PIXCfgParser.cpp"
+#line 3205 "PIXCfgParser.cpp"
 			}
 			break;
 		}
@@ -3217,7 +3223,6 @@ void PIXCfgParser::icmp_object() {
 }
 
 void PIXCfgParser::object_group_service_parameters() {
-	Tracer traceInOut(this, "object_group_service_parameters");
 	
 	try {      // for error handling
 		{
@@ -3253,7 +3258,7 @@ void PIXCfgParser::object_group_service_parameters() {
 	catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
 		if( inputState->guessing == 0 ) {
 			reportError(ex);
-			recover(ex,_tokenSet_19);
+			recover(ex,_tokenSet_20);
 		} else {
 			throw;
 		}
@@ -3261,19 +3266,18 @@ void PIXCfgParser::object_group_service_parameters() {
 }
 
 void PIXCfgParser::service_object() {
-	Tracer traceInOut(this, "service_object");
 	ANTLR_USE_NAMESPACE(antlr)RefToken  icmp_type = ANTLR_USE_NAMESPACE(antlr)nullToken;
 	ANTLR_USE_NAMESPACE(antlr)RefToken  name = ANTLR_USE_NAMESPACE(antlr)nullToken;
 	
 	try {      // for error handling
 		match(SERVICE_OBJECT);
 		if ( inputState->guessing==0 ) {
-#line 721 "pix.g"
+#line 726 "pix.g"
 			
 			importer->clearTempVars();
 			importer->setCurrentLineNumber(LT(0)->getLine());
 			
-#line 3277 "PIXCfgParser.cpp"
+#line 3281 "PIXCfgParser.cpp"
 		}
 		{
 		switch ( LA(1)) {
@@ -3327,14 +3331,14 @@ void PIXCfgParser::service_object() {
 			}
 			}
 			if ( inputState->guessing==0 ) {
-#line 727 "pix.g"
+#line 732 "pix.g"
 				
 				importer->setCurrentLineNumber(LT(0)->getLine());
 				importer->protocol = LT(0)->getText();
 				importer->addIPServiceToObjectGroup();
 				*dbg << " GROUP MEMBER " << LT(0)->getText() << " ";
 				
-#line 3338 "PIXCfgParser.cpp"
+#line 3342 "PIXCfgParser.cpp"
 			}
 			break;
 		}
@@ -3366,12 +3370,12 @@ void PIXCfgParser::service_object() {
 			}
 			}
 			if ( inputState->guessing==0 ) {
-#line 735 "pix.g"
+#line 740 "pix.g"
 				
 				importer->protocol = LT(0)->getText();
 				*dbg << " SERVICE TCP/UDP" << LT(0)->getText() << " ";
 				
-#line 3375 "PIXCfgParser.cpp"
+#line 3379 "PIXCfgParser.cpp"
 			}
 			{
 			switch ( LA(1)) {
@@ -3419,11 +3423,11 @@ void PIXCfgParser::service_object() {
 			}
 			}
 			if ( inputState->guessing==0 ) {
-#line 741 "pix.g"
+#line 746 "pix.g"
 				
 				importer->addTCPUDPServiceToObjectGroup();
 				
-#line 3427 "PIXCfgParser.cpp"
+#line 3431 "PIXCfgParser.cpp"
 			}
 			break;
 		}
@@ -3437,11 +3441,11 @@ void PIXCfgParser::service_object() {
 				icmp_type = LT(1);
 				match(INT_CONST);
 				if ( inputState->guessing==0 ) {
-#line 748 "pix.g"
+#line 753 "pix.g"
 					
 					importer->icmp_type = LT(0)->getText();
 					
-#line 3445 "PIXCfgParser.cpp"
+#line 3449 "PIXCfgParser.cpp"
 				}
 				break;
 			}
@@ -3467,11 +3471,11 @@ void PIXCfgParser::service_object() {
 			{
 				icmp_names();
 				if ( inputState->guessing==0 ) {
-#line 753 "pix.g"
+#line 758 "pix.g"
 					
 					importer->icmp_spec = LT(0)->getText();
 					
-#line 3475 "PIXCfgParser.cpp"
+#line 3479 "PIXCfgParser.cpp"
 				}
 				break;
 			}
@@ -3482,12 +3486,12 @@ void PIXCfgParser::service_object() {
 			}
 			}
 			if ( inputState->guessing==0 ) {
-#line 757 "pix.g"
+#line 762 "pix.g"
 				
 				importer->addICMPServiceToObjectGroup();
 				*dbg << " SERVICE ICMP " << LT(0)->getText() << " ";
 				
-#line 3491 "PIXCfgParser.cpp"
+#line 3495 "PIXCfgParser.cpp"
 			}
 			break;
 		}
@@ -3497,12 +3501,12 @@ void PIXCfgParser::service_object() {
 			name = LT(1);
 			match(WORD);
 			if ( inputState->guessing==0 ) {
-#line 763 "pix.g"
+#line 768 "pix.g"
 				
 				importer->addNamedObjectToObjectGroup(name->getText());
 				*dbg << " GROUP MEMBER " << name->getLine() << std::endl;
 				
-#line 3506 "PIXCfgParser.cpp"
+#line 3510 "PIXCfgParser.cpp"
 			}
 			break;
 		}
@@ -3524,19 +3528,18 @@ void PIXCfgParser::service_object() {
 }
 
 void PIXCfgParser::port_object() {
-	Tracer traceInOut(this, "port_object");
-#line 770 "pix.g"
+#line 775 "pix.g"
 	
 	importer->tmp_port_spec = "";
 	importer->tmp_port_spec_2 = "";
 	
-#line 3534 "PIXCfgParser.cpp"
+#line 3537 "PIXCfgParser.cpp"
 	
 	try {      // for error handling
 		match(PORT_OBJECT);
 		xoperator();
 		if ( inputState->guessing==0 ) {
-#line 775 "pix.g"
+#line 780 "pix.g"
 			
 			importer->setCurrentLineNumber(LT(0)->getLine());
 			*dbg << " PORT OBJECT TCP/UDP " << LT(0)->getText() << " " << std::endl;
@@ -3544,7 +3547,7 @@ void PIXCfgParser::port_object() {
 			importer->addTCPUDPServiceToObjectGroup();
 			*dbg << std::endl;
 			
-#line 3548 "PIXCfgParser.cpp"
+#line 3551 "PIXCfgParser.cpp"
 		}
 	}
 	catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
@@ -3558,7 +3561,6 @@ void PIXCfgParser::port_object() {
 }
 
 void PIXCfgParser::permit_extended() {
-	Tracer traceInOut(this, "permit_extended");
 	
 	try {      // for error handling
 		{
@@ -3580,23 +3582,23 @@ void PIXCfgParser::permit_extended() {
 		}
 		match(PERMIT);
 		if ( inputState->guessing==0 ) {
-#line 877 "pix.g"
+#line 889 "pix.g"
 			
 			importer->setCurrentLineNumber(LT(0)->getLine());
 			importer->newPolicyRule();
 			importer->action = "permit";
 			*dbg << LT(1)->getLine() << ":" << " permit ";
 			
-#line 3591 "PIXCfgParser.cpp"
+#line 3593 "PIXCfgParser.cpp"
 		}
 		rule_extended();
 		match(NEWLINE);
 		if ( inputState->guessing==0 ) {
-#line 884 "pix.g"
+#line 896 "pix.g"
 			
 			importer->pushRule();
 			
-#line 3600 "PIXCfgParser.cpp"
+#line 3602 "PIXCfgParser.cpp"
 		}
 	}
 	catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
@@ -3610,7 +3612,6 @@ void PIXCfgParser::permit_extended() {
 }
 
 void PIXCfgParser::deny_extended() {
-	Tracer traceInOut(this, "deny_extended");
 	
 	try {      // for error handling
 		{
@@ -3632,23 +3633,23 @@ void PIXCfgParser::deny_extended() {
 		}
 		match(DENY);
 		if ( inputState->guessing==0 ) {
-#line 890 "pix.g"
+#line 902 "pix.g"
 			
 			importer->setCurrentLineNumber(LT(0)->getLine());
 			importer->newPolicyRule();
 			importer->action = "deny";
 			*dbg << LT(1)->getLine() << ":" << " deny   ";
 			
-#line 3643 "PIXCfgParser.cpp"
+#line 3644 "PIXCfgParser.cpp"
 		}
 		rule_extended();
 		match(NEWLINE);
 		if ( inputState->guessing==0 ) {
-#line 897 "pix.g"
+#line 909 "pix.g"
 			
 			importer->pushRule();
 			
-#line 3652 "PIXCfgParser.cpp"
+#line 3653 "PIXCfgParser.cpp"
 		}
 	}
 	catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
@@ -3662,13 +3663,12 @@ void PIXCfgParser::deny_extended() {
 }
 
 void PIXCfgParser::permit_standard() {
-	Tracer traceInOut(this, "permit_standard");
 	
 	try {      // for error handling
 		match(STANDARD);
 		match(PERMIT);
 		if ( inputState->guessing==0 ) {
-#line 903 "pix.g"
+#line 915 "pix.g"
 			
 			importer->setCurrentLineNumber(LT(0)->getLine());
 			importer->newPolicyRule();
@@ -3680,7 +3680,7 @@ void PIXCfgParser::permit_standard() {
 		rule_standard();
 		match(NEWLINE);
 		if ( inputState->guessing==0 ) {
-#line 910 "pix.g"
+#line 922 "pix.g"
 			
 			importer->pushRule();
 			
@@ -3698,29 +3698,28 @@ void PIXCfgParser::permit_standard() {
 }
 
 void PIXCfgParser::deny_standard() {
-	Tracer traceInOut(this, "deny_standard");
 	
 	try {      // for error handling
 		match(STANDARD);
 		match(DENY);
 		if ( inputState->guessing==0 ) {
-#line 916 "pix.g"
+#line 928 "pix.g"
 			
 			importer->setCurrentLineNumber(LT(0)->getLine());
 			importer->newPolicyRule();
 			importer->action = "deny";
 			*dbg << LT(1)->getLine() << ":" << " deny   ";
 			
-#line 3715 "PIXCfgParser.cpp"
+#line 3714 "PIXCfgParser.cpp"
 		}
 		rule_standard();
 		match(NEWLINE);
 		if ( inputState->guessing==0 ) {
-#line 923 "pix.g"
+#line 935 "pix.g"
 			
 			importer->pushRule();
 			
-#line 3724 "PIXCfgParser.cpp"
+#line 3723 "PIXCfgParser.cpp"
 		}
 	}
 	catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
@@ -3734,12 +3733,11 @@ void PIXCfgParser::deny_standard() {
 }
 
 void PIXCfgParser::remark() {
-	Tracer traceInOut(this, "remark");
 	
 	try {      // for error handling
 		match(REMARK);
 		if ( inputState->guessing==0 ) {
-#line 1764 "pix.g"
+#line 1782 "pix.g"
 			
 			importer->setCurrentLineNumber(LT(0)->getLine());
 			*dbg << LT(1)->getLine() << ":";
@@ -3753,7 +3751,7 @@ void PIXCfgParser::remark() {
 			*dbg << " REMARK " << rem << std::endl;
 			//consumeUntil(NEWLINE);
 			
-#line 3757 "PIXCfgParser.cpp"
+#line 3755 "PIXCfgParser.cpp"
 		}
 	}
 	catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
@@ -3767,7 +3765,6 @@ void PIXCfgParser::remark() {
 }
 
 void PIXCfgParser::rule_extended() {
-	Tracer traceInOut(this, "rule_extended");
 	
 	try {      // for error handling
 		{
@@ -3794,15 +3791,15 @@ void PIXCfgParser::rule_extended() {
 			ip_protocols();
 			hostaddr_expr();
 			if ( inputState->guessing==0 ) {
-#line 948 "pix.g"
+#line 960 "pix.g"
 				importer->SaveTmpAddrToSrc(); *dbg << "(src) ";
-#line 3800 "PIXCfgParser.cpp"
+#line 3797 "PIXCfgParser.cpp"
 			}
 			hostaddr_expr();
 			if ( inputState->guessing==0 ) {
-#line 949 "pix.g"
+#line 961 "pix.g"
 				importer->SaveTmpAddrToDst(); *dbg << "(dst) ";
-#line 3806 "PIXCfgParser.cpp"
+#line 3803 "PIXCfgParser.cpp"
 			}
 			{
 			switch ( LA(1)) {
@@ -3867,24 +3864,24 @@ void PIXCfgParser::rule_extended() {
 		{
 			match(ICMP);
 			if ( inputState->guessing==0 ) {
-#line 955 "pix.g"
+#line 967 "pix.g"
 				
 				importer->protocol = LT(0)->getText();
 				*dbg << "protocol " << LT(0)->getText() << " ";
 				
-#line 3876 "PIXCfgParser.cpp"
+#line 3873 "PIXCfgParser.cpp"
 			}
 			hostaddr_expr();
 			if ( inputState->guessing==0 ) {
-#line 959 "pix.g"
+#line 971 "pix.g"
 				importer->SaveTmpAddrToSrc(); *dbg << "(src) ";
-#line 3882 "PIXCfgParser.cpp"
+#line 3879 "PIXCfgParser.cpp"
 			}
 			hostaddr_expr();
 			if ( inputState->guessing==0 ) {
-#line 960 "pix.g"
+#line 972 "pix.g"
 				importer->SaveTmpAddrToDst(); *dbg << "(dst) ";
-#line 3888 "PIXCfgParser.cpp"
+#line 3885 "PIXCfgParser.cpp"
 			}
 			{
 			switch ( LA(1)) {
@@ -3998,11 +3995,11 @@ void PIXCfgParser::rule_extended() {
 		}
 		}
 		if ( inputState->guessing==0 ) {
-#line 968 "pix.g"
+#line 980 "pix.g"
 			
 			*dbg << std::endl;
 			
-#line 4006 "PIXCfgParser.cpp"
+#line 4003 "PIXCfgParser.cpp"
 		}
 	}
 	catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
@@ -4016,26 +4013,25 @@ void PIXCfgParser::rule_extended() {
 }
 
 void PIXCfgParser::rule_standard() {
-	Tracer traceInOut(this, "rule_standard");
 	
 	try {      // for error handling
 		if ( inputState->guessing==0 ) {
-#line 933 "pix.g"
+#line 945 "pix.g"
 			
 			importer->tmp_a = "0.0.0.0";
 			importer->tmp_nm = "0.0.0.0";
 			importer->SaveTmpAddrToSrc();
 			
-#line 4030 "PIXCfgParser.cpp"
+#line 4026 "PIXCfgParser.cpp"
 		}
 		hostaddr_expr();
 		if ( inputState->guessing==0 ) {
-#line 939 "pix.g"
+#line 951 "pix.g"
 			
 			importer->SaveTmpAddrToDst();
 			*dbg << "(dst) " << std::endl;
 			
-#line 4039 "PIXCfgParser.cpp"
+#line 4035 "PIXCfgParser.cpp"
 		}
 	}
 	catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
@@ -4049,7 +4045,6 @@ void PIXCfgParser::rule_standard() {
 }
 
 void PIXCfgParser::hostaddr_expr() {
-	Tracer traceInOut(this, "hostaddr_expr");
 	ANTLR_USE_NAMESPACE(antlr)RefToken  name = ANTLR_USE_NAMESPACE(antlr)nullToken;
 	ANTLR_USE_NAMESPACE(antlr)RefToken  h = ANTLR_USE_NAMESPACE(antlr)nullToken;
 	ANTLR_USE_NAMESPACE(antlr)RefToken  a = ANTLR_USE_NAMESPACE(antlr)nullToken;
@@ -4062,13 +4057,13 @@ void PIXCfgParser::hostaddr_expr() {
 			match(INTRFACE);
 			interface_label();
 			if ( inputState->guessing==0 ) {
-#line 1209 "pix.g"
+#line 1221 "pix.g"
 				
 				importer->tmp_a = LT(0)->getText();
 				importer->tmp_nm = "interface";
 				*dbg << "object " << LT(0)->getText() << " ";
 				
-#line 4072 "PIXCfgParser.cpp"
+#line 4067 "PIXCfgParser.cpp"
 			}
 			break;
 		}
@@ -4098,13 +4093,13 @@ void PIXCfgParser::hostaddr_expr() {
 			match(WORD);
 			}
 			if ( inputState->guessing==0 ) {
-#line 1216 "pix.g"
+#line 1228 "pix.g"
 				
 				importer->tmp_a = name->getText();
 				importer->tmp_nm = "";
 				*dbg << "object " << name->getText() << " ";
 				
-#line 4108 "PIXCfgParser.cpp"
+#line 4103 "PIXCfgParser.cpp"
 			}
 			break;
 		}
@@ -4116,13 +4111,13 @@ void PIXCfgParser::hostaddr_expr() {
 			match(IPV4);
 			}
 			if ( inputState->guessing==0 ) {
-#line 1223 "pix.g"
+#line 1235 "pix.g"
 				
 				importer->tmp_a = h->getText();
 				importer->tmp_nm = "255.255.255.255";
 				*dbg << h->getText() << "/255.255.255.255";
 				
-#line 4126 "PIXCfgParser.cpp"
+#line 4121 "PIXCfgParser.cpp"
 			}
 			break;
 		}
@@ -4135,13 +4130,13 @@ void PIXCfgParser::hostaddr_expr() {
 			match(IPV4);
 			}
 			if ( inputState->guessing==0 ) {
-#line 1230 "pix.g"
+#line 1242 "pix.g"
 				
 				importer->tmp_a = a->getText();
 				importer->tmp_nm = m->getText();
 				*dbg << a->getText() << "/" << m->getText();
 				
-#line 4145 "PIXCfgParser.cpp"
+#line 4140 "PIXCfgParser.cpp"
 			}
 			break;
 		}
@@ -4149,13 +4144,13 @@ void PIXCfgParser::hostaddr_expr() {
 		{
 			match(ANY);
 			if ( inputState->guessing==0 ) {
-#line 1237 "pix.g"
+#line 1249 "pix.g"
 				
 				importer->tmp_a = "0.0.0.0";
 				importer->tmp_nm = "0.0.0.0";
 				*dbg << "0.0.0.0/0.0.0.0";
 				
-#line 4159 "PIXCfgParser.cpp"
+#line 4154 "PIXCfgParser.cpp"
 			}
 			break;
 		}
@@ -4168,7 +4163,7 @@ void PIXCfgParser::hostaddr_expr() {
 	catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
 		if( inputState->guessing == 0 ) {
 			reportError(ex);
-			recover(ex,_tokenSet_20);
+			recover(ex,_tokenSet_21);
 		} else {
 			throw;
 		}
@@ -4176,7 +4171,6 @@ void PIXCfgParser::hostaddr_expr() {
 }
 
 void PIXCfgParser::ip_protocols() {
-	Tracer traceInOut(this, "ip_protocols");
 	ANTLR_USE_NAMESPACE(antlr)RefToken  name = ANTLR_USE_NAMESPACE(antlr)nullToken;
 	
 	try {      // for error handling
@@ -4232,12 +4226,12 @@ void PIXCfgParser::ip_protocols() {
 			}
 			}
 			if ( inputState->guessing==0 ) {
-#line 1156 "pix.g"
+#line 1168 "pix.g"
 				
 				importer->protocol = LT(0)->getText();
 				*dbg << "protocol " << LT(0)->getText() << " ";
 				
-#line 4241 "PIXCfgParser.cpp"
+#line 4235 "PIXCfgParser.cpp"
 			}
 			break;
 		}
@@ -4267,12 +4261,12 @@ void PIXCfgParser::ip_protocols() {
 			match(WORD);
 			}
 			if ( inputState->guessing==0 ) {
-#line 1162 "pix.g"
+#line 1174 "pix.g"
 				
 				importer->protocol = name->getText();
 				*dbg << "protocol " << name->getText() << " ";
 				
-#line 4276 "PIXCfgParser.cpp"
+#line 4270 "PIXCfgParser.cpp"
 			}
 			break;
 		}
@@ -4283,33 +4277,6 @@ void PIXCfgParser::ip_protocols() {
 		}
 		}
 	}
-	catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
-		if( inputState->guessing == 0 ) {
-			reportError(ex);
-			recover(ex,_tokenSet_21);
-		} else {
-			throw;
-		}
-	}
-}
-
-void PIXCfgParser::time_range() {
-	Tracer traceInOut(this, "time_range");
-	ANTLR_USE_NAMESPACE(antlr)RefToken  tr_name = ANTLR_USE_NAMESPACE(antlr)nullToken;
-	
-	try {      // for error handling
-		match(TIME_RANGE);
-		tr_name = LT(1);
-		match(WORD);
-		if ( inputState->guessing==0 ) {
-#line 1289 "pix.g"
-			
-			importer->time_range_name = tr_name->getText();
-			*dbg << "time_range " << tr_name->getText() << " ";
-			
-#line 4311 "PIXCfgParser.cpp"
-		}
-	}
 	catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
 		if( inputState->guessing == 0 ) {
 			reportError(ex);
@@ -4320,18 +4287,20 @@ void PIXCfgParser::time_range() {
 	}
 }
 
-void PIXCfgParser::fragments() {
-	Tracer traceInOut(this, "fragments");
+void PIXCfgParser::time_range() {
+	ANTLR_USE_NAMESPACE(antlr)RefToken  tr_name = ANTLR_USE_NAMESPACE(antlr)nullToken;
 	
 	try {      // for error handling
-		match(FRAGMENTS);
+		match(TIME_RANGE);
+		tr_name = LT(1);
+		match(WORD);
 		if ( inputState->guessing==0 ) {
-#line 1282 "pix.g"
+#line 1301 "pix.g"
 			
-			importer->fragments = true;
-			*dbg << "fragments ";
+			importer->time_range_name = tr_name->getText();
+			*dbg << "time_range " << tr_name->getText() << " ";
 			
-#line 4335 "PIXCfgParser.cpp"
+#line 4304 "PIXCfgParser.cpp"
 		}
 	}
 	catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
@@ -4344,8 +4313,30 @@ void PIXCfgParser::fragments() {
 	}
 }
 
+void PIXCfgParser::fragments() {
+	
+	try {      // for error handling
+		match(FRAGMENTS);
+		if ( inputState->guessing==0 ) {
+#line 1294 "pix.g"
+			
+			importer->fragments = true;
+			*dbg << "fragments ";
+			
+#line 4327 "PIXCfgParser.cpp"
+		}
+	}
+	catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
+		if( inputState->guessing == 0 ) {
+			reportError(ex);
+			recover(ex,_tokenSet_24);
+		} else {
+			throw;
+		}
+	}
+}
+
 void PIXCfgParser::log() {
-	Tracer traceInOut(this, "log");
 	
 	try {      // for error handling
 		{
@@ -4367,11 +4358,11 @@ void PIXCfgParser::log() {
 		}
 		}
 		if ( inputState->guessing==0 ) {
-#line 1248 "pix.g"
+#line 1260 "pix.g"
 			
 			importer->logging = true;
 			
-#line 4375 "PIXCfgParser.cpp"
+#line 4366 "PIXCfgParser.cpp"
 		}
 		{
 		{
@@ -4452,9 +4443,9 @@ void PIXCfgParser::log() {
 			}
 			}
 			if ( inputState->guessing==0 ) {
-#line 1265 "pix.g"
+#line 1277 "pix.g"
 				importer->log_level = LT(0)->getText();
-#line 4458 "PIXCfgParser.cpp"
+#line 4449 "PIXCfgParser.cpp"
 			}
 			break;
 		}
@@ -4478,9 +4469,9 @@ void PIXCfgParser::log() {
 			match(INT_CONST);
 			}
 			if ( inputState->guessing==0 ) {
-#line 1270 "pix.g"
+#line 1282 "pix.g"
 				importer->log_interval = LT(0)->getText();
-#line 4484 "PIXCfgParser.cpp"
+#line 4475 "PIXCfgParser.cpp"
 			}
 			break;
 		}
@@ -4496,14 +4487,14 @@ void PIXCfgParser::log() {
 		}
 		}
 		if ( inputState->guessing==0 ) {
-#line 1273 "pix.g"
+#line 1285 "pix.g"
 			
 			//        if (importer->log_level == "log") importer->log_level = "";
 			//        if (importer->log_interval == "log") importer->log_interval = "";
 			*dbg << "logging level '" << importer->log_level
 			<< "' interval '" << importer->log_interval << "'";
 			
-#line 4507 "PIXCfgParser.cpp"
+#line 4498 "PIXCfgParser.cpp"
 		}
 	}
 	catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
@@ -4517,7 +4508,6 @@ void PIXCfgParser::log() {
 }
 
 void PIXCfgParser::icmp_spec() {
-	Tracer traceInOut(this, "icmp_spec");
 	ANTLR_USE_NAMESPACE(antlr)RefToken  icmp_type = ANTLR_USE_NAMESPACE(antlr)nullToken;
 	ANTLR_USE_NAMESPACE(antlr)RefToken  icmp_code = ANTLR_USE_NAMESPACE(antlr)nullToken;
 	
@@ -4533,7 +4523,7 @@ void PIXCfgParser::icmp_spec() {
 			match(INT_CONST);
 			}
 			if ( inputState->guessing==0 ) {
-#line 1172 "pix.g"
+#line 1184 "pix.g"
 				
 				importer->icmp_type = icmp_type->getText();
 				importer->icmp_code = icmp_code->getText();
@@ -4541,7 +4531,7 @@ void PIXCfgParser::icmp_spec() {
 				*dbg << icmp_type->getText() << " "
 				<< icmp_code->getText() << " ";
 				
-#line 4545 "PIXCfgParser.cpp"
+#line 4535 "PIXCfgParser.cpp"
 			}
 			break;
 		}
@@ -4567,12 +4557,12 @@ void PIXCfgParser::icmp_spec() {
 		{
 			icmp_names();
 			if ( inputState->guessing==0 ) {
-#line 1181 "pix.g"
+#line 1193 "pix.g"
 				
 				importer->icmp_spec = LT(0)->getText();
 				*dbg << LT(0)->getText() << " ";
 				
-#line 4576 "PIXCfgParser.cpp"
+#line 4566 "PIXCfgParser.cpp"
 			}
 			break;
 		}
@@ -4586,7 +4576,7 @@ void PIXCfgParser::icmp_spec() {
 	catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
 		if( inputState->guessing == 0 ) {
 			reportError(ex);
-			recover(ex,_tokenSet_13);
+			recover(ex,_tokenSet_14);
 		} else {
 			throw;
 		}
@@ -4594,7 +4584,6 @@ void PIXCfgParser::icmp_spec() {
 }
 
 void PIXCfgParser::tcp_udp_rule_extended() {
-	Tracer traceInOut(this, "tcp_udp_rule_extended");
 	ANTLR_USE_NAMESPACE(antlr)RefToken  src_grp_name = ANTLR_USE_NAMESPACE(antlr)nullToken;
 	ANTLR_USE_NAMESPACE(antlr)RefToken  dst_addr_name = ANTLR_USE_NAMESPACE(antlr)nullToken;
 	
@@ -4618,24 +4607,24 @@ void PIXCfgParser::tcp_udp_rule_extended() {
 		}
 		}
 		if ( inputState->guessing==0 ) {
-#line 975 "pix.g"
+#line 987 "pix.g"
 			
 			importer->protocol = LT(0)->getText();
 			*dbg << "protocol " << LT(0)->getText() << " ";
 			
-#line 4627 "PIXCfgParser.cpp"
+#line 4616 "PIXCfgParser.cpp"
 		}
 		hostaddr_expr();
 		if ( inputState->guessing==0 ) {
-#line 979 "pix.g"
+#line 991 "pix.g"
 			importer->SaveTmpAddrToSrc(); *dbg << "(src) ";
-#line 4633 "PIXCfgParser.cpp"
+#line 4622 "PIXCfgParser.cpp"
 		}
 		{
-		bool synPredMatched123 = false;
-		if (((_tokenSet_21.member(LA(1))) && (_tokenSet_24.member(LA(2))))) {
-			int _m123 = mark();
-			synPredMatched123 = true;
+		bool synPredMatched124 = false;
+		if (((_tokenSet_22.member(LA(1))) && (_tokenSet_25.member(LA(2))))) {
+			int _m124 = mark();
+			synPredMatched124 = true;
 			inputState->guessing++;
 			try {
 				{
@@ -4643,46 +4632,46 @@ void PIXCfgParser::tcp_udp_rule_extended() {
 				}
 			}
 			catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& pe) {
-				synPredMatched123 = false;
+				synPredMatched124 = false;
 			}
-			rewind(_m123);
+			rewind(_m124);
 			inputState->guessing--;
 		}
-		if ( synPredMatched123 ) {
+		if ( synPredMatched124 ) {
 			{
 			if (((LA(1) == OBJECT_GROUP) && (LA(2) == WORD))&&( importer->isKnownServiceGroupName(LT(2)->getText()) )) {
 				match(OBJECT_GROUP);
 				src_grp_name = LT(1);
 				match(WORD);
 				if ( inputState->guessing==0 ) {
-#line 989 "pix.g"
+#line 1001 "pix.g"
 					
 					importer->src_port_spec = src_grp_name->getText();
 					*dbg << "src port spec: "
 					<< src_grp_name->getText() << std::endl;
 					
-#line 4665 "PIXCfgParser.cpp"
+#line 4654 "PIXCfgParser.cpp"
 				}
 				hostaddr_expr_1();
 				if ( inputState->guessing==0 ) {
-#line 997 "pix.g"
+#line 1009 "pix.g"
 					
 					importer->SaveTmpAddrToDst();
 					*dbg << "(dst) ";
 					
-#line 4674 "PIXCfgParser.cpp"
+#line 4663 "PIXCfgParser.cpp"
 				}
 				acl_tcp_udp_dst_port_spec();
 			}
-			else if ((_tokenSet_21.member(LA(1))) && (_tokenSet_24.member(LA(2)))) {
+			else if ((_tokenSet_22.member(LA(1))) && (_tokenSet_25.member(LA(2)))) {
 				hostaddr_expr_2();
 				if ( inputState->guessing==0 ) {
-#line 1006 "pix.g"
+#line 1018 "pix.g"
 					
 					importer->SaveTmpAddrToDst();
 					*dbg << "(dst) ";
 					
-#line 4686 "PIXCfgParser.cpp"
+#line 4675 "PIXCfgParser.cpp"
 				}
 				acl_tcp_udp_dst_port_spec();
 			}
@@ -4697,10 +4686,10 @@ void PIXCfgParser::tcp_udp_rule_extended() {
 			dst_addr_name = LT(1);
 			match(WORD);
 			{
-			if ((_tokenSet_25.member(LA(1))) && (_tokenSet_26.member(LA(2)))) {
+			if ((_tokenSet_26.member(LA(1))) && (_tokenSet_27.member(LA(2)))) {
 				acl_xoperator_dst();
 			}
-			else if ((_tokenSet_27.member(LA(1))) && (_tokenSet_28.member(LA(2)))) {
+			else if ((_tokenSet_28.member(LA(1))) && (_tokenSet_29.member(LA(2)))) {
 			}
 			else {
 				throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename());
@@ -4708,10 +4697,10 @@ void PIXCfgParser::tcp_udp_rule_extended() {
 			
 			}
 			{
-			if ((LA(1) == ESTABLISHED) && (_tokenSet_27.member(LA(2)))) {
+			if ((LA(1) == ESTABLISHED) && (_tokenSet_28.member(LA(2)))) {
 				established();
 			}
-			else if ((_tokenSet_27.member(LA(1))) && (_tokenSet_29.member(LA(2)))) {
+			else if ((_tokenSet_28.member(LA(1))) && (_tokenSet_30.member(LA(2)))) {
 			}
 			else {
 				throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename());
@@ -4719,7 +4708,7 @@ void PIXCfgParser::tcp_udp_rule_extended() {
 			
 			}
 			if ( inputState->guessing==0 ) {
-#line 1015 "pix.g"
+#line 1027 "pix.g"
 				
 				// looks like "object foo" at this point can only be dest addr.
 				// (judging by cli prompts on 8.3)
@@ -4728,11 +4717,11 @@ void PIXCfgParser::tcp_udp_rule_extended() {
 				importer->SaveTmpAddrToDst();
 				*dbg << "dst addr object " << dst_addr_name->getText() << " ";
 				
-#line 4732 "PIXCfgParser.cpp"
+#line 4721 "PIXCfgParser.cpp"
 			}
 			acl_tcp_udp_dst_port_spec();
 		}
-		else if ((_tokenSet_30.member(LA(1))) && (_tokenSet_31.member(LA(2)))) {
+		else if ((_tokenSet_31.member(LA(1))) && (_tokenSet_32.member(LA(2)))) {
 			{
 			switch ( LA(1)) {
 			case RANGE:
@@ -4743,11 +4732,11 @@ void PIXCfgParser::tcp_udp_rule_extended() {
 			{
 				xoperator();
 				if ( inputState->guessing==0 ) {
-#line 1029 "pix.g"
+#line 1041 "pix.g"
 					
 					importer->SaveTmpPortToSrc();
 					
-#line 4751 "PIXCfgParser.cpp"
+#line 4740 "PIXCfgParser.cpp"
 				}
 				break;
 			}
@@ -4768,9 +4757,9 @@ void PIXCfgParser::tcp_udp_rule_extended() {
 			}
 			hostaddr_expr_3();
 			if ( inputState->guessing==0 ) {
-#line 1033 "pix.g"
+#line 1045 "pix.g"
 				importer->SaveTmpAddrToDst(); *dbg << "(dst) ";
-#line 4774 "PIXCfgParser.cpp"
+#line 4763 "PIXCfgParser.cpp"
 			}
 			acl_tcp_udp_dst_port_spec();
 		}
@@ -4848,7 +4837,6 @@ void PIXCfgParser::tcp_udp_rule_extended() {
 }
 
 void PIXCfgParser::hostaddr_expr_1() {
-	Tracer traceInOut(this, "hostaddr_expr_1");
 	
 	try {      // for error handling
 		hostaddr_expr();
@@ -4856,7 +4844,7 @@ void PIXCfgParser::hostaddr_expr_1() {
 	catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
 		if( inputState->guessing == 0 ) {
 			reportError(ex);
-			recover(ex,_tokenSet_27);
+			recover(ex,_tokenSet_28);
 		} else {
 			throw;
 		}
@@ -4864,7 +4852,6 @@ void PIXCfgParser::hostaddr_expr_1() {
 }
 
 void PIXCfgParser::acl_tcp_udp_dst_port_spec() {
-	Tracer traceInOut(this, "acl_tcp_udp_dst_port_spec");
 	ANTLR_USE_NAMESPACE(antlr)RefToken  dst_port_group_name = ANTLR_USE_NAMESPACE(antlr)nullToken;
 	ANTLR_USE_NAMESPACE(antlr)RefToken  dst_port_obj_name = ANTLR_USE_NAMESPACE(antlr)nullToken;
 	
@@ -4878,13 +4865,13 @@ void PIXCfgParser::acl_tcp_udp_dst_port_spec() {
 			dst_port_group_name = LT(1);
 			match(WORD);
 			if ( inputState->guessing==0 ) {
-#line 1051 "pix.g"
+#line 1063 "pix.g"
 				
 				importer->dst_port_spec = dst_port_group_name->getText();
 				*dbg << "dst port spec: "
 				<< dst_port_group_name->getText() << std::endl;
 				
-#line 4888 "PIXCfgParser.cpp"
+#line 4875 "PIXCfgParser.cpp"
 			}
 			{
 			switch ( LA(1)) {
@@ -4916,13 +4903,13 @@ void PIXCfgParser::acl_tcp_udp_dst_port_spec() {
 			dst_port_obj_name = LT(1);
 			match(WORD);
 			if ( inputState->guessing==0 ) {
-#line 1061 "pix.g"
+#line 1073 "pix.g"
 				
 				importer->dst_port_spec = dst_port_obj_name->getText();
 				*dbg << "dst addr object " << dst_port_obj_name->getText()
 				<< std::endl;
 				
-#line 4926 "PIXCfgParser.cpp"
+#line 4913 "PIXCfgParser.cpp"
 			}
 			{
 			switch ( LA(1)) {
@@ -5018,7 +5005,7 @@ void PIXCfgParser::acl_tcp_udp_dst_port_spec() {
 	catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
 		if( inputState->guessing == 0 ) {
 			reportError(ex);
-			recover(ex,_tokenSet_13);
+			recover(ex,_tokenSet_14);
 		} else {
 			throw;
 		}
@@ -5026,7 +5013,6 @@ void PIXCfgParser::acl_tcp_udp_dst_port_spec() {
 }
 
 void PIXCfgParser::hostaddr_expr_2() {
-	Tracer traceInOut(this, "hostaddr_expr_2");
 	
 	try {      // for error handling
 		hostaddr_expr();
@@ -5034,7 +5020,7 @@ void PIXCfgParser::hostaddr_expr_2() {
 	catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
 		if( inputState->guessing == 0 ) {
 			reportError(ex);
-			recover(ex,_tokenSet_27);
+			recover(ex,_tokenSet_28);
 		} else {
 			throw;
 		}
@@ -5042,22 +5028,21 @@ void PIXCfgParser::hostaddr_expr_2() {
 }
 
 void PIXCfgParser::acl_xoperator_dst() {
-	Tracer traceInOut(this, "acl_xoperator_dst");
 	
 	try {      // for error handling
 		xoperator();
 		if ( inputState->guessing==0 ) {
-#line 1076 "pix.g"
+#line 1088 "pix.g"
 			
 			importer->SaveTmpPortToDst();
 			
-#line 5055 "PIXCfgParser.cpp"
+#line 5040 "PIXCfgParser.cpp"
 		}
 	}
 	catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
 		if( inputState->guessing == 0 ) {
 			reportError(ex);
-			recover(ex,_tokenSet_27);
+			recover(ex,_tokenSet_28);
 		} else {
 			throw;
 		}
@@ -5065,23 +5050,22 @@ void PIXCfgParser::acl_xoperator_dst() {
 }
 
 void PIXCfgParser::established() {
-	Tracer traceInOut(this, "established");
 	
 	try {      // for error handling
 		match(ESTABLISHED);
 		if ( inputState->guessing==0 ) {
-#line 1145 "pix.g"
+#line 1157 "pix.g"
 			
 			importer->established = true;
 			*dbg << "established ";
 			
-#line 5079 "PIXCfgParser.cpp"
+#line 5063 "PIXCfgParser.cpp"
 		}
 	}
 	catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
 		if( inputState->guessing == 0 ) {
 			reportError(ex);
-			recover(ex,_tokenSet_27);
+			recover(ex,_tokenSet_28);
 		} else {
 			throw;
 		}
@@ -5089,7 +5073,6 @@ void PIXCfgParser::established() {
 }
 
 void PIXCfgParser::hostaddr_expr_3() {
-	Tracer traceInOut(this, "hostaddr_expr_3");
 	
 	try {      // for error handling
 		hostaddr_expr();
@@ -5097,7 +5080,7 @@ void PIXCfgParser::hostaddr_expr_3() {
 	catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
 		if( inputState->guessing == 0 ) {
 			reportError(ex);
-			recover(ex,_tokenSet_27);
+			recover(ex,_tokenSet_28);
 		} else {
 			throw;
 		}
@@ -5105,7 +5088,6 @@ void PIXCfgParser::hostaddr_expr_3() {
 }
 
 void PIXCfgParser::single_port_op() {
-	Tracer traceInOut(this, "single_port_op");
 	
 	try {      // for error handling
 		{
@@ -5137,19 +5119,19 @@ void PIXCfgParser::single_port_op() {
 		}
 		}
 		if ( inputState->guessing==0 ) {
-#line 1086 "pix.g"
+#line 1098 "pix.g"
 			
 			importer->tmp_port_op = LT(0)->getText();
 			*dbg << LT(0)->getText() << " ";
 			
-#line 5146 "PIXCfgParser.cpp"
+#line 5128 "PIXCfgParser.cpp"
 		}
 		port_spec();
 	}
 	catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
 		if( inputState->guessing == 0 ) {
 			reportError(ex);
-			recover(ex,_tokenSet_15);
+			recover(ex,_tokenSet_16);
 		} else {
 			throw;
 		}
@@ -5157,24 +5139,23 @@ void PIXCfgParser::single_port_op() {
 }
 
 void PIXCfgParser::port_range() {
-	Tracer traceInOut(this, "port_range");
 	
 	try {      // for error handling
 		match(RANGE);
 		pair_of_ports_spec();
 		if ( inputState->guessing==0 ) {
-#line 1101 "pix.g"
+#line 1113 "pix.g"
 			
 			importer->tmp_port_op = "range";
 			*dbg << "range " << importer->tmp_port_spec;
 			
-#line 5172 "PIXCfgParser.cpp"
+#line 5153 "PIXCfgParser.cpp"
 		}
 	}
 	catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
 		if( inputState->guessing == 0 ) {
 			reportError(ex);
-			recover(ex,_tokenSet_15);
+			recover(ex,_tokenSet_16);
 		} else {
 			throw;
 		}
@@ -5182,23 +5163,22 @@ void PIXCfgParser::port_range() {
 }
 
 void PIXCfgParser::port_spec() {
-	Tracer traceInOut(this, "port_spec");
 	
 	try {      // for error handling
 		tcp_udp_port_spec();
 		if ( inputState->guessing==0 ) {
-#line 1094 "pix.g"
+#line 1106 "pix.g"
 			
 			importer->tmp_port_spec = std::string(" ") + importer->tmp_port_spec_2;
 			*dbg << LT(0)->getText() << " " << importer->tmp_port_spec;
 			
-#line 5196 "PIXCfgParser.cpp"
+#line 5176 "PIXCfgParser.cpp"
 		}
 	}
 	catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
 		if( inputState->guessing == 0 ) {
 			reportError(ex);
-			recover(ex,_tokenSet_15);
+			recover(ex,_tokenSet_16);
 		} else {
 			throw;
 		}
@@ -5206,7 +5186,6 @@ void PIXCfgParser::port_spec() {
 }
 
 void PIXCfgParser::tcp_udp_port_spec() {
-	Tracer traceInOut(this, "tcp_udp_port_spec");
 	
 	try {      // for error handling
 		{
@@ -5238,17 +5217,17 @@ void PIXCfgParser::tcp_udp_port_spec() {
 		}
 		}
 		if ( inputState->guessing==0 ) {
-#line 1125 "pix.g"
+#line 1137 "pix.g"
 			
 			importer->tmp_port_spec_2 = LT(0)->getText();
 			
-#line 5246 "PIXCfgParser.cpp"
+#line 5225 "PIXCfgParser.cpp"
 		}
 	}
 	catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
 		if( inputState->guessing == 0 ) {
 			reportError(ex);
-			recover(ex,_tokenSet_32);
+			recover(ex,_tokenSet_33);
 		} else {
 			throw;
 		}
@@ -5256,38 +5235,37 @@ void PIXCfgParser::tcp_udp_port_spec() {
 }
 
 void PIXCfgParser::pair_of_ports_spec() {
-	Tracer traceInOut(this, "pair_of_ports_spec");
 	
 	try {      // for error handling
 		if ( inputState->guessing==0 ) {
-#line 1108 "pix.g"
+#line 1120 "pix.g"
 			
 			importer->tmp_port_spec_2 = "";
 			
-#line 5268 "PIXCfgParser.cpp"
+#line 5246 "PIXCfgParser.cpp"
 		}
 		tcp_udp_port_spec();
 		if ( inputState->guessing==0 ) {
-#line 1112 "pix.g"
+#line 1124 "pix.g"
 			
 			importer->tmp_port_spec += importer->tmp_port_spec_2;
 			
-#line 5276 "PIXCfgParser.cpp"
+#line 5254 "PIXCfgParser.cpp"
 		}
 		tcp_udp_port_spec();
 		if ( inputState->guessing==0 ) {
-#line 1116 "pix.g"
+#line 1128 "pix.g"
 			
 			importer->tmp_port_spec += " ";
 			importer->tmp_port_spec += importer->tmp_port_spec_2;
 			
-#line 5285 "PIXCfgParser.cpp"
+#line 5263 "PIXCfgParser.cpp"
 		}
 	}
 	catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
 		if( inputState->guessing == 0 ) {
 			reportError(ex);
-			recover(ex,_tokenSet_15);
+			recover(ex,_tokenSet_16);
 		} else {
 			throw;
 		}
@@ -5295,7 +5273,6 @@ void PIXCfgParser::pair_of_ports_spec() {
 }
 
 void PIXCfgParser::tcp_udp_port_names() {
-	Tracer traceInOut(this, "tcp_udp_port_names");
 	
 	try {      // for error handling
 		{
@@ -5340,7 +5317,7 @@ void PIXCfgParser::tcp_udp_port_names() {
 	catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
 		if( inputState->guessing == 0 ) {
 			reportError(ex);
-			recover(ex,_tokenSet_32);
+			recover(ex,_tokenSet_33);
 		} else {
 			throw;
 		}
@@ -5348,7 +5325,6 @@ void PIXCfgParser::tcp_udp_port_names() {
 }
 
 void PIXCfgParser::interface_command_6() {
-	Tracer traceInOut(this, "interface_command_6");
 	ANTLR_USE_NAMESPACE(antlr)RefToken  in = ANTLR_USE_NAMESPACE(antlr)nullToken;
 	
 	try {      // for error handling
@@ -5356,14 +5332,14 @@ void PIXCfgParser::interface_command_6() {
 		match(WORD);
 		pix6_interface_hw_speed();
 		if ( inputState->guessing==0 ) {
-#line 1353 "pix.g"
+#line 1365 "pix.g"
 			
 			importer->setCurrentLineNumber(LT(0)->getLine());
 			importer->newInterface( in->getText() );
 			*dbg << in->getLine() << ":"
 			<< " INTRFACE: " << in->getText() << std::endl;
 			
-#line 5367 "PIXCfgParser.cpp"
+#line 5343 "PIXCfgParser.cpp"
 		}
 	}
 	catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
@@ -5377,43 +5353,42 @@ void PIXCfgParser::interface_command_6() {
 }
 
 void PIXCfgParser::interface_command_7() {
-	Tracer traceInOut(this, "interface_command_7");
 	ANTLR_USE_NAMESPACE(antlr)RefToken  in = ANTLR_USE_NAMESPACE(antlr)nullToken;
-#line 1361 "pix.g"
+#line 1373 "pix.g"
 	bool have_interface_parameters = false;
-#line 5385 "PIXCfgParser.cpp"
+#line 5360 "PIXCfgParser.cpp"
 	
 	try {      // for error handling
 		in = LT(1);
 		match(WORD);
 		match(NEWLINE);
 		if ( inputState->guessing==0 ) {
-#line 1362 "pix.g"
+#line 1374 "pix.g"
 			
 			importer->setCurrentLineNumber(LT(0)->getLine());
 			importer->newInterface( in->getText() );
 			*dbg << in->getLine() << ":"
 			<< " INTRFACE: " << in->getText() << std::endl;
 			
-#line 5399 "PIXCfgParser.cpp"
+#line 5374 "PIXCfgParser.cpp"
 		}
 		{
 		{ // ( ... )*
 		for (;;) {
-			if ((_tokenSet_33.member(LA(1)))) {
+			if ((_tokenSet_34.member(LA(1)))) {
 				interface_parameters();
 				if ( inputState->guessing==0 ) {
-#line 1369 "pix.g"
+#line 1381 "pix.g"
 					have_interface_parameters = true;
-#line 5409 "PIXCfgParser.cpp"
+#line 5384 "PIXCfgParser.cpp"
 				}
 			}
 			else {
-				goto _loop189;
+				goto _loop190;
 			}
 			
 		}
-		_loop189:;
+		_loop190:;
 		} // ( ... )*
 		{
 		switch ( LA(1)) {
@@ -5434,7 +5409,7 @@ void PIXCfgParser::interface_command_7() {
 		}
 		}
 		if ( inputState->guessing==0 ) {
-#line 1371 "pix.g"
+#line 1383 "pix.g"
 			
 			if ( ! have_interface_parameters )
 			{
@@ -5443,7 +5418,7 @@ void PIXCfgParser::interface_command_7() {
 			<< " EMPTY INTERFACE " << std::endl;
 			}
 			
-#line 5447 "PIXCfgParser.cpp"
+#line 5422 "PIXCfgParser.cpp"
 		}
 		}
 	}
@@ -5458,7 +5433,6 @@ void PIXCfgParser::interface_command_7() {
 }
 
 void PIXCfgParser::pix6_interface_hw_speed() {
-	Tracer traceInOut(this, "pix6_interface_hw_speed");
 	
 	try {      // for error handling
 		{
@@ -5531,15 +5505,14 @@ void PIXCfgParser::pix6_interface_hw_speed() {
 }
 
 void PIXCfgParser::interface_parameters() {
-	Tracer traceInOut(this, "interface_parameters");
 	
 	try {      // for error handling
 		if ( inputState->guessing==0 ) {
-#line 1406 "pix.g"
+#line 1418 "pix.g"
 			
 			importer->setCurrentLineNumber(LT(0)->getLine());
 			
-#line 5543 "PIXCfgParser.cpp"
+#line 5516 "PIXCfgParser.cpp"
 		}
 		{
 		switch ( LA(1)) {
@@ -5612,7 +5585,7 @@ void PIXCfgParser::interface_parameters() {
 	catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
 		if( inputState->guessing == 0 ) {
 			reportError(ex);
-			recover(ex,_tokenSet_34);
+			recover(ex,_tokenSet_35);
 		} else {
 			throw;
 		}
@@ -5620,7 +5593,6 @@ void PIXCfgParser::interface_parameters() {
 }
 
 void PIXCfgParser::intf_address() {
-	Tracer traceInOut(this, "intf_address");
 	
 	try {      // for error handling
 		match(IP);
@@ -5656,7 +5628,6 @@ void PIXCfgParser::intf_address() {
 }
 
 void PIXCfgParser::vlan_interface() {
-	Tracer traceInOut(this, "vlan_interface");
 	ANTLR_USE_NAMESPACE(antlr)RefToken  vlan_id = ANTLR_USE_NAMESPACE(antlr)nullToken;
 	
 	try {      // for error handling
@@ -5664,12 +5635,12 @@ void PIXCfgParser::vlan_interface() {
 		vlan_id = LT(1);
 		match(INT_CONST);
 		if ( inputState->guessing==0 ) {
-#line 1432 "pix.g"
+#line 1444 "pix.g"
 			
 			importer->setInterfaceVlanId(vlan_id->getText());
 			*dbg << " VLAN: " << vlan_id->getText() << std::endl;
 			
-#line 5673 "PIXCfgParser.cpp"
+#line 5644 "PIXCfgParser.cpp"
 		}
 	}
 	catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
@@ -5683,7 +5654,6 @@ void PIXCfgParser::vlan_interface() {
 }
 
 void PIXCfgParser::sec_level() {
-	Tracer traceInOut(this, "sec_level");
 	ANTLR_USE_NAMESPACE(antlr)RefToken  sec_level = ANTLR_USE_NAMESPACE(antlr)nullToken;
 	
 	try {      // for error handling
@@ -5691,12 +5661,12 @@ void PIXCfgParser::sec_level() {
 		sec_level = LT(1);
 		match(INT_CONST);
 		if ( inputState->guessing==0 ) {
-#line 1484 "pix.g"
+#line 1496 "pix.g"
 			
 			importer->setInterfaceSecurityLevel(sec_level->getText());
 			*dbg << "SEC_LEVEL: " << sec_level->getText() << std::endl;
 			
-#line 5700 "PIXCfgParser.cpp"
+#line 5670 "PIXCfgParser.cpp"
 		}
 	}
 	catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
@@ -5710,17 +5680,47 @@ void PIXCfgParser::sec_level() {
 }
 
 void PIXCfgParser::nameif() {
-	Tracer traceInOut(this, "nameif");
 	
 	try {      // for error handling
 		match(NAMEIF);
 		interface_label();
 		if ( inputState->guessing==0 ) {
-#line 1503 "pix.g"
+#line 1515 "pix.g"
 			
 			importer->setInterfaceParametes(LT(0)->getText(), "", "");
 			*dbg << " NAMEIF: " << LT(0)->getText() << std::endl;
 			
+#line 5694 "PIXCfgParser.cpp"
+		}
+	}
+	catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
+		if( inputState->guessing == 0 ) {
+			reportError(ex);
+			recover(ex,_tokenSet_9);
+		} else {
+			throw;
+		}
+	}
+}
+
+void PIXCfgParser::interface_description() {
+	
+	try {      // for error handling
+		match(DESCRIPTION);
+		if ( inputState->guessing==0 ) {
+#line 1524 "pix.g"
+			
+			*dbg << LT(1)->getLine() << ":";
+			std::string descr;
+			while (LA(1) != ANTLR_USE_NAMESPACE(antlr)Token::EOF_TYPE && LA(1) != NEWLINE)
+			{
+			descr += LT(1)->getText() + " ";
+			consume();
+			}
+			importer->setInterfaceComment( descr );
+			*dbg << " DESCRIPTION " << descr << std::endl;
+			//consumeUntil(NEWLINE);
+			
 #line 5725 "PIXCfgParser.cpp"
 		}
 	}
@@ -5734,40 +5734,7 @@ void PIXCfgParser::nameif() {
 	}
 }
 
-void PIXCfgParser::interface_description() {
-	Tracer traceInOut(this, "interface_description");
-	
-	try {      // for error handling
-		match(DESCRIPTION);
-		if ( inputState->guessing==0 ) {
-#line 1512 "pix.g"
-			
-			*dbg << LT(1)->getLine() << ":";
-			std::string descr;
-			while (LA(1) != ANTLR_USE_NAMESPACE(antlr)Token::EOF_TYPE && LA(1) != NEWLINE)
-			{
-			descr += LT(1)->getText() + " ";
-			consume();
-			}
-			importer->setInterfaceComment( descr );
-			*dbg << " DESCRIPTION " << descr << std::endl;
-			//consumeUntil(NEWLINE);
-			
-#line 5757 "PIXCfgParser.cpp"
-		}
-	}
-	catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
-		if( inputState->guessing == 0 ) {
-			reportError(ex);
-			recover(ex,_tokenSet_9);
-		} else {
-			throw;
-		}
-	}
-}
-
 void PIXCfgParser::switchport() {
-	Tracer traceInOut(this, "switchport");
 	ANTLR_USE_NAMESPACE(antlr)RefToken  vlan_num = ANTLR_USE_NAMESPACE(antlr)nullToken;
 	
 	try {      // for error handling
@@ -5777,12 +5744,12 @@ void PIXCfgParser::switchport() {
 		vlan_num = LT(1);
 		match(INT_CONST);
 		if ( inputState->guessing==0 ) {
-#line 1624 "pix.g"
+#line 1636 "pix.g"
 			
 			importer->addMessageToLog("Switch port vlan " + vlan_num->getText());
 			*dbg << "Switch port vlan " <<  vlan_num->getText() << std::endl;
 			
-#line 5786 "PIXCfgParser.cpp"
+#line 5753 "PIXCfgParser.cpp"
 		}
 	}
 	catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
@@ -5796,18 +5763,17 @@ void PIXCfgParser::switchport() {
 }
 
 void PIXCfgParser::shutdown() {
-	Tracer traceInOut(this, "shutdown");
 	
 	try {      // for error handling
 		match(SHUTDOWN);
 		if ( inputState->guessing==0 ) {
-#line 1527 "pix.g"
+#line 1539 "pix.g"
 			
 			importer->ignoreCurrentInterface();
 			*dbg<< LT(1)->getLine() << ":"
 			<< " INTERFACE SHUTDOWN " << std::endl;
 			
-#line 5811 "PIXCfgParser.cpp"
+#line 5777 "PIXCfgParser.cpp"
 		}
 	}
 	catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
@@ -5821,7 +5787,6 @@ void PIXCfgParser::shutdown() {
 }
 
 void PIXCfgParser::interface_no_commands() {
-	Tracer traceInOut(this, "interface_no_commands");
 	
 	try {      // for error handling
 		match(NO);
@@ -5854,13 +5819,13 @@ void PIXCfgParser::interface_no_commands() {
 		}
 		}
 		if ( inputState->guessing==0 ) {
-#line 1476 "pix.g"
+#line 1488 "pix.g"
 			
 			*dbg << " INTERFACE \"NO\" COMMAND: "
 			<< LT(0)->getText() << std::endl;
 			consumeUntil(NEWLINE);
 			
-#line 5864 "PIXCfgParser.cpp"
+#line 5829 "PIXCfgParser.cpp"
 		}
 	}
 	catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
@@ -5874,7 +5839,6 @@ void PIXCfgParser::interface_no_commands() {
 }
 
 void PIXCfgParser::unsupported_interface_commands() {
-	Tracer traceInOut(this, "unsupported_interface_commands");
 	
 	try {      // for error handling
 		{
@@ -5956,13 +5920,13 @@ void PIXCfgParser::unsupported_interface_commands() {
 		}
 		}
 		if ( inputState->guessing==0 ) {
-#line 1468 "pix.g"
+#line 1480 "pix.g"
 			
 			*dbg << " UNSUPPORTED INTERFACE COMMAND: "
 			<< LT(0)->getText() << std::endl;
 			consumeUntil(NEWLINE);
 			
-#line 5966 "PIXCfgParser.cpp"
+#line 5930 "PIXCfgParser.cpp"
 		}
 	}
 	catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
@@ -5976,7 +5940,6 @@ void PIXCfgParser::unsupported_interface_commands() {
 }
 
 void PIXCfgParser::v6_ip_address() {
-	Tracer traceInOut(this, "v6_ip_address");
 	
 	try {      // for error handling
 		if ((LA(1) == WORD) && (LA(2) == DHCP)) {
@@ -6001,7 +5964,6 @@ void PIXCfgParser::v6_ip_address() {
 }
 
 void PIXCfgParser::v7_ip_address() {
-	Tracer traceInOut(this, "v7_ip_address");
 	
 	try {      // for error handling
 		switch ( LA(1)) {
@@ -6032,7 +5994,6 @@ void PIXCfgParser::v7_ip_address() {
 }
 
 void PIXCfgParser::v6_dhcp_address() {
-	Tracer traceInOut(this, "v6_dhcp_address");
 	ANTLR_USE_NAMESPACE(antlr)RefToken  lbl = ANTLR_USE_NAMESPACE(antlr)nullToken;
 	ANTLR_USE_NAMESPACE(antlr)RefToken  dhcp = ANTLR_USE_NAMESPACE(antlr)nullToken;
 	
@@ -6042,7 +6003,7 @@ void PIXCfgParser::v6_dhcp_address() {
 		dhcp = LT(1);
 		match(DHCP);
 		if ( inputState->guessing==0 ) {
-#line 1562 "pix.g"
+#line 1574 "pix.g"
 			
 			std::string label = lbl->getText();
 			std::string addr = dhcp->getText();
@@ -6053,7 +6014,7 @@ void PIXCfgParser::v6_dhcp_address() {
 			// which we do not support
 			consumeUntil(NEWLINE);
 			
-#line 6057 "PIXCfgParser.cpp"
+#line 6018 "PIXCfgParser.cpp"
 		}
 	}
 	catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
@@ -6067,7 +6028,6 @@ void PIXCfgParser::v6_dhcp_address() {
 }
 
 void PIXCfgParser::v6_static_address() {
-	Tracer traceInOut(this, "v6_static_address");
 	ANTLR_USE_NAMESPACE(antlr)RefToken  lbl = ANTLR_USE_NAMESPACE(antlr)nullToken;
 	ANTLR_USE_NAMESPACE(antlr)RefToken  a = ANTLR_USE_NAMESPACE(antlr)nullToken;
 	ANTLR_USE_NAMESPACE(antlr)RefToken  m = ANTLR_USE_NAMESPACE(antlr)nullToken;
@@ -6080,7 +6040,7 @@ void PIXCfgParser::v6_static_address() {
 		m = LT(1);
 		match(IPV4);
 		if ( inputState->guessing==0 ) {
-#line 1575 "pix.g"
+#line 1587 "pix.g"
 			
 			std::string label = lbl->getText();
 			std::string addr = a->getText();
@@ -6091,7 +6051,7 @@ void PIXCfgParser::v6_static_address() {
 			// in case there are some other parameters after address and netmask
 			consumeUntil(NEWLINE);
 			
-#line 6095 "PIXCfgParser.cpp"
+#line 6055 "PIXCfgParser.cpp"
 		}
 	}
 	catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
@@ -6105,14 +6065,13 @@ void PIXCfgParser::v6_static_address() {
 }
 
 void PIXCfgParser::v7_dhcp_address() {
-	Tracer traceInOut(this, "v7_dhcp_address");
 	ANTLR_USE_NAMESPACE(antlr)RefToken  dhcp = ANTLR_USE_NAMESPACE(antlr)nullToken;
 	
 	try {      // for error handling
 		dhcp = LT(1);
 		match(DHCP);
 		if ( inputState->guessing==0 ) {
-#line 1592 "pix.g"
+#line 1604 "pix.g"
 			
 			std::string addr = dhcp->getText();
 			importer->addInterfaceAddress(addr, "");
@@ -6120,7 +6079,7 @@ void PIXCfgParser::v7_dhcp_address() {
 			<< " INTRFACE ADDRESS: " << addr << std::endl;
 			consumeUntil(NEWLINE);
 			
-#line 6124 "PIXCfgParser.cpp"
+#line 6083 "PIXCfgParser.cpp"
 		}
 	}
 	catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
@@ -6134,7 +6093,6 @@ void PIXCfgParser::v7_dhcp_address() {
 }
 
 void PIXCfgParser::v7_static_address() {
-	Tracer traceInOut(this, "v7_static_address");
 	ANTLR_USE_NAMESPACE(antlr)RefToken  a = ANTLR_USE_NAMESPACE(antlr)nullToken;
 	ANTLR_USE_NAMESPACE(antlr)RefToken  m = ANTLR_USE_NAMESPACE(antlr)nullToken;
 	ANTLR_USE_NAMESPACE(antlr)RefToken  s = ANTLR_USE_NAMESPACE(antlr)nullToken;
@@ -6163,7 +6121,7 @@ void PIXCfgParser::v7_static_address() {
 		}
 		}
 		if ( inputState->guessing==0 ) {
-#line 1603 "pix.g"
+#line 1615 "pix.g"
 			
 			std::string addr = a->getText();
 			std::string netm = m->getText();
@@ -6180,7 +6138,7 @@ void PIXCfgParser::v7_static_address() {
 			}
 			consumeUntil(NEWLINE);
 			
-#line 6184 "PIXCfgParser.cpp"
+#line 6142 "PIXCfgParser.cpp"
 		}
 	}
 	catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
@@ -6194,7 +6152,6 @@ void PIXCfgParser::v7_static_address() {
 }
 
 void PIXCfgParser::icmp_types_for_icmp_command() {
-	Tracer traceInOut(this, "icmp_types_for_icmp_command");
 	
 	try {      // for error handling
 		switch ( LA(1)) {
@@ -6202,13 +6159,13 @@ void PIXCfgParser::icmp_types_for_icmp_command() {
 		{
 			match(INT_CONST);
 			if ( inputState->guessing==0 ) {
-#line 1743 "pix.g"
+#line 1761 "pix.g"
 				
 				importer->icmp_type = LT(0)->getText();
 				importer->icmp_code = "0";
 				importer->icmp_spec = "";
 				
-#line 6212 "PIXCfgParser.cpp"
+#line 6169 "PIXCfgParser.cpp"
 			}
 			break;
 		}
@@ -6246,13 +6203,13 @@ void PIXCfgParser::icmp_types_for_icmp_command() {
 			}
 			}
 			if ( inputState->guessing==0 ) {
-#line 1750 "pix.g"
+#line 1768 "pix.g"
 				
 				importer->icmp_type = "";
 				importer->icmp_code = "0";
 				importer->icmp_spec = LT(0)->getText();
 				
-#line 6256 "PIXCfgParser.cpp"
+#line 6213 "PIXCfgParser.cpp"
 			}
 			break;
 		}
@@ -6262,57 +6219,6 @@ void PIXCfgParser::icmp_types_for_icmp_command() {
 		}
 		}
 	}
-	catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
-		if( inputState->guessing == 0 ) {
-			reportError(ex);
-			recover(ex,_tokenSet_35);
-		} else {
-			throw;
-		}
-	}
-}
-
-void PIXCfgParser::nat_addr_match() {
-	Tracer traceInOut(this, "nat_addr_match");
-	ANTLR_USE_NAMESPACE(antlr)RefToken  acl_name = ANTLR_USE_NAMESPACE(antlr)nullToken;
-	
-	try {      // for error handling
-		{
-		switch ( LA(1)) {
-		case HOST:
-		{
-			host_addr();
-			if ( inputState->guessing==0 ) {
-#line 1842 "pix.g"
-				
-				importer->nat_a = importer->tmp_a;
-				importer->nat_nm = importer->tmp_nm;
-				
-#line 6292 "PIXCfgParser.cpp"
-			}
-			break;
-		}
-		case ACCESS_LIST:
-		{
-			match(ACCESS_LIST);
-			acl_name = LT(1);
-			match(WORD);
-			if ( inputState->guessing==0 ) {
-#line 1848 "pix.g"
-				
-				importer->nat_acl = acl_name->getText();
-				
-#line 6306 "PIXCfgParser.cpp"
-			}
-			break;
-		}
-		default:
-		{
-			throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename());
-		}
-		}
-		}
-	}
 	catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
 		if( inputState->guessing == 0 ) {
 			reportError(ex);
@@ -6323,8 +6229,57 @@ void PIXCfgParser::nat_addr_match() {
 	}
 }
 
+void PIXCfgParser::nat_addr_match() {
+	ANTLR_USE_NAMESPACE(antlr)RefToken  acl_name = ANTLR_USE_NAMESPACE(antlr)nullToken;
+	
+	try {      // for error handling
+		{
+		switch ( LA(1)) {
+		case HOST:
+		{
+			host_addr();
+			if ( inputState->guessing==0 ) {
+#line 1860 "pix.g"
+				
+				importer->nat_a = importer->tmp_a;
+				importer->nat_nm = importer->tmp_nm;
+				
+#line 6248 "PIXCfgParser.cpp"
+			}
+			break;
+		}
+		case ACCESS_LIST:
+		{
+			match(ACCESS_LIST);
+			acl_name = LT(1);
+			match(WORD);
+			if ( inputState->guessing==0 ) {
+#line 1866 "pix.g"
+				
+				importer->nat_acl = acl_name->getText();
+				
+#line 6262 "PIXCfgParser.cpp"
+			}
+			break;
+		}
+		default:
+		{
+			throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename());
+		}
+		}
+		}
+	}
+	catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
+		if( inputState->guessing == 0 ) {
+			reportError(ex);
+			recover(ex,_tokenSet_37);
+		} else {
+			throw;
+		}
+	}
+}
+
 void PIXCfgParser::nat_command_last_parameters() {
-	Tracer traceInOut(this, "nat_command_last_parameters");
 	ANTLR_USE_NAMESPACE(antlr)RefToken  max_conn = ANTLR_USE_NAMESPACE(antlr)nullToken;
 	ANTLR_USE_NAMESPACE(antlr)RefToken  max_emb_conn = ANTLR_USE_NAMESPACE(antlr)nullToken;
 	
@@ -6411,13 +6366,13 @@ void PIXCfgParser::nat_command_last_parameters() {
 		}
 		}
 		if ( inputState->guessing==0 ) {
-#line 1865 "pix.g"
+#line 1883 "pix.g"
 			
 			importer->static_max_conn = max_conn->getText();
 			if (max_emb_conn)
 			importer->static_max_emb_conn = max_emb_conn->getText();
 			
-#line 6421 "PIXCfgParser.cpp"
+#line 6376 "PIXCfgParser.cpp"
 		}
 	}
 	catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
@@ -6431,16 +6386,15 @@ void PIXCfgParser::nat_command_last_parameters() {
 }
 
 void PIXCfgParser::nat_new_top_level_command() {
-	Tracer traceInOut(this, "nat_new_top_level_command");
 	
 	try {      // for error handling
 		match(NAT);
 		if ( inputState->guessing==0 ) {
-#line 1873 "pix.g"
+#line 1891 "pix.g"
 			
 			consumeUntil(NEWLINE);
 			
-#line 6444 "PIXCfgParser.cpp"
+#line 6398 "PIXCfgParser.cpp"
 		}
 	}
 	catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
@@ -6454,12 +6408,22 @@ void PIXCfgParser::nat_new_top_level_command() {
 }
 
 void PIXCfgParser::static_starts_with_hostaddr() {
-	Tracer traceInOut(this, "static_starts_with_hostaddr");
 	
 	try {      // for error handling
 		static_mapped_addr_match();
 		static_real_addr_match();
-		static_command_common_last_parameters();
+		{ // ( ... )*
+		for (;;) {
+			if ((_tokenSet_38.member(LA(1)))) {
+				static_command_common_last_parameters();
+			}
+			else {
+				goto _loop253;
+			}
+			
+		}
+		_loop253:;
+		} // ( ... )*
 	}
 	catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
 		if( inputState->guessing == 0 ) {
@@ -6472,7 +6436,6 @@ void PIXCfgParser::static_starts_with_hostaddr() {
 }
 
 void PIXCfgParser::static_starts_with_tcp_udp() {
-	Tracer traceInOut(this, "static_starts_with_tcp_udp");
 	
 	try {      // for error handling
 		{
@@ -6494,34 +6457,45 @@ void PIXCfgParser::static_starts_with_tcp_udp() {
 		}
 		}
 		if ( inputState->guessing==0 ) {
-#line 1967 "pix.g"
+#line 1991 "pix.g"
 			
 			importer->protocol = LT(0)->getText();
-			*dbg << " SERVICE TCP/UDP" << LT(0)->getText() << " ";
+			*dbg << " SERVICE TCP/UDP " << LT(0)->getText() << " ";
 			
-#line 6503 "PIXCfgParser.cpp"
+#line 6466 "PIXCfgParser.cpp"
 		}
 		static_mapped_addr_match();
 		tcp_udp_port_spec();
 		if ( inputState->guessing==0 ) {
-#line 1981 "pix.g"
+#line 2005 "pix.g"
 			
 			importer->mapped_port_spec = importer->tmp_port_spec_2;
-			*dbg << "mapped port " << importer->mapped_port_spec;
+			*dbg << "mapped port " << importer->mapped_port_spec << " ";
 			
-#line 6513 "PIXCfgParser.cpp"
+#line 6476 "PIXCfgParser.cpp"
 		}
 		static_real_addr_match();
 		tcp_udp_port_spec();
 		if ( inputState->guessing==0 ) {
-#line 1996 "pix.g"
+#line 2020 "pix.g"
 			
 			importer->real_port_spec = importer->tmp_port_spec_2;
-			*dbg << "real port " << importer->real_port_spec;
+			*dbg << "real port " << importer->real_port_spec << " ";
 			
-#line 6523 "PIXCfgParser.cpp"
+#line 6486 "PIXCfgParser.cpp"
 		}
-		static_command_common_last_parameters();
+		{ // ( ... )*
+		for (;;) {
+			if ((_tokenSet_38.member(LA(1)))) {
+				static_command_common_last_parameters();
+			}
+			else {
+				goto _loop261;
+			}
+			
+		}
+		_loop261:;
+		} // ( ... )*
 	}
 	catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
 		if( inputState->guessing == 0 ) {
@@ -6534,21 +6508,21 @@ void PIXCfgParser::static_starts_with_tcp_udp() {
 }
 
 void PIXCfgParser::static_mapped_addr_match() {
-	Tracer traceInOut(this, "static_mapped_addr_match");
 	
 	try {      // for error handling
 		{
 		switch ( LA(1)) {
-		case HOST:
+		case IPV4:
+		case IPV6:
 		{
-			host_addr();
+			single_addr();
 			if ( inputState->guessing==0 ) {
-#line 1938 "pix.g"
+#line 1962 "pix.g"
 				
 				importer->mapped_a = importer->tmp_a;
 				importer->mapped_nm = importer->tmp_nm;
 				
-#line 6552 "PIXCfgParser.cpp"
+#line 6526 "PIXCfgParser.cpp"
 			}
 			break;
 		}
@@ -6556,12 +6530,12 @@ void PIXCfgParser::static_mapped_addr_match() {
 		{
 			match(INTRFACE);
 			if ( inputState->guessing==0 ) {
-#line 1944 "pix.g"
+#line 1968 "pix.g"
 				
 				importer->mapped_a = "interface";
 				importer->mapped_nm = "";
 				
-#line 6565 "PIXCfgParser.cpp"
+#line 6539 "PIXCfgParser.cpp"
 			}
 			break;
 		}
@@ -6575,7 +6549,7 @@ void PIXCfgParser::static_mapped_addr_match() {
 	catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
 		if( inputState->guessing == 0 ) {
 			reportError(ex);
-			recover(ex,_tokenSet_37);
+			recover(ex,_tokenSet_39);
 		} else {
 			throw;
 		}
@@ -6583,22 +6557,22 @@ void PIXCfgParser::static_mapped_addr_match() {
 }
 
 void PIXCfgParser::static_real_addr_match() {
-	Tracer traceInOut(this, "static_real_addr_match");
 	ANTLR_USE_NAMESPACE(antlr)RefToken  acl_name = ANTLR_USE_NAMESPACE(antlr)nullToken;
 	
 	try {      // for error handling
 		{
 		switch ( LA(1)) {
-		case HOST:
+		case IPV4:
+		case IPV6:
 		{
-			host_addr();
+			single_addr();
 			if ( inputState->guessing==0 ) {
-#line 1954 "pix.g"
+#line 1978 "pix.g"
 				
 				importer->real_a = importer->tmp_a;
 				importer->real_nm = importer->tmp_nm;
 				
-#line 6602 "PIXCfgParser.cpp"
+#line 6576 "PIXCfgParser.cpp"
 			}
 			break;
 		}
@@ -6608,11 +6582,11 @@ void PIXCfgParser::static_real_addr_match() {
 			acl_name = LT(1);
 			match(WORD);
 			if ( inputState->guessing==0 ) {
-#line 1960 "pix.g"
+#line 1984 "pix.g"
 				
 				importer->real_addr_acl = acl_name->getText();
 				
-#line 6616 "PIXCfgParser.cpp"
+#line 6590 "PIXCfgParser.cpp"
 			}
 			break;
 		}
@@ -6626,7 +6600,7 @@ void PIXCfgParser::static_real_addr_match() {
 	catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
 		if( inputState->guessing == 0 ) {
 			reportError(ex);
-			recover(ex,_tokenSet_38);
+			recover(ex,_tokenSet_40);
 		} else {
 			throw;
 		}
@@ -6634,27 +6608,53 @@ void PIXCfgParser::static_real_addr_match() {
 }
 
 void PIXCfgParser::static_command_common_last_parameters() {
-	Tracer traceInOut(this, "static_command_common_last_parameters");
 	ANTLR_USE_NAMESPACE(antlr)RefToken  nm = ANTLR_USE_NAMESPACE(antlr)nullToken;
 	ANTLR_USE_NAMESPACE(antlr)RefToken  max_conn = ANTLR_USE_NAMESPACE(antlr)nullToken;
 	ANTLR_USE_NAMESPACE(antlr)RefToken  max_emb_conn = ANTLR_USE_NAMESPACE(antlr)nullToken;
 	
 	try {      // for error handling
 		switch ( LA(1)) {
+		case DNS:
+		{
+			match(DNS);
+			if ( inputState->guessing==0 ) {
+#line 2038 "pix.g"
+				
+				importer->addMessageToLog(
+				"Warning: 'static' command option 'dns' is not supported");
+				
+#line 6627 "PIXCfgParser.cpp"
+			}
+			break;
+		}
+		case NORANDOMSEQ:
+		{
+			match(NORANDOMSEQ);
+			if ( inputState->guessing==0 ) {
+#line 2044 "pix.g"
+				
+				importer->addMessageToLog(
+				"Warning: 'static' command option 'norandomseq' is not supported");
+				
+#line 6640 "PIXCfgParser.cpp"
+			}
+			break;
+		}
 		case NETMASK:
 		{
 			match(NETMASK);
 			nm = LT(1);
-			match(IPv4);
+			match(IPV4);
 			if ( inputState->guessing==0 ) {
-#line 2012 "pix.g"
+#line 2050 "pix.g"
 				
 				importer->mapped_nm = nm->getText();
 				
-#line 6655 "PIXCfgParser.cpp"
+#line 6654 "PIXCfgParser.cpp"
 			}
 			break;
 		}
+		case INT_CONST:
 		case TCP:
 		case UDP:
 		{
@@ -6670,52 +6670,38 @@ void PIXCfgParser::static_command_common_last_parameters() {
 				match(UDP);
 				break;
 			}
+			case INT_CONST:
+			{
+				break;
+			}
 			default:
 			{
 				throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename());
 			}
 			}
 			}
-			if ( inputState->guessing==0 ) {
-#line 2017 "pix.g"
-				
-				// <0-65535>  The maximum number of simultaneous tcp connections
-				
-				
-#line 6686 "PIXCfgParser.cpp"
-			}
-			break;
-		}
-		case INT_CONST:
-		{
 			max_conn = LT(1);
 			match(INT_CONST);
 			{
-			switch ( LA(1)) {
-			case INT_CONST:
-			{
+			if ((LA(1) == INT_CONST) && (_tokenSet_41.member(LA(2)))) {
 				max_emb_conn = LT(1);
 				match(INT_CONST);
-				break;
 			}
-			case NEWLINE:
-			{
-				break;
+			else if ((_tokenSet_41.member(LA(1))) && (_tokenSet_42.member(LA(2)))) {
 			}
-			default:
-			{
+			else {
 				throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename());
 			}
-			}
+			
 			}
 			if ( inputState->guessing==0 ) {
-#line 2023 "pix.g"
+#line 2056 "pix.g"
 				
 				importer->static_max_conn = max_conn->getText();
 				if (max_emb_conn)
 				importer->static_max_emb_conn = max_emb_conn->getText();
 				
-#line 6719 "PIXCfgParser.cpp"
+#line 6705 "PIXCfgParser.cpp"
 			}
 			break;
 		}
@@ -6728,7 +6714,7 @@ void PIXCfgParser::static_command_common_last_parameters() {
 	catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
 		if( inputState->guessing == 0 ) {
 			reportError(ex);
-			recover(ex,_tokenSet_9);
+			recover(ex,_tokenSet_41);
 		} else {
 			throw;
 		}
@@ -6794,6 +6780,7 @@ const char* PIXCfgParser::tokenNames[] = {
 	"\"service-object\"",
 	"\"port-object\"",
 	"\"crypto\"",
+	"\"dns\"",
 	"\"no\"",
 	"\"certificate\"",
 	"\"PIX\"",
@@ -6880,16 +6867,16 @@ const char* PIXCfgParser::tokenNames[] = {
 	"\"standby\"",
 	"\"switchport\"",
 	"\"access\"",
+	"\"scopy\"",
 	"\"remark\"",
 	"\"access-group\"",
 	"COLON_COMMENT",
 	"CLOSING_PAREN",
-	"DNS",
 	"\"global\"",
 	"\"static\"",
 	"COMMA",
-	"NETMASK",
-	"IPv4",
+	"\"norandomseq\"",
+	"\"netmask\"",
 	"\"secondary\"",
 	"\"setroute\"",
 	"Whitespace",
@@ -6929,21 +6916,21 @@ const char* PIXCfgParser::tokenNames[] = {
 const unsigned long PIXCfgParser::_tokenSet_0_data_[] = { 2UL, 0UL, 0UL, 0UL, 0UL, 0UL };
 // EOF 
 const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgParser::_tokenSet_0(_tokenSet_0_data_,6);
-const unsigned long PIXCfgParser::_tokenSet_1_data_[] = { 1342187378UL, 2814382112UL, 2147486720UL, 67960832UL, 835584UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL };
+const unsigned long PIXCfgParser::_tokenSet_1_data_[] = { 1342187378UL, 1337987104UL, 6145UL, 135921665UL, 1769472UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL };
 // EOF NEWLINE "quit" "ip" "timeout" "names" "name" WORD OBJECT "nat" "icmp" 
-// OBJECT_GROUP "crypto" "no" "certificate" "PIX" "ASA" "hostname" "access-list" 
-// "ssh" "telnet" "interface" "controller" LINE_COMMENT "exit" "nameif" 
-// "access-group" COLON_COMMENT "global" "static" 
+// OBJECT_GROUP "crypto" "dns" "no" "certificate" "PIX" "ASA" "hostname" 
+// "access-list" "ssh" "telnet" "interface" "controller" LINE_COMMENT "exit" 
+// "nameif" "access-group" COLON_COMMENT "global" "static" 
 const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgParser::_tokenSet_1(_tokenSet_1_data_,12);
-const unsigned long PIXCfgParser::_tokenSet_2_data_[] = { 0UL, 64UL, 0UL, 7340032UL, 0UL, 0UL, 0UL, 0UL };
+const unsigned long PIXCfgParser::_tokenSet_2_data_[] = { 0UL, 64UL, 0UL, 14680064UL, 0UL, 0UL, 0UL, 0UL };
 // INT_CONST "aui" "auto" "bnc" 
 const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgParser::_tokenSet_2(_tokenSet_2_data_,8);
-const unsigned long PIXCfgParser::_tokenSet_3_data_[] = { 536854592UL, 5024UL, 2UL, 0UL, 0UL, 0UL, 0UL, 0UL };
+const unsigned long PIXCfgParser::_tokenSet_3_data_[] = { 536854592UL, 5024UL, 4UL, 0UL, 0UL, 0UL, 0UL, 0UL };
 // "ip" "ah" "eigrp" "esp" "gre" "igmp" "igrp" "ipinip" "ipsec" "nos" "ospf" 
 // "pcp" "pim" "pptp" "snp" OBJECT "icmp" "icmp6" "tcp" "udp" OBJECT_GROUP 
 // "permit" 
 const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgParser::_tokenSet_3(_tokenSet_3_data_,8);
-const unsigned long PIXCfgParser::_tokenSet_4_data_[] = { 536854592UL, 5024UL, 4UL, 0UL, 0UL, 0UL, 0UL, 0UL };
+const unsigned long PIXCfgParser::_tokenSet_4_data_[] = { 536854592UL, 5024UL, 8UL, 0UL, 0UL, 0UL, 0UL, 0UL };
 // "ip" "ah" "eigrp" "esp" "gre" "igmp" "igrp" "ipinip" "ipsec" "nos" "ospf" 
 // "pcp" "pim" "pptp" "snp" OBJECT "icmp" "icmp6" "tcp" "udp" OBJECT_GROUP 
 // "deny" 
@@ -6951,82 +6938,88 @@ const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgParser::_tokenSet_4(_tokenSet_4_dat
 const unsigned long PIXCfgParser::_tokenSet_5_data_[] = { 0UL, 3153921UL, 0UL, 0UL, 0UL, 0UL };
 // "description" "group-object" "service-object" "port-object" 
 const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgParser::_tokenSet_5(_tokenSet_5_data_,6);
-const unsigned long PIXCfgParser::_tokenSet_6_data_[] = { 268437520UL, 4098UL, 2147483648UL, 1UL, 0UL, 0UL, 0UL, 0UL };
+const unsigned long PIXCfgParser::_tokenSet_6_data_[] = { 268437520UL, 4098UL, 0UL, 3UL, 0UL, 0UL, 0UL, 0UL };
 // NEWLINE IPV4 OBJECT "host" OBJECT_GROUP "interface" "any" 
 const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgParser::_tokenSet_6(_tokenSet_6_data_,8);
-const unsigned long PIXCfgParser::_tokenSet_7_data_[] = { 1342187378UL, 2814382127UL, 2147486720UL, 67960832UL, 835584UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL };
+const unsigned long PIXCfgParser::_tokenSet_7_data_[] = { 1342187378UL, 1337987119UL, 6145UL, 135921665UL, 1769472UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL };
 // EOF NEWLINE "quit" "ip" "timeout" "names" "name" WORD OBJECT "nat" "description" 
-// "host" "range" "subnet" "icmp" OBJECT_GROUP "crypto" "no" "certificate" 
+// "host" "range" "subnet" "icmp" OBJECT_GROUP "crypto" "dns" "no" "certificate" 
 // "PIX" "ASA" "hostname" "access-list" "ssh" "telnet" "interface" "controller" 
 // LINE_COMMENT "exit" "nameif" "access-group" COLON_COMMENT "global" "static" 
 const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgParser::_tokenSet_7(_tokenSet_7_data_,12);
-const unsigned long PIXCfgParser::_tokenSet_8_data_[] = { 67117072UL, 2684355394UL, 3840UL, 131072UL, 2228224UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL };
-// NEWLINE WORD "pptp" "host" INT_CONST "tcp" "udp" "hostname" "access-list" 
-// "echo" "rip" "ssh" "telnet" "outside" DNS NETMASK 
-const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgParser::_tokenSet_8(_tokenSet_8_data_,12);
+const unsigned long PIXCfgParser::_tokenSet_8_data_[] = { 16UL, 8389440UL, 0UL, 262144UL, 0UL, 0UL, 0UL, 0UL };
+// NEWLINE INT_CONST "tcp" "udp" "dns" "outside" 
+const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgParser::_tokenSet_8(_tokenSet_8_data_,8);
 const unsigned long PIXCfgParser::_tokenSet_9_data_[] = { 16UL, 0UL, 0UL, 0UL, 0UL, 0UL };
 // NEWLINE 
 const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgParser::_tokenSet_9(_tokenSet_9_data_,6);
-const unsigned long PIXCfgParser::_tokenSet_10_data_[] = { 1342189426UL, 2814382191UL, 4294966768UL, 68141063UL, 901120UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL };
+const unsigned long PIXCfgParser::_tokenSet_10_data_[] = { 1342189426UL, 1337987183UL, 4294966241UL, 136282127UL, 4128768UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL };
 // EOF NEWLINE "quit" "ip" "timeout" "names" "name" IPV4 WORD OBJECT "nat" 
 // "description" "host" "range" "subnet" "icmp" INT_CONST OBJECT_GROUP 
-// "crypto" "no" "certificate" "PIX" "ASA" "hostname" "access-list" "eq" 
-// "gt" "lt" "neq" "echo" "ssh" "telnet" "established" "alternate-address" 
+// "crypto" "dns" "no" "certificate" "PIX" "ASA" "hostname" "access-list" 
+// "eq" "gt" "lt" "neq" "echo" "ssh" "telnet" "established" "alternate-address" 
 // "conversion-error" "echo-reply" "information-reply" "information-request" 
 // "mask-reply" "mask-request" "mobile-redirect" "parameter-problem" "redirect" 
 // "router-advertisement" "router-solicitation" "source-quench" "time-exceeded" 
 // "timestamp-reply" "timestamp-request" "traceroute" "unreachable" "interface" 
 // "any" "log" "log-input" "fragments" "time-range" "controller" "outside" 
 // LINE_COMMENT "exit" "nameif" "access-group" COLON_COMMENT CLOSING_PAREN 
-// "global" "static" 
+// "global" "static" COMMA 
 const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgParser::_tokenSet_10(_tokenSet_10_data_,12);
-const unsigned long PIXCfgParser::_tokenSet_11_data_[] = { 268419136UL, 64UL, 0UL, 0UL, 0UL, 0UL };
+const unsigned long PIXCfgParser::_tokenSet_11_data_[] = { 67123216UL, 1082131264UL, 7681UL, 262144UL, 12582912UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL };
+// NEWLINE IPV4 IPV6 WORD "pptp" INT_CONST "tcp" "udp" "dns" "hostname" 
+// "access-list" "echo" "rip" "ssh" "telnet" "outside" "norandomseq" "netmask" 
+const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgParser::_tokenSet_11(_tokenSet_11_data_,12);
+const unsigned long PIXCfgParser::_tokenSet_12_data_[] = { 268419136UL, 64UL, 0UL, 0UL, 0UL, 0UL };
 // "ip" "ah" "eigrp" "esp" "gre" "igmp" "igrp" "ipinip" "ipsec" "nos" "ospf" 
 // "pcp" "pim" "pptp" "snp" INT_CONST 
-const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgParser::_tokenSet_11(_tokenSet_11_data_,6);
-const unsigned long PIXCfgParser::_tokenSet_12_data_[] = { 1342187378UL, 2814382129UL, 2147486720UL, 67960832UL, 835584UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL };
+const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgParser::_tokenSet_12(_tokenSet_12_data_,6);
+const unsigned long PIXCfgParser::_tokenSet_13_data_[] = { 1342187378UL, 1337987121UL, 6145UL, 135921665UL, 1769472UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL };
 // EOF NEWLINE "quit" "ip" "timeout" "names" "name" WORD OBJECT "nat" "description" 
-// "service" "icmp" OBJECT_GROUP "crypto" "no" "certificate" "PIX" "ASA" 
-// "hostname" "access-list" "ssh" "telnet" "interface" "controller" LINE_COMMENT 
-// "exit" "nameif" "access-group" COLON_COMMENT "global" "static" 
-const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgParser::_tokenSet_12(_tokenSet_12_data_,12);
-const unsigned long PIXCfgParser::_tokenSet_13_data_[] = { 16UL, 0UL, 0UL, 49158UL, 0UL, 0UL, 0UL, 0UL };
+// "service" "icmp" OBJECT_GROUP "crypto" "dns" "no" "certificate" "PIX" 
+// "ASA" "hostname" "access-list" "ssh" "telnet" "interface" "controller" 
+// LINE_COMMENT "exit" "nameif" "access-group" COLON_COMMENT "global" "static" 
+const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgParser::_tokenSet_13(_tokenSet_13_data_,12);
+const unsigned long PIXCfgParser::_tokenSet_14_data_[] = { 16UL, 0UL, 0UL, 98316UL, 0UL, 0UL, 0UL, 0UL };
 // NEWLINE "log" "log-input" "fragments" "time-range" 
-const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgParser::_tokenSet_13(_tokenSet_13_data_,8);
-const unsigned long PIXCfgParser::_tokenSet_14_data_[] = { 16UL, 2052UL, 240UL, 0UL, 0UL, 0UL, 0UL, 0UL };
-// NEWLINE "range" "destination" "eq" "gt" "lt" "neq" 
 const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgParser::_tokenSet_14(_tokenSet_14_data_,8);
-const unsigned long PIXCfgParser::_tokenSet_15_data_[] = { 268437520UL, 6150UL, 2147487984UL, 49159UL, 0UL, 0UL, 0UL, 0UL };
+const unsigned long PIXCfgParser::_tokenSet_15_data_[] = { 16UL, 2052UL, 480UL, 0UL, 0UL, 0UL, 0UL, 0UL };
+// NEWLINE "range" "destination" "eq" "gt" "lt" "neq" 
+const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgParser::_tokenSet_15(_tokenSet_15_data_,8);
+const unsigned long PIXCfgParser::_tokenSet_16_data_[] = { 268437520UL, 6150UL, 8672UL, 98319UL, 0UL, 0UL, 0UL, 0UL };
 // NEWLINE IPV4 OBJECT "host" "range" "destination" OBJECT_GROUP "eq" "gt" 
 // "lt" "neq" "established" "interface" "any" "log" "log-input" "fragments" 
 // "time-range" 
-const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgParser::_tokenSet_15(_tokenSet_15_data_,8);
-const unsigned long PIXCfgParser::_tokenSet_16_data_[] = { 1342187378UL, 2814406689UL, 2147486720UL, 67960832UL, 835584UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL };
+const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgParser::_tokenSet_16(_tokenSet_16_data_,8);
+const unsigned long PIXCfgParser::_tokenSet_17_data_[] = { 1342187378UL, 1338011681UL, 6145UL, 135921665UL, 1769472UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL };
 // EOF NEWLINE "quit" "ip" "timeout" "names" "name" WORD OBJECT "nat" "description" 
-// "icmp" OBJECT_GROUP "group-object" "network-object" "crypto" "no" "certificate" 
-// "PIX" "ASA" "hostname" "access-list" "ssh" "telnet" "interface" "controller" 
-// LINE_COMMENT "exit" "nameif" "access-group" COLON_COMMENT "global" "static" 
-const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgParser::_tokenSet_16(_tokenSet_16_data_,12);
-const unsigned long PIXCfgParser::_tokenSet_17_data_[] = { 1342187378UL, 2814455841UL, 2147486720UL, 67960832UL, 835584UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL };
-// EOF NEWLINE "quit" "ip" "timeout" "names" "name" WORD OBJECT "nat" "description" 
-// "icmp" OBJECT_GROUP "group-object" "protocol-object" "crypto" "no" "certificate" 
-// "PIX" "ASA" "hostname" "access-list" "ssh" "telnet" "interface" "controller" 
-// LINE_COMMENT "exit" "nameif" "access-group" COLON_COMMENT "global" "static" 
+// "icmp" OBJECT_GROUP "group-object" "network-object" "crypto" "dns" "no" 
+// "certificate" "PIX" "ASA" "hostname" "access-list" "ssh" "telnet" "interface" 
+// "controller" LINE_COMMENT "exit" "nameif" "access-group" COLON_COMMENT 
+// "global" "static" 
 const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgParser::_tokenSet_17(_tokenSet_17_data_,12);
-const unsigned long PIXCfgParser::_tokenSet_18_data_[] = { 1342187378UL, 2814521377UL, 2147486720UL, 67960832UL, 835584UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL };
+const unsigned long PIXCfgParser::_tokenSet_18_data_[] = { 1342187378UL, 1338060833UL, 6145UL, 135921665UL, 1769472UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL };
 // EOF NEWLINE "quit" "ip" "timeout" "names" "name" WORD OBJECT "nat" "description" 
-// "icmp" OBJECT_GROUP "group-object" "icmp-object" "crypto" "no" "certificate" 
-// "PIX" "ASA" "hostname" "access-list" "ssh" "telnet" "interface" "controller" 
-// LINE_COMMENT "exit" "nameif" "access-group" COLON_COMMENT "global" "static" 
-const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgParser::_tokenSet_18(_tokenSet_18_data_,12);
-const unsigned long PIXCfgParser::_tokenSet_19_data_[] = { 1342187378UL, 2817536033UL, 2147486720UL, 67960832UL, 835584UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL };
-// EOF NEWLINE "quit" "ip" "timeout" "names" "name" WORD OBJECT "nat" "description" 
-// "icmp" OBJECT_GROUP "group-object" "service-object" "port-object" "crypto" 
+// "icmp" OBJECT_GROUP "group-object" "protocol-object" "crypto" "dns" 
 // "no" "certificate" "PIX" "ASA" "hostname" "access-list" "ssh" "telnet" 
 // "interface" "controller" LINE_COMMENT "exit" "nameif" "access-group" 
 // COLON_COMMENT "global" "static" 
+const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgParser::_tokenSet_18(_tokenSet_18_data_,12);
+const unsigned long PIXCfgParser::_tokenSet_19_data_[] = { 1342187378UL, 1338126369UL, 6145UL, 135921665UL, 1769472UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL };
+// EOF NEWLINE "quit" "ip" "timeout" "names" "name" WORD OBJECT "nat" "description" 
+// "icmp" OBJECT_GROUP "group-object" "icmp-object" "crypto" "dns" "no" 
+// "certificate" "PIX" "ASA" "hostname" "access-list" "ssh" "telnet" "interface" 
+// "controller" LINE_COMMENT "exit" "nameif" "access-group" COLON_COMMENT 
+// "global" "static" 
 const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgParser::_tokenSet_19(_tokenSet_19_data_,12);
-const unsigned long PIXCfgParser::_tokenSet_20_data_[] = { 268445712UL, 4166UL, 4294963696UL, 180231UL, 0UL, 0UL, 0UL, 0UL };
+const unsigned long PIXCfgParser::_tokenSet_20_data_[] = { 1342187378UL, 1341141025UL, 6145UL, 135921665UL, 1769472UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL };
+// EOF NEWLINE "quit" "ip" "timeout" "names" "name" WORD OBJECT "nat" "description" 
+// "icmp" OBJECT_GROUP "group-object" "service-object" "port-object" "crypto" 
+// "dns" "no" "certificate" "PIX" "ASA" "hostname" "access-list" "ssh" 
+// "telnet" "interface" "controller" LINE_COMMENT "exit" "nameif" "access-group" 
+// COLON_COMMENT "global" "static" 
+const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgParser::_tokenSet_20(_tokenSet_20_data_,12);
+const unsigned long PIXCfgParser::_tokenSet_21_data_[] = { 268445712UL, 4166UL, 4294960096UL, 360463UL, 0UL, 0UL, 0UL, 0UL };
 // NEWLINE IPV4 WORD OBJECT "host" "range" INT_CONST OBJECT_GROUP "eq" 
 // "gt" "lt" "neq" "echo" "established" "alternate-address" "conversion-error" 
 // "echo-reply" "information-reply" "information-request" "mask-reply" 
@@ -7034,87 +7027,100 @@ const unsigned long PIXCfgParser::_tokenSet_20_data_[] = { 268445712UL, 4166UL,
 // "router-solicitation" "source-quench" "time-exceeded" "timestamp-reply" 
 // "timestamp-request" "traceroute" "unreachable" "interface" "any" "log" 
 // "log-input" "fragments" "time-range" "outside" 
-const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgParser::_tokenSet_20(_tokenSet_20_data_,8);
-const unsigned long PIXCfgParser::_tokenSet_21_data_[] = { 268437504UL, 4098UL, 2147483648UL, 1UL, 0UL, 0UL, 0UL, 0UL };
-// IPV4 OBJECT "host" OBJECT_GROUP "interface" "any" 
 const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgParser::_tokenSet_21(_tokenSet_21_data_,8);
-const unsigned long PIXCfgParser::_tokenSet_22_data_[] = { 16UL, 0UL, 0UL, 16390UL, 0UL, 0UL, 0UL, 0UL };
-// NEWLINE "log" "log-input" "fragments" 
+const unsigned long PIXCfgParser::_tokenSet_22_data_[] = { 268437504UL, 4098UL, 0UL, 3UL, 0UL, 0UL, 0UL, 0UL };
+// IPV4 OBJECT "host" OBJECT_GROUP "interface" "any" 
 const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgParser::_tokenSet_22(_tokenSet_22_data_,8);
-const unsigned long PIXCfgParser::_tokenSet_23_data_[] = { 16UL, 0UL, 0UL, 6UL, 0UL, 0UL, 0UL, 0UL };
-// NEWLINE "log" "log-input" 
+const unsigned long PIXCfgParser::_tokenSet_23_data_[] = { 16UL, 0UL, 0UL, 32780UL, 0UL, 0UL, 0UL, 0UL };
+// NEWLINE "log" "log-input" "fragments" 
 const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgParser::_tokenSet_23(_tokenSet_23_data_,8);
-const unsigned long PIXCfgParser::_tokenSet_24_data_[] = { 268445712UL, 4100UL, 4336UL, 180230UL, 0UL, 0UL, 0UL, 0UL };
+const unsigned long PIXCfgParser::_tokenSet_24_data_[] = { 16UL, 0UL, 0UL, 12UL, 0UL, 0UL, 0UL, 0UL };
+// NEWLINE "log" "log-input" 
+const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgParser::_tokenSet_24(_tokenSet_24_data_,8);
+const unsigned long PIXCfgParser::_tokenSet_25_data_[] = { 268445712UL, 4100UL, 8672UL, 360460UL, 0UL, 0UL, 0UL, 0UL };
 // NEWLINE IPV4 WORD OBJECT "range" OBJECT_GROUP "eq" "gt" "lt" "neq" "established" 
 // "log" "log-input" "fragments" "time-range" "outside" 
-const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgParser::_tokenSet_24(_tokenSet_24_data_,8);
-const unsigned long PIXCfgParser::_tokenSet_25_data_[] = { 0UL, 4UL, 240UL, 0UL, 0UL, 0UL, 0UL, 0UL };
-// "range" "eq" "gt" "lt" "neq" 
 const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgParser::_tokenSet_25(_tokenSet_25_data_,8);
-const unsigned long PIXCfgParser::_tokenSet_26_data_[] = { 67117056UL, 536870976UL, 3840UL, 0UL, 0UL, 0UL, 0UL, 0UL };
-// WORD "pptp" INT_CONST "hostname" "echo" "rip" "ssh" "telnet" 
+const unsigned long PIXCfgParser::_tokenSet_26_data_[] = { 0UL, 4UL, 480UL, 0UL, 0UL, 0UL, 0UL, 0UL };
+// "range" "eq" "gt" "lt" "neq" 
 const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgParser::_tokenSet_26(_tokenSet_26_data_,8);
-const unsigned long PIXCfgParser::_tokenSet_27_data_[] = { 268435472UL, 4100UL, 4336UL, 49158UL, 0UL, 0UL, 0UL, 0UL };
+const unsigned long PIXCfgParser::_tokenSet_27_data_[] = { 67117056UL, 1073741888UL, 7680UL, 0UL, 0UL, 0UL, 0UL, 0UL };
+// WORD "pptp" INT_CONST "hostname" "echo" "rip" "ssh" "telnet" 
+const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgParser::_tokenSet_27(_tokenSet_27_data_,8);
+const unsigned long PIXCfgParser::_tokenSet_28_data_[] = { 268435472UL, 4100UL, 8672UL, 98316UL, 0UL, 0UL, 0UL, 0UL };
 // NEWLINE OBJECT "range" OBJECT_GROUP "eq" "gt" "lt" "neq" "established" 
 // "log" "log-input" "fragments" "time-range" 
-const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgParser::_tokenSet_27(_tokenSet_27_data_,8);
-const unsigned long PIXCfgParser::_tokenSet_28_data_[] = { 1409296242UL, 2814382180UL, 2147491824UL, 68026366UL, 835584UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL };
+const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgParser::_tokenSet_28(_tokenSet_28_data_,8);
+const unsigned long PIXCfgParser::_tokenSet_29_data_[] = { 1409296242UL, 1337987172UL, 16353UL, 136052733UL, 1769472UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL };
 // EOF NEWLINE "quit" "ip" "timeout" "names" "name" WORD "pptp" OBJECT 
-// "nat" "range" "icmp" INT_CONST OBJECT_GROUP "crypto" "no" "certificate" 
+// "nat" "range" "icmp" INT_CONST OBJECT_GROUP "crypto" "dns" "no" "certificate" 
 // "PIX" "ASA" "hostname" "access-list" "eq" "gt" "lt" "neq" "echo" "rip" 
 // "ssh" "telnet" "established" "interface" "log" "log-input" "alerts" 
 // "critical" "debugging" "emergencies" "errors" "informational" "notifications" 
 // "warnings" "disable" "inactive" "interval" "fragments" "time-range" 
 // "controller" LINE_COMMENT "exit" "nameif" "access-group" COLON_COMMENT 
 // "global" "static" 
-const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgParser::_tokenSet_28(_tokenSet_28_data_,12);
-const unsigned long PIXCfgParser::_tokenSet_29_data_[] = { 1409296242UL, 2814382176UL, 2147487488UL, 68026366UL, 835584UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL };
+const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgParser::_tokenSet_29(_tokenSet_29_data_,12);
+const unsigned long PIXCfgParser::_tokenSet_30_data_[] = { 1409296242UL, 1337987168UL, 7681UL, 136052733UL, 1769472UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL };
 // EOF NEWLINE "quit" "ip" "timeout" "names" "name" WORD "pptp" OBJECT 
-// "nat" "icmp" INT_CONST OBJECT_GROUP "crypto" "no" "certificate" "PIX" 
-// "ASA" "hostname" "access-list" "echo" "rip" "ssh" "telnet" "interface" 
+// "nat" "icmp" INT_CONST OBJECT_GROUP "crypto" "dns" "no" "certificate" 
+// "PIX" "ASA" "hostname" "access-list" "echo" "rip" "ssh" "telnet" "interface" 
 // "log" "log-input" "alerts" "critical" "debugging" "emergencies" "errors" 
 // "informational" "notifications" "warnings" "disable" "inactive" "interval" 
 // "fragments" "time-range" "controller" LINE_COMMENT "exit" "nameif" "access-group" 
 // COLON_COMMENT "global" "static" 
-const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgParser::_tokenSet_29(_tokenSet_29_data_,12);
-const unsigned long PIXCfgParser::_tokenSet_30_data_[] = { 268437504UL, 4102UL, 2147483888UL, 1UL, 0UL, 0UL, 0UL, 0UL };
+const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgParser::_tokenSet_30(_tokenSet_30_data_,12);
+const unsigned long PIXCfgParser::_tokenSet_31_data_[] = { 268437504UL, 4102UL, 480UL, 3UL, 0UL, 0UL, 0UL, 0UL };
 // IPV4 OBJECT "host" "range" OBJECT_GROUP "eq" "gt" "lt" "neq" "interface" 
 // "any" 
-const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgParser::_tokenSet_30(_tokenSet_30_data_,8);
-const unsigned long PIXCfgParser::_tokenSet_31_data_[] = { 335554576UL, 536875076UL, 8176UL, 180230UL, 0UL, 0UL, 0UL, 0UL };
+const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgParser::_tokenSet_31(_tokenSet_31_data_,8);
+const unsigned long PIXCfgParser::_tokenSet_32_data_[] = { 335554576UL, 1073745988UL, 16352UL, 360460UL, 0UL, 0UL, 0UL, 0UL };
 // NEWLINE IPV4 WORD "pptp" OBJECT "range" INT_CONST OBJECT_GROUP "hostname" 
 // "eq" "gt" "lt" "neq" "echo" "rip" "ssh" "telnet" "established" "log" 
 // "log-input" "fragments" "time-range" "outside" 
-const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgParser::_tokenSet_31(_tokenSet_31_data_,8);
-const unsigned long PIXCfgParser::_tokenSet_32_data_[] = { 335554576UL, 2684361542UL, 2147491824UL, 49159UL, 2097152UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL };
-// NEWLINE IPV4 WORD "pptp" OBJECT "host" "range" INT_CONST "tcp" "udp" 
-// "destination" OBJECT_GROUP "hostname" "access-list" "eq" "gt" "lt" "neq" 
-// "echo" "rip" "ssh" "telnet" "established" "interface" "any" "log" "log-input" 
-// "fragments" "time-range" NETMASK 
-const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgParser::_tokenSet_32(_tokenSet_32_data_,12);
-const unsigned long PIXCfgParser::_tokenSet_33_data_[] = { 42205248UL, 8388609UL, 512UL, 4227858432UL, 2303UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL };
+const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgParser::_tokenSet_32(_tokenSet_32_data_,8);
+const unsigned long PIXCfgParser::_tokenSet_33_data_[] = { 335558672UL, 1082137414UL, 16353UL, 98319UL, 12582912UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL };
+// NEWLINE IPV4 IPV6 WORD "pptp" OBJECT "host" "range" INT_CONST "tcp" 
+// "udp" "destination" OBJECT_GROUP "dns" "hostname" "access-list" "eq" 
+// "gt" "lt" "neq" "echo" "rip" "ssh" "telnet" "established" "interface" 
+// "any" "log" "log-input" "fragments" "time-range" "norandomseq" "netmask" 
+const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgParser::_tokenSet_33(_tokenSet_33_data_,12);
+const unsigned long PIXCfgParser::_tokenSet_34_data_[] = { 42205248UL, 16777217UL, 1024UL, 4160749568UL, 4607UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL };
 // "ip" "igmp" "ospf" "pim" "description" "no" "rip" "nameif" "vlan" "speed" 
 // "duplex" "ddns" "forward" "delay" "hold-time" "ipv6" "mac-address" "multicast" 
 // PPPOE "security-level" "shutdown" "switchport" 
-const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgParser::_tokenSet_33(_tokenSet_33_data_,12);
-const unsigned long PIXCfgParser::_tokenSet_34_data_[] = { 42205248UL, 8388609UL, 512UL, 4228644864UL, 2303UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL };
+const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgParser::_tokenSet_34(_tokenSet_34_data_,12);
+const unsigned long PIXCfgParser::_tokenSet_35_data_[] = { 42205248UL, 16777217UL, 1024UL, 4162322432UL, 4607UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL };
 // "ip" "igmp" "ospf" "pim" "description" "no" "rip" LINE_COMMENT "exit" 
 // "nameif" "vlan" "speed" "duplex" "ddns" "forward" "delay" "hold-time" 
 // "ipv6" "mac-address" "multicast" PPPOE "security-level" "shutdown" "switchport" 
-const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgParser::_tokenSet_34(_tokenSet_34_data_,12);
-const unsigned long PIXCfgParser::_tokenSet_35_data_[] = { 8192UL, 0UL, 0UL, 131072UL, 0UL, 0UL, 0UL, 0UL };
+const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgParser::_tokenSet_35(_tokenSet_35_data_,12);
+const unsigned long PIXCfgParser::_tokenSet_36_data_[] = { 8192UL, 0UL, 0UL, 262144UL, 0UL, 0UL, 0UL, 0UL };
 // WORD "outside" 
-const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgParser::_tokenSet_35(_tokenSet_35_data_,8);
-const unsigned long PIXCfgParser::_tokenSet_36_data_[] = { 0UL, 832UL, 0UL, 131072UL, 131072UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL };
-// INT_CONST "tcp" "udp" "outside" DNS 
-const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgParser::_tokenSet_36(_tokenSet_36_data_,12);
-const unsigned long PIXCfgParser::_tokenSet_37_data_[] = { 67117056UL, 2684354626UL, 3840UL, 0UL, 0UL, 0UL, 0UL, 0UL };
-// WORD "pptp" "host" INT_CONST "hostname" "access-list" "echo" "rip" "ssh" 
-// "telnet" 
+const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgParser::_tokenSet_36(_tokenSet_36_data_,8);
+const unsigned long PIXCfgParser::_tokenSet_37_data_[] = { 0UL, 8389440UL, 0UL, 262144UL, 0UL, 0UL, 0UL, 0UL };
+// INT_CONST "tcp" "udp" "dns" "outside" 
 const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgParser::_tokenSet_37(_tokenSet_37_data_,8);
-const unsigned long PIXCfgParser::_tokenSet_38_data_[] = { 67117056UL, 536871744UL, 3840UL, 0UL, 2097152UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL };
-// WORD "pptp" INT_CONST "tcp" "udp" "hostname" "echo" "rip" "ssh" "telnet" 
-// NETMASK 
+const unsigned long PIXCfgParser::_tokenSet_38_data_[] = { 0UL, 8389440UL, 0UL, 0UL, 12582912UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL };
+// INT_CONST "tcp" "udp" "dns" "norandomseq" "netmask" 
 const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgParser::_tokenSet_38(_tokenSet_38_data_,12);
+const unsigned long PIXCfgParser::_tokenSet_39_data_[] = { 67123200UL, 1073741888UL, 7681UL, 0UL, 0UL, 0UL, 0UL, 0UL };
+// IPV4 IPV6 WORD "pptp" INT_CONST "hostname" "access-list" "echo" "rip" 
+// "ssh" "telnet" 
+const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgParser::_tokenSet_39(_tokenSet_39_data_,8);
+const unsigned long PIXCfgParser::_tokenSet_40_data_[] = { 67117072UL, 1082131264UL, 7680UL, 0UL, 12582912UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL };
+// NEWLINE WORD "pptp" INT_CONST "tcp" "udp" "dns" "hostname" "echo" "rip" 
+// "ssh" "telnet" "norandomseq" "netmask" 
+const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgParser::_tokenSet_40(_tokenSet_40_data_,12);
+const unsigned long PIXCfgParser::_tokenSet_41_data_[] = { 16UL, 8389440UL, 0UL, 0UL, 12582912UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL };
+// NEWLINE INT_CONST "tcp" "udp" "dns" "norandomseq" "netmask" 
+const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgParser::_tokenSet_41(_tokenSet_41_data_,12);
+const unsigned long PIXCfgParser::_tokenSet_42_data_[] = { 1342189426UL, 1337987936UL, 6145UL, 135921665UL, 14352384UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL };
+// EOF NEWLINE "quit" "ip" "timeout" "names" "name" IPV4 WORD OBJECT "nat" 
+// "icmp" INT_CONST "tcp" "udp" OBJECT_GROUP "crypto" "dns" "no" "certificate" 
+// "PIX" "ASA" "hostname" "access-list" "ssh" "telnet" "interface" "controller" 
+// LINE_COMMENT "exit" "nameif" "access-group" COLON_COMMENT "global" "static" 
+// "norandomseq" "netmask" 
+const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgParser::_tokenSet_42(_tokenSet_42_data_,12);
 
 
diff --git a/src/parsers/PIXCfgParser.hpp b/src/parsers/PIXCfgParser.hpp
index 347f5f01d..235752d85 100644
--- a/src/parsers/PIXCfgParser.hpp
+++ b/src/parsers/PIXCfgParser.hpp
@@ -120,6 +120,7 @@ public:
 	public: void crypto();
 	public: void no_commands();
 	public: void timeout_command();
+	public: void dns_command();
 	public: void unknown_command();
 	public: void ip_protocol_names();
 	public: void named_object_nat();
@@ -129,6 +130,7 @@ public:
 	public: void range_addr();
 	public: void subnet_addr();
 	public: void interface_label();
+	public: void single_addr();
 	public: void named_object_service_parameters();
 	public: void service_icmp();
 	public: void service_icmp6();
@@ -215,10 +217,10 @@ protected:
 private:
 	static const char* tokenNames[];
 #ifndef NO_STATIC_CONSTS
-	static const int NUM_TOKENS = 184;
+	static const int NUM_TOKENS = 185;
 #else
 	enum {
-		NUM_TOKENS = 184
+		NUM_TOKENS = 185
 	};
 #endif
 	
@@ -300,6 +302,14 @@ private:
 	static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_37;
 	static const unsigned long _tokenSet_38_data_[];
 	static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_38;
+	static const unsigned long _tokenSet_39_data_[];
+	static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_39;
+	static const unsigned long _tokenSet_40_data_[];
+	static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_40;
+	static const unsigned long _tokenSet_41_data_[];
+	static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_41;
+	static const unsigned long _tokenSet_42_data_[];
+	static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_42;
 };
 
 #endif /*INC_PIXCfgParser_hpp_*/
diff --git a/src/parsers/PIXCfgParserTokenTypes.hpp b/src/parsers/PIXCfgParserTokenTypes.hpp
index 9b4f6e7fb..8560d05ed 100644
--- a/src/parsers/PIXCfgParserTokenTypes.hpp
+++ b/src/parsers/PIXCfgParserTokenTypes.hpp
@@ -63,135 +63,136 @@ struct CUSTOM_API PIXCfgParserTokenTypes {
 		SERVICE_OBJECT = 52,
 		PORT_OBJECT = 53,
 		CRYPTO = 54,
-		NO = 55,
-		CERTIFICATE = 56,
-		PIX_WORD = 57,
-		ASA_WORD = 58,
-		VERSION_WORD = 59,
-		NUMBER = 60,
-		HOSTNAME = 61,
-		STRING = 62,
-		ACCESS_LIST = 63,
-		EXTENDED = 64,
-		PERMIT = 65,
-		DENY = 66,
-		STANDARD = 67,
-		P_EQ = 68,
-		P_GT = 69,
-		P_LT = 70,
-		P_NEQ = 71,
-		ECHO = 72,
-		RIP = 73,
-		SSH = 74,
-		TELNET = 75,
-		ESTABLISHED = 76,
-		ALTERNATE_ADDRESS = 77,
-		CONVERSION_ERROR = 78,
-		ECHO_REPLY = 79,
-		INFORMATION_REPLY = 80,
-		INFORMATION_REQUEST = 81,
-		MASK_REPLY = 82,
-		MASK_REQUEST = 83,
-		MOBILE_REDIRECT = 84,
-		PARAMETER_PROBLEM = 85,
-		REDIRECT = 86,
-		ROUTER_ADVERTISEMENT = 87,
-		ROUTER_SOLICITATION = 88,
-		SOURCE_QUENCH = 89,
-		TIME_EXCEEDED = 90,
-		TIMESTAMP_REPLY = 91,
-		TIMESTAMP_REQUEST = 92,
-		TRACEROUTE = 93,
-		UNREACHABLE = 94,
-		INTRFACE = 95,
-		ANY = 96,
-		LOG = 97,
-		LOG_INPUT = 98,
-		LOG_LEVEL_ALERTS = 99,
-		LOG_LEVEL_CRITICAL = 100,
-		LOG_LEVEL_DEBUGGING = 101,
-		LOG_LEVEL_EMERGENCIES = 102,
-		LOG_LEVEL_ERRORS = 103,
-		LOG_LEVEL_INFORMATIONAL = 104,
-		LOG_LEVEL_NOTIFICATIONS = 105,
-		LOG_LEVEL_WARNINGS = 106,
-		LOG_LEVEL_DISABLE = 107,
-		LOG_LEVEL_INACTIVE = 108,
-		INTERVAL = 109,
-		FRAGMENTS = 110,
-		TIME_RANGE = 111,
-		CONTROLLER = 112,
-		OUTSIDE = 113,
-		LINE_COMMENT = 114,
-		EXIT = 115,
-		AUI = 116,
-		AUTO = 117,
-		BNC = 118,
-		FULL = 119,
-		BASET = 120,
-		BASETX = 121,
-		NAMEIF = 122,
-		VLAN = 123,
-		SPEED = 124,
-		DUPLEX = 125,
-		DDNS = 126,
-		FORWARD = 127,
-		DELAY = 128,
-		HOLD_TIME = 129,
-		IPV6_C = 130,
-		MAC_ADDRESS = 131,
-		MULTICAST = 132,
-		PPPOE = 133,
-		SEC_LEVEL = 134,
-		SHUTDOWN = 135,
-		ADDRESS = 136,
-		DHCP = 137,
-		STANDBY = 138,
-		SWITCHPORT = 139,
-		ACCESS = 140,
-		REMARK = 141,
-		ACCESS_GROUP = 142,
-		COLON_COMMENT = 143,
-		CLOSING_PAREN = 144,
-		DNS = 145,
-		GLOBAL = 146,
-		STATIC = 147,
-		COMMA = 148,
-		NETMASK = 149,
-		IPv4 = 150,
-		SECONDARY = 151,
-		SETROUTE = 152,
-		Whitespace = 153,
-		HEX_CONST = 154,
-		NEG_INT_CONST = 155,
-		DIGIT = 156,
-		HEXDIGIT = 157,
-		NUMBER_ADDRESS_OR_WORD = 158,
-		PIPE_CHAR = 159,
-		NUMBER_SIGN = 160,
-		PERCENT = 161,
-		AMPERSAND = 162,
-		APOSTROPHE = 163,
-		STAR = 164,
-		PLUS = 165,
-		MINUS = 166,
-		DOT = 167,
-		SLASH = 168,
-		COLON = 169,
-		SEMICOLON = 170,
-		LESS_THAN = 171,
-		EQUALS = 172,
-		GREATER_THAN = 173,
-		QUESTION = 174,
-		COMMERCIAL_AT = 175,
-		OPENING_SQUARE = 176,
-		CLOSING_SQUARE = 177,
-		CARET = 178,
-		UNDERLINE = 179,
-		OPENING_BRACE = 180,
-		CLOSING_BRACE = 181,
-		TILDE = 182,
-		EXLAMATION = 183,
+		DNS = 55,
+		NO = 56,
+		CERTIFICATE = 57,
+		PIX_WORD = 58,
+		ASA_WORD = 59,
+		VERSION_WORD = 60,
+		NUMBER = 61,
+		HOSTNAME = 62,
+		STRING = 63,
+		ACCESS_LIST = 64,
+		EXTENDED = 65,
+		PERMIT = 66,
+		DENY = 67,
+		STANDARD = 68,
+		P_EQ = 69,
+		P_GT = 70,
+		P_LT = 71,
+		P_NEQ = 72,
+		ECHO = 73,
+		RIP = 74,
+		SSH = 75,
+		TELNET = 76,
+		ESTABLISHED = 77,
+		ALTERNATE_ADDRESS = 78,
+		CONVERSION_ERROR = 79,
+		ECHO_REPLY = 80,
+		INFORMATION_REPLY = 81,
+		INFORMATION_REQUEST = 82,
+		MASK_REPLY = 83,
+		MASK_REQUEST = 84,
+		MOBILE_REDIRECT = 85,
+		PARAMETER_PROBLEM = 86,
+		REDIRECT = 87,
+		ROUTER_ADVERTISEMENT = 88,
+		ROUTER_SOLICITATION = 89,
+		SOURCE_QUENCH = 90,
+		TIME_EXCEEDED = 91,
+		TIMESTAMP_REPLY = 92,
+		TIMESTAMP_REQUEST = 93,
+		TRACEROUTE = 94,
+		UNREACHABLE = 95,
+		INTRFACE = 96,
+		ANY = 97,
+		LOG = 98,
+		LOG_INPUT = 99,
+		LOG_LEVEL_ALERTS = 100,
+		LOG_LEVEL_CRITICAL = 101,
+		LOG_LEVEL_DEBUGGING = 102,
+		LOG_LEVEL_EMERGENCIES = 103,
+		LOG_LEVEL_ERRORS = 104,
+		LOG_LEVEL_INFORMATIONAL = 105,
+		LOG_LEVEL_NOTIFICATIONS = 106,
+		LOG_LEVEL_WARNINGS = 107,
+		LOG_LEVEL_DISABLE = 108,
+		LOG_LEVEL_INACTIVE = 109,
+		INTERVAL = 110,
+		FRAGMENTS = 111,
+		TIME_RANGE = 112,
+		CONTROLLER = 113,
+		OUTSIDE = 114,
+		LINE_COMMENT = 115,
+		EXIT = 116,
+		AUI = 117,
+		AUTO = 118,
+		BNC = 119,
+		FULL = 120,
+		BASET = 121,
+		BASETX = 122,
+		NAMEIF = 123,
+		VLAN = 124,
+		SPEED = 125,
+		DUPLEX = 126,
+		DDNS = 127,
+		FORWARD = 128,
+		DELAY = 129,
+		HOLD_TIME = 130,
+		IPV6_C = 131,
+		MAC_ADDRESS = 132,
+		MULTICAST = 133,
+		PPPOE = 134,
+		SEC_LEVEL = 135,
+		SHUTDOWN = 136,
+		ADDRESS = 137,
+		DHCP = 138,
+		STANDBY = 139,
+		SWITCHPORT = 140,
+		ACCESS = 141,
+		SCOPY = 142,
+		REMARK = 143,
+		ACCESS_GROUP = 144,
+		COLON_COMMENT = 145,
+		CLOSING_PAREN = 146,
+		GLOBAL = 147,
+		STATIC = 148,
+		COMMA = 149,
+		NORANDOMSEQ = 150,
+		NETMASK = 151,
+		SECONDARY = 152,
+		SETROUTE = 153,
+		Whitespace = 154,
+		HEX_CONST = 155,
+		NEG_INT_CONST = 156,
+		DIGIT = 157,
+		HEXDIGIT = 158,
+		NUMBER_ADDRESS_OR_WORD = 159,
+		PIPE_CHAR = 160,
+		NUMBER_SIGN = 161,
+		PERCENT = 162,
+		AMPERSAND = 163,
+		APOSTROPHE = 164,
+		STAR = 165,
+		PLUS = 166,
+		MINUS = 167,
+		DOT = 168,
+		SLASH = 169,
+		COLON = 170,
+		SEMICOLON = 171,
+		LESS_THAN = 172,
+		EQUALS = 173,
+		GREATER_THAN = 174,
+		QUESTION = 175,
+		COMMERCIAL_AT = 176,
+		OPENING_SQUARE = 177,
+		CLOSING_SQUARE = 178,
+		CARET = 179,
+		UNDERLINE = 180,
+		OPENING_BRACE = 181,
+		CLOSING_BRACE = 182,
+		TILDE = 183,
+		EXLAMATION = 184,
 		NULL_TREE_LOOKAHEAD = 3
 	};
 #ifdef __cplusplus
diff --git a/src/parsers/PIXCfgParserTokenTypes.txt b/src/parsers/PIXCfgParserTokenTypes.txt
index f9f9a9d41..0ed908a3b 100644
--- a/src/parsers/PIXCfgParserTokenTypes.txt
+++ b/src/parsers/PIXCfgParserTokenTypes.txt
@@ -51,132 +51,133 @@ TCP_UDP="tcp-udp"=51
 SERVICE_OBJECT="service-object"=52
 PORT_OBJECT="port-object"=53
 CRYPTO="crypto"=54
-NO="no"=55
-CERTIFICATE="certificate"=56
-PIX_WORD="PIX"=57
-ASA_WORD="ASA"=58
-VERSION_WORD="Version"=59
-NUMBER=60
-HOSTNAME="hostname"=61
-STRING=62
-ACCESS_LIST="access-list"=63
-EXTENDED="extended"=64
-PERMIT="permit"=65
-DENY="deny"=66
-STANDARD="standard"=67
-P_EQ="eq"=68
-P_GT="gt"=69
-P_LT="lt"=70
-P_NEQ="neq"=71
-ECHO="echo"=72
-RIP="rip"=73
-SSH="ssh"=74
-TELNET="telnet"=75
-ESTABLISHED="established"=76
-ALTERNATE_ADDRESS="alternate-address"=77
-CONVERSION_ERROR="conversion-error"=78
-ECHO_REPLY="echo-reply"=79
-INFORMATION_REPLY="information-reply"=80
-INFORMATION_REQUEST="information-request"=81
-MASK_REPLY="mask-reply"=82
-MASK_REQUEST="mask-request"=83
-MOBILE_REDIRECT="mobile-redirect"=84
-PARAMETER_PROBLEM="parameter-problem"=85
-REDIRECT="redirect"=86
-ROUTER_ADVERTISEMENT="router-advertisement"=87
-ROUTER_SOLICITATION="router-solicitation"=88
-SOURCE_QUENCH="source-quench"=89
-TIME_EXCEEDED="time-exceeded"=90
-TIMESTAMP_REPLY="timestamp-reply"=91
-TIMESTAMP_REQUEST="timestamp-request"=92
-TRACEROUTE="traceroute"=93
-UNREACHABLE="unreachable"=94
-INTRFACE="interface"=95
-ANY="any"=96
-LOG="log"=97
-LOG_INPUT="log-input"=98
-LOG_LEVEL_ALERTS="alerts"=99
-LOG_LEVEL_CRITICAL="critical"=100
-LOG_LEVEL_DEBUGGING="debugging"=101
-LOG_LEVEL_EMERGENCIES="emergencies"=102
-LOG_LEVEL_ERRORS="errors"=103
-LOG_LEVEL_INFORMATIONAL="informational"=104
-LOG_LEVEL_NOTIFICATIONS="notifications"=105
-LOG_LEVEL_WARNINGS="warnings"=106
-LOG_LEVEL_DISABLE="disable"=107
-LOG_LEVEL_INACTIVE="inactive"=108
-INTERVAL="interval"=109
-FRAGMENTS="fragments"=110
-TIME_RANGE="time-range"=111
-CONTROLLER="controller"=112
-OUTSIDE="outside"=113
-LINE_COMMENT=114
-EXIT="exit"=115
-AUI="aui"=116
-AUTO="auto"=117
-BNC="bnc"=118
-FULL="full"=119
-BASET="baseT"=120
-BASETX="baseTX"=121
-NAMEIF="nameif"=122
-VLAN="vlan"=123
-SPEED="speed"=124
-DUPLEX="duplex"=125
-DDNS="ddns"=126
-FORWARD="forward"=127
-DELAY="delay"=128
-HOLD_TIME="hold-time"=129
-IPV6_C="ipv6"=130
-MAC_ADDRESS="mac-address"=131
-MULTICAST="multicast"=132
-PPPOE=133
-SEC_LEVEL="security-level"=134
-SHUTDOWN="shutdown"=135
-ADDRESS="address"=136
-DHCP="dhcp"=137
-STANDBY="standby"=138
-SWITCHPORT="switchport"=139
-ACCESS="access"=140
-REMARK="remark"=141
-ACCESS_GROUP="access-group"=142
-COLON_COMMENT=143
-CLOSING_PAREN=144
-DNS=145
-GLOBAL="global"=146
-STATIC="static"=147
-COMMA=148
-NETMASK=149
-IPv4=150
-SECONDARY="secondary"=151
-SETROUTE="setroute"=152
-Whitespace=153
-HEX_CONST=154
-NEG_INT_CONST=155
-DIGIT=156
-HEXDIGIT=157
-NUMBER_ADDRESS_OR_WORD=158
-PIPE_CHAR=159
-NUMBER_SIGN=160
-PERCENT=161
-AMPERSAND=162
-APOSTROPHE=163
-STAR=164
-PLUS=165
-MINUS=166
-DOT=167
-SLASH=168
-COLON=169
-SEMICOLON=170
-LESS_THAN=171
-EQUALS=172
-GREATER_THAN=173
-QUESTION=174
-COMMERCIAL_AT=175
-OPENING_SQUARE=176
-CLOSING_SQUARE=177
-CARET=178
-UNDERLINE=179
-OPENING_BRACE=180
-CLOSING_BRACE=181
-TILDE=182
-EXLAMATION=183
+DNS="dns"=55
+NO="no"=56
+CERTIFICATE="certificate"=57
+PIX_WORD="PIX"=58
+ASA_WORD="ASA"=59
+VERSION_WORD="Version"=60
+NUMBER=61
+HOSTNAME="hostname"=62
+STRING=63
+ACCESS_LIST="access-list"=64
+EXTENDED="extended"=65
+PERMIT="permit"=66
+DENY="deny"=67
+STANDARD="standard"=68
+P_EQ="eq"=69
+P_GT="gt"=70
+P_LT="lt"=71
+P_NEQ="neq"=72
+ECHO="echo"=73
+RIP="rip"=74
+SSH="ssh"=75
+TELNET="telnet"=76
+ESTABLISHED="established"=77
+ALTERNATE_ADDRESS="alternate-address"=78
+CONVERSION_ERROR="conversion-error"=79
+ECHO_REPLY="echo-reply"=80
+INFORMATION_REPLY="information-reply"=81
+INFORMATION_REQUEST="information-request"=82
+MASK_REPLY="mask-reply"=83
+MASK_REQUEST="mask-request"=84
+MOBILE_REDIRECT="mobile-redirect"=85
+PARAMETER_PROBLEM="parameter-problem"=86
+REDIRECT="redirect"=87
+ROUTER_ADVERTISEMENT="router-advertisement"=88
+ROUTER_SOLICITATION="router-solicitation"=89
+SOURCE_QUENCH="source-quench"=90
+TIME_EXCEEDED="time-exceeded"=91
+TIMESTAMP_REPLY="timestamp-reply"=92
+TIMESTAMP_REQUEST="timestamp-request"=93
+TRACEROUTE="traceroute"=94
+UNREACHABLE="unreachable"=95
+INTRFACE="interface"=96
+ANY="any"=97
+LOG="log"=98
+LOG_INPUT="log-input"=99
+LOG_LEVEL_ALERTS="alerts"=100
+LOG_LEVEL_CRITICAL="critical"=101
+LOG_LEVEL_DEBUGGING="debugging"=102
+LOG_LEVEL_EMERGENCIES="emergencies"=103
+LOG_LEVEL_ERRORS="errors"=104
+LOG_LEVEL_INFORMATIONAL="informational"=105
+LOG_LEVEL_NOTIFICATIONS="notifications"=106
+LOG_LEVEL_WARNINGS="warnings"=107
+LOG_LEVEL_DISABLE="disable"=108
+LOG_LEVEL_INACTIVE="inactive"=109
+INTERVAL="interval"=110
+FRAGMENTS="fragments"=111
+TIME_RANGE="time-range"=112
+CONTROLLER="controller"=113
+OUTSIDE="outside"=114
+LINE_COMMENT=115
+EXIT="exit"=116
+AUI="aui"=117
+AUTO="auto"=118
+BNC="bnc"=119
+FULL="full"=120
+BASET="baseT"=121
+BASETX="baseTX"=122
+NAMEIF="nameif"=123
+VLAN="vlan"=124
+SPEED="speed"=125
+DUPLEX="duplex"=126
+DDNS="ddns"=127
+FORWARD="forward"=128
+DELAY="delay"=129
+HOLD_TIME="hold-time"=130
+IPV6_C="ipv6"=131
+MAC_ADDRESS="mac-address"=132
+MULTICAST="multicast"=133
+PPPOE=134
+SEC_LEVEL="security-level"=135
+SHUTDOWN="shutdown"=136
+ADDRESS="address"=137
+DHCP="dhcp"=138
+STANDBY="standby"=139
+SWITCHPORT="switchport"=140
+ACCESS="access"=141
+SCOPY="scopy"=142
+REMARK="remark"=143
+ACCESS_GROUP="access-group"=144
+COLON_COMMENT=145
+CLOSING_PAREN=146
+GLOBAL="global"=147
+STATIC="static"=148
+COMMA=149
+NORANDOMSEQ="norandomseq"=150
+NETMASK="netmask"=151
+SECONDARY="secondary"=152
+SETROUTE="setroute"=153
+Whitespace=154
+HEX_CONST=155
+NEG_INT_CONST=156
+DIGIT=157
+HEXDIGIT=158
+NUMBER_ADDRESS_OR_WORD=159
+PIPE_CHAR=160
+NUMBER_SIGN=161
+PERCENT=162
+AMPERSAND=163
+APOSTROPHE=164
+STAR=165
+PLUS=166
+MINUS=167
+DOT=168
+SLASH=169
+COLON=170
+SEMICOLON=171
+LESS_THAN=172
+EQUALS=173
+GREATER_THAN=174
+QUESTION=175
+COMMERCIAL_AT=176
+OPENING_SQUARE=177
+CLOSING_SQUARE=178
+CARET=179
+UNDERLINE=180
+OPENING_BRACE=181
+CLOSING_BRACE=182
+TILDE=183
+EXLAMATION=184
diff --git a/src/parsers/pix.g b/src/parsers/pix.g
index 59dc56906..5b902a007 100644
--- a/src/parsers/pix.g
+++ b/src/parsers/pix.g
@@ -174,6 +174,8 @@ cfgfile :
             no_commands
         |
             timeout_command
+        |
+            dns_command
         |
             unknown_command
         |
@@ -299,7 +301,10 @@ named_object_description : DESCRIPTION
         }
     ;
 
-host_addr : (HOST (h:IPV4 | v6:IPV6))
+host_addr : HOST single_addr
+    ;
+
+single_addr : (h:IPV4 | v6:IPV6)
         {
             importer->setCurrentLineNumber(LT(0)->getLine());
             if (h)
@@ -802,6 +807,13 @@ unknown_command : WORD
         }
     ;
 
+//****************************************************************
+dns_command : DNS
+        {
+            consumeUntil(NEWLINE);
+        }
+    ;
+
 //****************************************************************
 no_commands : NO
         {
@@ -1635,7 +1647,13 @@ ssh_command : SSH
             importer->clear();
         }
         (
-            ( TIMEOUT INT_CONST ) |
+            ( TIMEOUT INT_CONST ) 
+            {
+                // set ssh timeout here
+            }
+        |
+            SCOPY
+        |
             (
                 hostaddr_expr
                 {
@@ -1895,16 +1913,21 @@ global_top_level_command :
     ;
 
 static_top_level_command :
-        STATIC OPENING_PAREN prenat_intf:WORD
-        COMMA postnat_intf:WORD CLOSING_PAREN
+        STATIC
         {
             importer->clear();
+        }
+        OPENING_PAREN 
+        interface_label { importer->prenat_interface = LT(0)->getText(); }
+        COMMA
+        interface_label { importer->postnat_interface = LT(0)->getText(); }
+        CLOSING_PAREN
+        {
             importer->setCurrentLineNumber(LT(0)->getLine());
             importer->newUnidirRuleSet("nat", libfwbuilder::NAT::TYPENAME );
-            *dbg << " DNAT rule " << std::endl;
+            importer->newNATRule();
+            *dbg << " DNAT rule ";
             importer->rule_type = libfwbuilder::NATRule::DNAT;
-            importer->prenat_interface = prenat_intf->getText();
-            importer->postnat_interface = postnat_intf->getText();
         }
         //  Hostname or A.B.C.D  Global or mapped address
         //  interface            Global address overload from interface
@@ -1918,6 +1941,7 @@ static_top_level_command :
         NEWLINE
         {
             importer->pushNATRule();
+            *dbg << std::endl;
         }
     ;
 
@@ -1929,12 +1953,12 @@ static_starts_with_hostaddr :
 
         static_real_addr_match
 
-        static_command_common_last_parameters
+        ( static_command_common_last_parameters )*
     ;
 
 static_mapped_addr_match :
         (
-            host_addr
+            single_addr
             {
                 importer->mapped_a = importer->tmp_a;
                 importer->mapped_nm = importer->tmp_nm;
@@ -1950,7 +1974,7 @@ static_mapped_addr_match :
 
 static_real_addr_match :
         (   
-            host_addr   // real
+            single_addr   // real
             {
                 importer->real_a = importer->tmp_a;
                 importer->real_nm = importer->tmp_nm;
@@ -1966,7 +1990,7 @@ static_real_addr_match :
 static_starts_with_tcp_udp : ( TCP | UDP )
         {
             importer->protocol = LT(0)->getText();
-            *dbg << " SERVICE TCP/UDP" << LT(0)->getText() << " ";
+            *dbg << " SERVICE TCP/UDP " << LT(0)->getText() << " ";
         }
         //  Hostname or A.B.C.D  Global or mapped address
         //  interface            Global address overload from interface
@@ -1980,7 +2004,7 @@ static_starts_with_tcp_udp : ( TCP | UDP )
         tcp_udp_port_spec
         {
             importer->mapped_port_spec = importer->tmp_port_spec_2;
-            *dbg << "mapped port " << importer->mapped_port_spec;
+            *dbg << "mapped port " << importer->mapped_port_spec << " ";
         }
 
         // Hostname or A.B.C.D  Real IP address of the host or hosts
@@ -1995,10 +2019,10 @@ static_starts_with_tcp_udp : ( TCP | UDP )
         tcp_udp_port_spec
         {
             importer->real_port_spec = importer->tmp_port_spec_2;
-            *dbg << "real port " << importer->real_port_spec;
+            *dbg << "real port " << importer->real_port_spec << " ";
         }
 
-        static_command_common_last_parameters
+        ( static_command_common_last_parameters )*
     ;
 
 static_command_common_last_parameters :
@@ -2008,17 +2032,26 @@ static_command_common_last_parameters :
         //  norandomseq  Disable TCP sequence number randomization
         //  tcp          Configure TCP specific parameters
         //  udp          Configure UDP specific parameters
-        NETMASK nm:IPv4
+        //  <cr>
+
+        DNS
+        {
+            importer->addMessageToLog(
+                "Warning: 'static' command option 'dns' is not supported");
+        }
+    |
+        NORANDOMSEQ
+        {
+            importer->addMessageToLog(
+                "Warning: 'static' command option 'norandomseq' is not supported");
+        }
+    |
+        NETMASK nm:IPV4
         {
             importer->mapped_nm = nm->getText();
         }
     |
-        (TCP | UDP)
-        {
-            // <0-65535>  The maximum number of simultaneous tcp connections
-
-        }
-    |
+        (TCP | UDP)?
         max_conn:INT_CONST (max_emb_conn:INT_CONST)?
         {
             importer->static_max_conn = max_conn->getText();
@@ -2055,12 +2088,14 @@ tokens
     SPEED = "speed";
     DUPLEX = "duplex";
     DELAY = "delay";
+    DNS = "dns";
     DDNS = "ddns";
     FORWARD = "forward";
     HOLD_TIME = "hold-time";
     IPV6_C = "ipv6";
     MAC_ADDRESS = "mac-address";
     MULTICAST = "multicast";
+    NETMASK = "netmask";
 
     INTERVAL = "interval";
 
@@ -2209,6 +2244,9 @@ tokens
   TRACEROUTE = "traceroute";
   UNREACHABLE = "unreachable";
 
+    NORANDOMSEQ = "norandomseq";
+
+    SCOPY = "scopy";
 }
 
 LINE_COMMENT : "!" (~('\r' | '\n'))* NEWLINE ;
@@ -2283,8 +2321,10 @@ NUMBER_ADDRESS_OR_WORD :
                 )
             )
         |
+// making sure ',' '(' ')' are not part of WORD
             ( 'a'..'z' | 'A'..'Z' | '$' )
-            ( '!'..'\'' | '*'..'/' | '0'..'9' | ':' | ';' | '<' | '=' | '>' |
+            ( '!'..'\'' | '*' | '+' | '-' | '.' | '/' | '0'..'9' | ':' |
+              ';' | '<' | '=' | '>' |
               '?' | '@' | 'A'..'Z' | '\\' | '^' | '_' | '`' | 'a'..'z' )*
             { _ttype = WORD; }
         )
diff --git a/src/unit_tests/PIXImporterTest/PIXImporterTest.cpp b/src/unit_tests/PIXImporterTest/PIXImporterTest.cpp
index 4fa35b81e..1a7e1a21a 100644
--- a/src/unit_tests/PIXImporterTest/PIXImporterTest.cpp
+++ b/src/unit_tests/PIXImporterTest/PIXImporterTest.cpp
@@ -230,6 +230,23 @@ void PIXImporterTest::PIX_7_Test()
     compareFwbFiles("test_data/pix7.fwb", "pix7.fwb");
 }
 
+void PIXImporterTest::PIX_7_NAT_Test()
+{
+    platform = "pix";
+
+    std::istringstream instream(openTestFile("test_data/pix7-nat.test"));
+
+    Importer* imp = new PIXImporter(lib, instream, logger, "test_fw");
+    CPPUNIT_ASSERT_NO_THROW( imp->run() );
+    imp->finalize();
+
+    db->setPredictableIds();
+    db->saveFile("pix7-nat.fwb");
+
+    compareResults(logger, "test_data/pix7-nat.output", "pix7-nat.output");
+    compareFwbFiles("test_data/pix7-nat.fwb", "pix7-nat.fwb");
+}
+
 void PIXImporterTest::ASA_8_0_Test()
 {
     platform = "pix";
diff --git a/src/unit_tests/PIXImporterTest/PIXImporterTest.h b/src/unit_tests/PIXImporterTest/PIXImporterTest.h
index d4da7ea25..f6217374e 100644
--- a/src/unit_tests/PIXImporterTest/PIXImporterTest.h
+++ b/src/unit_tests/PIXImporterTest/PIXImporterTest.h
@@ -60,6 +60,7 @@ public:
 
     void PIX_6_Test();
     void PIX_7_Test();
+    void PIX_7_NAT_Test();
     void ASA_8_0_Test();
     void ASA_8_3_Test();
     void ObjectsAndGroupsTest();
@@ -69,6 +70,7 @@ public:
     CPPUNIT_TEST_SUITE(PIXImporterTest);
     CPPUNIT_TEST(PIX_6_Test);
     CPPUNIT_TEST(PIX_7_Test);
+    CPPUNIT_TEST(PIX_7_NAT_Test);
     CPPUNIT_TEST(ASA_8_0_Test);
     CPPUNIT_TEST(ASA_8_3_Test);
     CPPUNIT_TEST(ObjectsAndGroupsTest);
diff --git a/src/unit_tests/PIXImporterTest/test_data/asa8.3.output b/src/unit_tests/PIXImporterTest/test_data/asa8.3.output
index dfc528aa9..5f156561f 100644
--- a/src/unit_tests/PIXImporterTest/test_data/asa8.3.output
+++ b/src/unit_tests/PIXImporterTest/test_data/asa8.3.output
@@ -34,7 +34,6 @@ Warning: interface Ethernet0/6 was not imported because it is in "shutdown" mode
 New interface: Ethernet0/7
 Warning: interface Ethernet0/7 was not imported because it is in "shutdown" mode
 Named object (address) internal_subnet_1Named object (address) internal_subnet_2Named object (address) Internal_netNamed object (address) hostA:eth0Ruleset: outside_acl_in
-Parser error: line 91:5: unexpected token: scopy
 Ruleset: ssh_commands_inside
 Interface Vlan1 ruleset ssh_commands_inside direction 'in' 
 Ruleset: ssh_commands_inside
diff --git a/src/unit_tests/PIXImporterTest/test_data/pix6.fwb b/src/unit_tests/PIXImporterTest/test_data/pix6.fwb
index 86b8eb86e..09443348a 100644
--- a/src/unit_tests/PIXImporterTest/test_data/pix6.fwb
+++ b/src/unit_tests/PIXImporterTest/test_data/pix6.fwb
@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="utf-8"?>
 <!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
-<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="18" lastModified="1301462978" id="root">
+<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="18" lastModified="1301531481" id="root">
   <Library id="syslib000" color="#d4f8ff" name="Standard" comment="Standard objects" ro="True">
     <AnyNetwork id="sysid0" name="Any" comment="Any Network" ro="False" address="0.0.0.0" netmask="0.0.0.0"/>
     <AnyIPService id="sysid1" protocol_num="0" name="Any" comment="Any IP Service" ro="False"/>
@@ -1163,7 +1163,7 @@
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
           </PolicyRule>
-          <PolicyRule id="id460" disabled="False" group="" log="False" position="32" action="Accept" direction="Inbound" comment="Imported from outside_acl_in&#10;10 ( global ) using swatch to automatically block probing ssh connections, so no need to limit &#10;Created during import of  line 72">
+          <PolicyRule id="id460" disabled="False" group="" log="False" position="32" action="Accept" direction="Inbound" comment="Imported from outside_acl_in&#10;10 ( global ) using swatch to automatically block probing ssh connections , so no need to limit &#10;Created during import of  line 72">
             <Src neg="False">
               <ObjectRef ref="sysid0"/>
             </Src>
diff --git a/src/unit_tests/PIXImporterTest/test_data/pix6.output b/src/unit_tests/PIXImporterTest/test_data/pix6.output
index 67e1288de..7acd40fb0 100644
--- a/src/unit_tests/PIXImporterTest/test_data/pix6.output
+++ b/src/unit_tests/PIXImporterTest/test_data/pix6.output
@@ -31,7 +31,7 @@ Rule comment: 10 ( global )
 Ruleset: outside_acl_in
 Rule comment: using swatch to automatically 
 Ruleset: outside_acl_in
-Rule comment: block probing ssh connections, so no 
+Rule comment: block probing ssh connections , so no 
 Ruleset: outside_acl_in
 Rule comment: need to limit 
 Ruleset: outside_acl_in
diff --git a/src/unit_tests/PIXImporterTest/test_data/pix7-nat.fwb b/src/unit_tests/PIXImporterTest/test_data/pix7-nat.fwb
new file mode 100644
index 000000000..ab1ce9eef
--- /dev/null
+++ b/src/unit_tests/PIXImporterTest/test_data/pix7-nat.fwb
@@ -0,0 +1,1174 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
+<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="18" lastModified="1301538587" id="root">
+  <Library id="syslib000" color="#d4f8ff" name="Standard" comment="Standard objects" ro="True">
+    <AnyNetwork id="sysid0" name="Any" comment="Any Network" ro="False" address="0.0.0.0" netmask="0.0.0.0"/>
+    <AnyIPService id="sysid1" protocol_num="0" name="Any" comment="Any IP Service" ro="False"/>
+    <AnyInterval id="sysid2" days_of_week="0,1,2,3,4,5,6" from_day="-1" from_hour="-1" from_minute="-1" from_month="-1" from_weekday="-1" from_year="-1" to_day="-1" to_hour="-1" to_minute="-1" to_month="-1" to_weekday="-1" to_year="-1" name="Any" comment="Any Interval" ro="False"/>
+    <ObjectGroup id="stdid01" name="Objects" comment="" ro="False">
+      <ObjectGroup id="stdid16" name="Addresses" comment="" ro="False">
+        <IPv4 id="id2001X88798" name="all-hosts" comment="" ro="False" address="224.0.0.1" netmask="0.0.0.0"/>
+        <IPv4 id="id2002X88798" name="all-routers" comment="" ro="False" address="224.0.0.2" netmask="0.0.0.0"/>
+        <IPv4 id="id2003X88798" name="all DVMRP" comment="" ro="False" address="224.0.0.4" netmask="0.0.0.0"/>
+        <IPv4 id="id2117X88798" name="OSPF (all routers)" comment="RFC2328" ro="False" address="224.0.0.5" netmask="0.0.0.0"/>
+        <IPv4 id="id2128X88798" name="OSPF (designated routers)" comment="RFC2328" ro="False" address="224.0.0.6" netmask="0.0.0.0"/>
+        <IPv4 id="id2430X88798" name="RIP" comment="RFC1723" ro="False" address="224.0.0.9" netmask="0.0.0.0"/>
+        <IPv4 id="id2439X88798" name="EIGRP" comment="" ro="False" address="224.0.0.10" netmask="0.0.0.0"/>
+        <IPv4 id="id2446X88798" name="DHCP server, relay agent" comment="RFC 1884" ro="False" address="224.0.0.12" netmask="0.0.0.0"/>
+        <IPv4 id="id2455X88798" name="PIM" comment="" ro="False" address="224.0.0.13" netmask="0.0.0.0"/>
+        <IPv4 id="id2462X88798" name="RSVP" comment="" ro="False" address="224.0.0.14" netmask="0.0.0.0"/>
+        <IPv4 id="id2469X88798" name="VRRP" comment="RFC3768" ro="False" address="224.0.0.18" netmask="0.0.0.0"/>
+        <IPv4 id="id2777X88798" name="IGMP" comment="" ro="False" address="224.0.0.22" netmask="0.0.0.0"/>
+        <IPv4 id="id2784X88798" name="OSPFIGP-TE" comment="RFC4973" ro="False" address="224.0.0.24" netmask="0.0.0.0"/>
+        <IPv4 id="id3094X88798" name="HSRP" comment="" ro="False" address="224.0.0.102" netmask="0.0.0.0"/>
+        <IPv4 id="id3403X88798" name="mDNS" comment="" ro="False" address="224.0.0.251" netmask="0.0.0.0"/>
+        <IPv4 id="id3410X88798" name="LLMNR" comment="Link-Local Multicast Name Resolution, RFC4795" ro="False" address="224.0.0.252" netmask="0.0.0.0"/>
+        <IPv4 id="id3411X88798" name="Teredo" comment="" ro="False" address="224.0.0.253" netmask="0.0.0.0"/>
+      </ObjectGroup>
+      <ObjectGroup id="stdid17" name="DNS Names" comment="" ro="False"/>
+      <ObjectGroup id="stdid18" name="Address Tables" comment="" ro="False"/>
+      <ObjectGroup id="stdid04" name="Groups" comment="" ro="False">
+        <ObjectGroup id="id3DC75CE8" name="rfc1918-nets" comment="" ro="False">
+          <ObjectRef ref="id3DC75CE5"/>
+          <ObjectRef ref="id3DC75CE6"/>
+          <ObjectRef ref="id3DC75CE7"/>
+        </ObjectGroup>
+        <ObjectGroup id="id3292X75851" name="ipv6 private" comment="These are various ipv6 networks that should not be routed on the Internet&#10;" ro="False">
+          <ObjectRef ref="id2088X75851"/>
+          <ObjectRef ref="id2986X75851"/>
+          <ObjectRef ref="id2383X75851"/>
+        </ObjectGroup>
+      </ObjectGroup>
+      <ObjectGroup id="stdid02" name="Hosts" comment="" ro="False">
+        <Host id="id3D84EECE" name="internal server" comment="This host is used in examples and template objects" ro="False">
+          <Interface id="id3D84EED2" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
+            <IPv4 id="id3D84EED3" name="ip" comment="" ro="False" address="192.168.1.10" netmask="255.255.255.0"/>
+            <InterfaceOptions/>
+          </Interface>
+          <Management address="192.168.1.10">
+            <SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
+            <FWBDManagement enabled="False" identity="" port="-1"/>
+            <PolicyInstallScript arguments="" command="" enabled="False"/>
+          </Management>
+          <HostOptions>
+            <Option name="snmp_contact"></Option>
+            <Option name="snmp_description"></Option>
+            <Option name="snmp_location"></Option>
+            <Option name="use_mac_addr">false</Option>
+            <Option name="use_mac_addr_filter">False</Option>
+          </HostOptions>
+        </Host>
+        <Host id="id3D84EECF" name="server on dmz" comment="This host is used in examples and template objects" ro="False">
+          <Interface id="id3D84EEE3" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
+            <IPv4 id="id3D84EEE4" name="ip" comment="" ro="False" address="192.168.2.10" netmask="255.255.255.0"/>
+            <InterfaceOptions/>
+          </Interface>
+          <Management address="192.168.2.10">
+            <SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
+            <FWBDManagement enabled="False" identity="" port="-1"/>
+            <PolicyInstallScript arguments="" command="" enabled="False"/>
+          </Management>
+          <HostOptions>
+            <Option name="snmp_contact"></Option>
+            <Option name="snmp_description"></Option>
+            <Option name="snmp_location"></Option>
+            <Option name="use_mac_addr">false</Option>
+            <Option name="use_mac_addr_filter">False</Option>
+          </HostOptions>
+        </Host>
+      </ObjectGroup>
+      <ObjectGroup id="stdid03" name="Networks" comment="" ro="False">
+        <Network id="id3DC75CEC" name="all multicasts" comment="224.0.0.0/4 - This block, formerly known as the Class D address&#10;space, is allocated for use in IPv4 multicast address assignments.&#10;The IANA guidelines for assignments from this space are described in&#10;[RFC3171].&#10;" ro="False" address="224.0.0.0" netmask="240.0.0.0"/>
+        <Network id="id3F4ECE3E" name="link-local" comment="169.254.0.0/16 - This is the &quot;link local&quot; block.  It is allocated for&#10;communication between hosts on a single link.  Hosts obtain these&#10;addresses by auto-configuration, such as when a DHCP server may not&#10;be found.&#10;" ro="False" address="169.254.0.0" netmask="255.255.0.0"/>
+        <Network id="id3F4ECE3D" name="loopback-net" comment="127.0.0.0/8 - This block is assigned for use as the Internet host&#10;loopback address.  A datagram sent by a higher level protocol to an&#10;address anywhere within this block should loop back inside the host.&#10;This is ordinarily implemented using only 127.0.0.1/32 for loopback,&#10;but no addresses within this block should ever appear on any network&#10;anywhere [RFC1700, page 5].&#10;" ro="False" address="127.0.0.0" netmask="255.0.0.0"/>
+        <Network id="id3DC75CE5" name="net-10.0.0.0" comment="10.0.0.0/8 - This block is set aside for use in private networks.&#10;Its intended use is documented in [RFC1918].  Addresses within this&#10;block should not appear on the public Internet." ro="False" address="10.0.0.0" netmask="255.0.0.0"/>
+        <Network id="id3DC75CE7" name="net-172.16.0.0" comment="172.16.0.0/12 - This block is set aside for use in private networks.&#10;Its intended use is documented in [RFC1918].  Addresses within this&#10;block should not appear on the public Internet.&#10;" ro="False" address="172.16.0.0" netmask="255.240.0.0"/>
+        <Network id="id3DC75CE6" name="net-192.168.0.0" comment="192.168.0.0/16 - This block is set aside for use in private networks.&#10;Its intended use is documented in [RFC1918].  Addresses within this&#10;block should not appear on the public Internet.&#10;" ro="False" address="192.168.0.0" netmask="255.255.0.0"/>
+        <Network id="id3F4ECE3F" name="test-net" comment="192.0.2.0/24 - This block is assigned as &quot;TEST-NET&quot; for use in&#10;documentation and example code.  It is often used in conjunction with&#10;domain names example.com or example.net in vendor and protocol&#10;documentation.  Addresses within this block should not appear on the&#10;public Internet.&#10;" ro="False" address="192.0.2.0" netmask="255.255.255.0"/>
+        <Network id="id3F4ECE40" name="this-net" comment="0.0.0.0/8 - Addresses in this block refer to source hosts on &quot;this&quot;&#10;network.  Address 0.0.0.0/32 may be used as a source address for this&#10;host on this network; other addresses within 0.0.0.0/8 may be used to&#10;refer to specified hosts on this network [RFC1700, page 4]." ro="False" address="0.0.0.0" netmask="255.0.0.0"/>
+        <Network id="id3DC75CE7-1" name="net-192.168.1.0" comment="192.168.1.0/24 - Address often used for home and small office networks.&#10;" ro="False" address="192.168.1.0" netmask="255.255.255.0"/>
+        <Network id="id3DC75CE7-2" name="net-192.168.2.0" comment="192.168.2.0/24 - Address often used for home and small office networks.&#10;" ro="False" address="192.168.2.0" netmask="255.255.255.0"/>
+        <NetworkIPv6 id="id2088X75851" name="documentation net" comment="RFC3849" ro="False" address="2001:db8::" netmask="32"/>
+        <NetworkIPv6 id="id2383X75851" name="link-local ipv6" comment="RFC4291   Link-local unicast net" ro="False" address="fe80::" netmask="10"/>
+        <NetworkIPv6 id="id2685X75851" name="multicast ipv6" comment="RFC4291  ipv6 multicast addresses" ro="False" address="ff00::" netmask="8"/>
+        <NetworkIPv6 id="id2986X75851" name="experimental ipv6" comment="RFC2928, RFC4773 &#10;&#10;&quot;The block of Sub-TLA IDs assigned to the IANA&#10;(i.e., 2001:0000::/29 - 2001:01F8::/29) is for&#10;assignment for testing and experimental usage to&#10;support activities such as the 6bone, and&#10;for new approaches like exchanges.&quot;  [RFC2928]&#10;&#10;" ro="False" address="2001::" netmask="23"/>
+      </ObjectGroup>
+      <ObjectGroup id="stdid15" name="Address Ranges" comment="" ro="False">
+        <AddressRange id="id3F6D115C" name="broadcast" comment="" ro="False" start_address="255.255.255.255" end_address="255.255.255.255"/>
+        <AddressRange id="id3F6D115D" name="old-broadcast" comment="" ro="False" start_address="0.0.0.0" end_address="0.0.0.0"/>
+      </ObjectGroup>
+    </ObjectGroup>
+    <ServiceGroup id="stdid05" name="Services" comment="" ro="False">
+      <CustomService id="stdid14_1" name="ESTABLISHED" comment="This service matches all packets which are part of network connections established through the firewall, or connections 'related' to those established through the firewall. Term 'established' refers to the state tracking mechanism which exists inside iptables and other stateful firewalls and does not mean any particular combination of packet header options. Packet is considered to correspond to the state 'ESTABLISHED' if it belongs to the network session, for which proper initiation has been seen by the firewall, so its stateful inspection module made appropriate record in the state table. Usually stateful firewalls keep track of network connections using not only tcp protocol, but also udp and sometimes even icmp protocols. 'RELATED' describes packet belonging to a separate network connection, related to the session firewall is keeping track of. One example is FTP command and FTP data sessions." ro="False" protocol="any" address_family="ipv4">
+        <CustomServiceCommand platform="Undefined"></CustomServiceCommand>
+        <CustomServiceCommand platform="iosacl">established</CustomServiceCommand>
+        <CustomServiceCommand platform="ipfilter"></CustomServiceCommand>
+        <CustomServiceCommand platform="ipfw">established</CustomServiceCommand>
+        <CustomServiceCommand platform="iptables">-m state --state ESTABLISHED,RELATED</CustomServiceCommand>
+        <CustomServiceCommand platform="procurve_acl">established</CustomServiceCommand>
+      </CustomService>
+      <CustomService id="stdid14_2" name="ESTABLISHED ipv6" comment="This service matches all packets which are part of network connections established through the firewall, or connections 'related' to those established through the firewall. Term 'established' refers to the state tracking mechanism which exists inside iptables and other stateful firewalls and does not mean any particular combination of packet header options. Packet is considered to correspond to the state 'ESTABLISHED' if it belongs to the network session, for which proper initiation has been seen by the firewall, so its stateful inspection module made appropriate record in the state table. Usually stateful firewalls keep track of network connections using not only tcp protocol, but also udp and sometimes even icmp protocols. 'RELATED' describes packet belonging to a separate network connection, related to the session firewall is keeping track of. One example is FTP command and FTP data sessions." ro="False" protocol="any" address_family="ipv6">
+        <CustomServiceCommand platform="Undefined"></CustomServiceCommand>
+        <CustomServiceCommand platform="iosacl">established</CustomServiceCommand>
+        <CustomServiceCommand platform="ipfilter"></CustomServiceCommand>
+        <CustomServiceCommand platform="ipfw">established</CustomServiceCommand>
+        <CustomServiceCommand platform="iptables">-m state --state ESTABLISHED,RELATED</CustomServiceCommand>
+        <CustomServiceCommand platform="procurve_acl">established</CustomServiceCommand>
+      </CustomService>
+      <ServiceGroup id="stdid10" name="Groups" comment="" ro="False">
+        <ServiceGroup id="sg-DHCP" name="DHCP" comment="" ro="False">
+          <ServiceRef ref="udp-bootpc"/>
+          <ServiceRef ref="udp-bootps"/>
+        </ServiceGroup>
+        <ServiceGroup id="id3F530CC8" name="DNS" comment="" ro="False">
+          <ServiceRef ref="udp-DNS"/>
+          <ServiceRef ref="tcp-DNS"/>
+        </ServiceGroup>
+        <ServiceGroup id="id3CB1279B" name="IPSEC" comment="" ro="False">
+          <ServiceRef ref="id3CB12797"/>
+          <ServiceRef ref="ip-IPSEC"/>
+        </ServiceGroup>
+        <ServiceGroup id="sg-NETBIOS" name="NETBIOS" comment="" ro="False">
+          <ServiceRef ref="udp-netbios-dgm"/>
+          <ServiceRef ref="udp-netbios-ns"/>
+          <ServiceRef ref="id3E755609"/>
+        </ServiceGroup>
+        <ServiceGroup id="id3CB131CC" name="PCAnywhere" comment="" ro="False">
+          <ServiceRef ref="id3CB131CA"/>
+          <ServiceRef ref="id3CB131C8"/>
+        </ServiceGroup>
+        <ServiceGroup id="sg-Useful_ICMP" name="Useful_ICMP" comment="" ro="False">
+          <ServiceRef ref="icmp-Time_exceeded"/>
+          <ServiceRef ref="icmp-Time_exceeded_in_transit"/>
+          <ServiceRef ref="icmp-ping_reply"/>
+          <ServiceRef ref="icmp-Unreachables"/>
+        </ServiceGroup>
+        <ServiceGroup id="id1569X4889" name="Ipv6 unreachable messages" comment="" ro="False">
+          <ServiceRef ref="idE0D27650"/>
+          <ServiceRef ref="idCFE27650"/>
+          <ServiceRef ref="idE0B27650"/>
+          <ServiceRef ref="id1519Z388"/>
+        </ServiceGroup>
+        <ServiceGroup id="id3B4FEDD9" name="kerberos" comment="" ro="False">
+          <ServiceRef ref="id3B4FEDA5"/>
+          <ServiceRef ref="id3B4FEDA9"/>
+          <ServiceRef ref="id3B4FEDA7"/>
+          <ServiceRef ref="id3B4FEDAB"/>
+          <ServiceRef ref="id3B4FEDA3"/>
+          <ServiceRef ref="id3B4FEE21"/>
+          <ServiceRef ref="id3B4FEE23"/>
+          <ServiceRef ref="id3E7E3EA2"/>
+        </ServiceGroup>
+        <ServiceGroup id="id3B4FF35E" name="nfs" comment="" ro="False">
+          <ServiceRef ref="id3B4FEE7A"/>
+          <ServiceRef ref="id3B4FEE78"/>
+        </ServiceGroup>
+        <ServiceGroup id="id3B4FEFFA" name="quake" comment="" ro="False">
+          <ServiceRef ref="id3B4FEF7C"/>
+          <ServiceRef ref="id3B4FEF7E"/>
+        </ServiceGroup>
+        <ServiceGroup id="id3D703C9A" name="Real Player" comment="" ro="False">
+          <ServiceRef ref="id3D703C99"/>
+          <ServiceRef ref="id3D703C8B"/>
+        </ServiceGroup>
+        <ServiceGroup id="id3E7E3E95" name="WinNT" comment="" ro="False">
+          <ServiceRef ref="sg-NETBIOS"/>
+          <ServiceRef ref="id3DC8C8BB"/>
+          <ServiceRef ref="id3E7E3D58"/>
+        </ServiceGroup>
+        <ServiceGroup id="id3E7E3E9A" name="Win2000" comment="" ro="False">
+          <ServiceRef ref="id3E7E3E95"/>
+          <ServiceRef ref="udp-DNS"/>
+          <ServiceRef ref="id3DC8C8BC"/>
+          <ServiceRef ref="id3E7E3EA2"/>
+          <ServiceRef ref="id3AECF778"/>
+          <ServiceRef ref="id3D703C90"/>
+          <ServiceRef ref="id3E7E4039"/>
+          <ServiceRef ref="id3E7E403A"/>
+          <ServiceRef ref="id3B4FEDA5"/>
+          <ServiceRef ref="tcp-DNS"/>
+        </ServiceGroup>
+        <ServiceGroup id="id41291786" name="UPnP" comment="" ro="False">
+          <ServiceRef ref="id41291784"/>
+          <ServiceRef ref="id41291785"/>
+          <ServiceRef ref="id41291783"/>
+          <ServiceRef ref="id412Z18A9"/>
+        </ServiceGroup>
+      </ServiceGroup>
+      <ServiceGroup id="stdid07" name="ICMP" comment="" ro="False">
+        <ICMPService id="icmp-Unreachables" code="-1" type="3" name="all ICMP unreachables" comment="" ro="False"/>
+        <ICMPService id="id3C20EEB5" code="-1" type="-1" name="any ICMP" comment="" ro="False"/>
+        <ICMPService id="icmp-Host_unreach" code="1" type="3" name="host_unreach" comment="" ro="False"/>
+        <ICMPService id="icmp-ping_reply" code="0" type="0" name="ping reply" comment="" ro="False"/>
+        <ICMPService id="icmp-ping_request" code="0" type="8" name="ping request" comment="" ro="False"/>
+        <ICMPService id="icmp-Port_unreach" code="3" type="3" name="port unreach" comment="Port unreachable" ro="False"/>
+        <ICMPService id="icmp-Time_exceeded" code="0" type="11" name="time exceeded" comment="ICMP messages of this type are needed for traceroute" ro="False"/>
+        <ICMPService id="icmp-Time_exceeded_in_transit" code="1" type="11" name="time exceeded in transit" comment="" ro="False"/>
+        <ICMP6Service id="ipv6-icmp-ping_request" code="0" type="128" name="ipv6 ping request" comment="IPv6 ping request" ro="False"/>
+        <ICMP6Service id="ipv6-icmp-ping_reply" code="0" type="129" name="ipv6 ping reply" comment="IPv6 ping reply" ro="False"/>
+        <ICMP6Service id="ipv6-icmp-routersol" code="0" type="133" name="ipv6 routersol" comment="IPv6 router solicitation" ro="False"/>
+        <ICMP6Service id="ipv6-icmp-routeradv" code="0" type="134" name="ipv6 routeradv" comment="IPv6 router advertisement" ro="False"/>
+        <ICMP6Service id="ipv6-icmp-neighbrsol" code="0" type="135" name="ipv6 neighbrsol" comment="IPv6 neighbor solicitation" ro="False"/>
+        <ICMP6Service id="ipv6-icmp-neighbradv" code="0" type="136" name="ipv6 neighbradv" comment="IPv6 neighbor advertisement" ro="False"/>
+        <ICMP6Service id="ipv6-icmp-redir" code="0" type="137" name="ipv6 redir" comment="IPv6 redirect: shorter route exists" ro="False"/>
+        <ICMP6Service id="id1519Z388" code="-1" type="4" name="ipv6 parameter problem" comment="IPv6 Parameter Problem: RFC4443" ro="False"/>
+        <ICMP6Service id="idCFE27650" code="0" type="3" name="ipv6 time exceeded" comment="Time exceeded in transit" ro="False"/>
+        <ICMP6Service id="idCFF27650" code="1" type="3" name="ipv6 time exceeded in reassembly" comment="Time exceeded in reassembly" ro="False"/>
+        <ICMP6Service id="idE0B27650" code="-1" type="2" name="ipv6 packet too big" comment="" ro="False"/>
+        <ICMP6Service id="idE0D27650" code="-1" type="1" name="ipv6 all dest unreachable" comment="All icmpv6 codes for type &quot;destination unreachable&quot;&#10;" ro="False"/>
+        <ICMP6Service id="idCFE27660" code="-1" type="-1" name="ipv6 any ICMP6" comment="any ICMPv6" ro="False"/>
+      </ServiceGroup>
+      <ServiceGroup id="stdid06" name="IP" comment="" ro="False">
+        <IPService id="id3CB12797" fragm="False" lsrr="False" protocol_num="51" rr="False" short_fragm="False" ssrr="False" ts="False" name="AH" comment="IPSEC Authentication Header Protocol" ro="False"/>
+        <IPService id="ip-IPSEC" fragm="False" lsrr="False" protocol_num="50" rr="False" short_fragm="False" ssrr="False" ts="False" name="ESP" comment="IPSEC Encapsulating Security Payload Protocol" ro="False"/>
+        <IPService id="ip-RR" fragm="False" lsrr="False" protocol_num="0" rr="True" short_fragm="False" ssrr="False" ts="False" name="RR" comment="Route recording packets" ro="False"/>
+        <IPService id="ip-SRR" fragm="False" lsrr="True" protocol_num="0" rr="False" short_fragm="False" ssrr="True" ts="False" name="SRR" comment="All sorts of Source Routing Packets" ro="False"/>
+        <IPService id="ip-IP_Fragments" fragm="False" lsrr="False" protocol_num="0" rr="False" short_fragm="True" ssrr="False" ts="False" name="ip_fragments" comment="'Short' fragments" ro="False"/>
+        <IPService id="id3D703C8E" fragm="False" lsrr="False" protocol_num="57" rr="False" short_fragm="False" ssrr="False" ts="False" name="SKIP" comment="IPSEC Simple Key Management for Internet Protocols" ro="False"/>
+        <IPService id="id3D703C8F" fragm="False" lsrr="False" protocol_num="47" rr="False" short_fragm="False" ssrr="False" ts="False" name="GRE" comment="Generic Routing Encapsulation&#10;" ro="False"/>
+        <IPService id="id3D703C95" fragm="False" lsrr="False" protocol_num="112" rr="False" short_fragm="False" ssrr="False" ts="False" name="vrrp" comment="Virtual Router Redundancy Protocol" ro="False"/>
+        <IPService id="ip-IGMP" fragm="False" lsrr="False" protocol_num="2" rr="False" rtralt="True" rtralt_value="0" short_fragm="False" ssrr="False" ts="False" name="IGMP" comment="Internet Group Management Protocol, Version 3, RFC 3376" ro="False"/>
+        <IPService id="ip-PIM" fragm="False" lsrr="False" protocol_num="103" rr="False" rtralt="False" rtralt_value="0" short_fragm="False" ssrr="False" ts="False" name="PIM" comment="Protocol Independent Multicast - Dense Mode (PIM-DM), RFC 3973, or Protocol Independent Multicast-Sparse Mode (PIM-SM) RFC 2362" ro="False"/>
+      </ServiceGroup>
+      <ServiceGroup id="stdid09" name="TCP" comment="" ro="False">
+        <TCPService id="tcp-ALL_TCP_Masqueraded" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="ALL TCP Masqueraded" comment="ipchains used to use this range of port numbers for masquerading. " ro="False" src_range_start="61000" src_range_end="65095" dst_range_start="0" dst_range_end="0"/>
+        <TCPService id="id3D703C94" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="AOL" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="5190" dst_range_end="5190"/>
+        <TCPService id="tcp-All_TCP" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="All TCP" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="0" dst_range_end="0"/>
+        <TCPService id="id3CB131C4" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="Citrix-ICA" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="1494" dst_range_end="1494"/>
+        <TCPService id="id3D703C91" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="Entrust-Admin" comment="Entrust CA Administration Service" ro="False" src_range_start="0" src_range_end="0" dst_range_start="709" dst_range_end="709"/>
+        <TCPService id="id3D703C92" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="Entrust-KeyMgmt" comment="Entrust CA Key Management Service" ro="False" src_range_start="0" src_range_end="0" dst_range_start="710" dst_range_end="710"/>
+        <TCPService id="id3AEDBEAC" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="H323" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="1720" dst_range_end="1720"/>
+        <TCPService id="id412Z18A9" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="icslap" comment="Sometimes this protocol is called icslap, but Microsoft does not call it that and just says that DSPP uses port 2869 in Windows XP SP2" ro="False" src_range_start="0" src_range_end="0" dst_range_start="2869" dst_range_end="2869"/>
+        <TCPService id="id3E7E4039" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="LDAP GC" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="3268" dst_range_end="3268"/>
+        <TCPService id="id3E7E403A" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="LDAP GC SSL" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="3269" dst_range_end="3269"/>
+        <TCPService id="id3D703C83" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="OpenWindows" comment="Open Windows" ro="False" src_range_start="0" src_range_end="0" dst_range_start="2000" dst_range_end="2000"/>
+        <TCPService id="id3CB131C8" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="PCAnywhere-data" comment="data channel for PCAnywhere v7.52 and later " ro="False" src_range_start="0" src_range_end="0" dst_range_start="5631" dst_range_end="5631"/>
+        <TCPService id="id3D703C8B" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="Real-Audio" comment="RealNetworks PNA Protocol" ro="False" src_range_start="0" src_range_end="0" dst_range_start="7070" dst_range_end="7070"/>
+        <TCPService id="id3D703C93" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="RealSecure" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="2998" dst_range_end="2998"/>
+        <TCPService id="id3DC8C8BC" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="SMB" comment="SMB over TCP (without NETBIOS)&#10;" ro="False" src_range_start="0" src_range_end="0" dst_range_start="445" dst_range_end="445"/>
+        <TCPService id="id3D703C8D" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="TACACSplus" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="49" dst_range_end="49"/>
+        <TCPService id="id3D703C84" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="TCP high ports" comment="TCP high ports" ro="False" src_range_start="0" src_range_end="0" dst_range_start="1024" dst_range_end="65535"/>
+        <TCPService id="id3E7E3D58" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="WINS replication" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="42" dst_range_end="42"/>
+        <TCPService id="id3D703C82" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="X11" comment="X Window System" ro="False" src_range_start="0" src_range_end="0" dst_range_start="6000" dst_range_end="6063"/>
+        <TCPService id="tcp-Auth" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="auth" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="113" dst_range_end="113"/>
+        <TCPService id="id3AEDBE6E" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="daytime" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="13" dst_range_end="13"/>
+        <TCPService id="tcp-DNS" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="domain" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="53" dst_range_end="53"/>
+        <TCPService id="id3B4FEDA3" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="eklogin" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="2105" dst_range_end="2105"/>
+        <TCPService id="id3AECF774" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="finger" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="79" dst_range_end="79"/>
+        <TCPService id="tcp-FTP" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="ftp" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="21" dst_range_end="21"/>
+        <TCPService id="tcp-FTP_data" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="ftp data" comment="FTP data channel.&#10;  Note: FTP protocol does not really require server to use source port 20 for the data channel, &#10;  but many ftp server implementations do so." ro="False" src_range_start="20" src_range_end="20" dst_range_start="1024" dst_range_end="65535"/>
+        <TCPService id="id3E7553BC" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="ftp data passive" comment="FTP data channel for passive mode transfers&#10;" ro="False" src_range_start="0" src_range_end="0" dst_range_start="20" dst_range_end="20"/>
+        <TCPService id="tcp-HTTP" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="http" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="80" dst_range_end="80"/>
+        <TCPService id="id3B4FED69" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="https" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="443" dst_range_end="443"/>
+        <TCPService id="id3AECF776" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="imap" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="143" dst_range_end="143"/>
+        <TCPService id="id3B4FED9F" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="imaps" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="993" dst_range_end="993"/>
+        <TCPService id="id3B4FF13C" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="irc" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="6667" dst_range_end="6667"/>
+        <TCPService id="id3E7E3EA2" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="kerberos" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="88" dst_range_end="88"/>
+        <TCPService id="id3B4FEE21" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="klogin" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="543" dst_range_end="543"/>
+        <TCPService id="id3B4FEE23" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="ksh" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="544" dst_range_end="544"/>
+        <TCPService id="id3AECF778" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="ldap" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="389" dst_range_end="389"/>
+        <TCPService id="id3D703C90" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="ldaps" comment="Lightweight Directory Access Protocol over TLS/SSL" ro="False" src_range_start="0" src_range_end="0" dst_range_start="636" dst_range_end="636"/>
+        <TCPService id="id3B4FF000" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="linuxconf" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="98" dst_range_end="98"/>
+        <TCPService id="id3D703C97" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="lpr" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="515" dst_range_end="515"/>
+        <TCPService id="id3DC8C8BB" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="microsoft-rpc" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="135" dst_range_end="135"/>
+        <TCPService id="id3D703C98" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="ms-sql" comment="Microsoft SQL Server" ro="False" src_range_start="0" src_range_end="0" dst_range_start="1433" dst_range_end="1433"/>
+        <TCPService id="id3B4FEEEE" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="mysql" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="3306" dst_range_end="3306"/>
+        <TCPService id="id3E755609" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="netbios-ssn" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="139" dst_range_end="139"/>
+        <TCPService id="id3B4FEE7A" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="nfs" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="2049" dst_range_end="2049"/>
+        <TCPService id="tcp-NNTP" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="nntp" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="119" dst_range_end="119"/>
+        <TCPService id="id3E7553BB" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="nntps" comment="NNTP over SSL" ro="False" src_range_start="0" src_range_end="0" dst_range_start="563" dst_range_end="563"/>
+        <TCPService id="id3B4FEE1D" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="pop3" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="110" dst_range_end="110"/>
+        <TCPService id="id3E7553BA" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="pop3s" comment="POP-3 over SSL" ro="False" src_range_start="0" src_range_end="0" dst_range_start="995" dst_range_end="995"/>
+        <TCPService id="id3B4FF0EA" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="postgres" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="5432" dst_range_end="5432"/>
+        <TCPService id="id3AECF782" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="printer" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="515" dst_range_end="515"/>
+        <TCPService id="id3B4FEF7C" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="quake" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="26000" dst_range_end="26000"/>
+        <TCPService id="id3AECF77A" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="rexec" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="512" dst_range_end="512"/>
+        <TCPService id="id3AECF77C" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="rlogin" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="513" dst_range_end="513"/>
+        <TCPService id="id3AECF77E" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="rshell" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="514" dst_range_end="514"/>
+        <TCPService id="id3D703C99" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="rtsp" comment="Real Time Streaming Protocol" ro="False" src_range_start="0" src_range_end="0" dst_range_start="554" dst_range_end="554"/>
+        <TCPService id="id3B4FEF34" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="rwhois" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="4321" dst_range_end="4321"/>
+        <TCPService id="id3D703C89" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="securidprop" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="5510" dst_range_end="5510"/>
+        <TCPService id="tcp-SMTP" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="smtp" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="25" dst_range_end="25"/>
+        <TCPService id="id3B4FF04C" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="smtps" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="465" dst_range_end="465"/>
+        <TCPService id="id3B4FEE76" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="socks" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="1080" dst_range_end="1080"/>
+        <TCPService id="id3D703C87" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="sqlnet1" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="1521" dst_range_end="1521"/>
+        <TCPService id="id3B4FF09A" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="squid" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="3128" dst_range_end="3128"/>
+        <TCPService id="tcp-SSH" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="ssh" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="22" dst_range_end="22"/>
+        <TCPService id="id3AEDBE00" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="sunrpc" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="111" dst_range_end="111"/>
+        <TCPService id="tcp-TCP-SYN" ack_flag="False" ack_flag_mask="True" fin_flag="False" fin_flag_mask="True" psh_flag="False" psh_flag_mask="True" rst_flag="False" rst_flag_mask="True" syn_flag="True" syn_flag_mask="True" urg_flag="False" urg_flag_mask="True" name="tcp-syn" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="0" dst_range_end="0"/>
+        <TCPService id="tcp-Telnet" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="telnet" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="23" dst_range_end="23"/>
+        <TCPService id="tcp-uucp" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="uucp" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="540" dst_range_end="540"/>
+        <TCPService id="id3CB131C6" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="winterm" comment="Windows Terminal Services" ro="False" src_range_start="0" src_range_end="0" dst_range_start="3389" dst_range_end="3389"/>
+        <TCPService id="id3B4FF1B8" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="xfs" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="7100" dst_range_end="7100"/>
+        <TCPService id="id3C685B2B" ack_flag="True" ack_flag_mask="True" fin_flag="True" fin_flag_mask="True" psh_flag="True" psh_flag_mask="True" rst_flag="True" rst_flag_mask="True" syn_flag="True" syn_flag_mask="True" urg_flag="True" urg_flag_mask="True" name="xmas scan - full" comment="This service object matches TCP packet with all six flags set." ro="False" src_range_start="0" src_range_end="0" dst_range_start="0" dst_range_end="0"/>
+        <TCPService id="id4127E949" ack_flag="False" ack_flag_mask="True" fin_flag="True" fin_flag_mask="True" psh_flag="True" psh_flag_mask="True" rst_flag="False" rst_flag_mask="True" syn_flag="False" syn_flag_mask="True" urg_flag="True" urg_flag_mask="True" name="xmas scan" comment="This service object matches TCP packet with flags FIN, PSH and URG set and other flags cleared. This is a  &quot;christmas scan&quot; as defined in snort rules. Nmap can generate this scan, too." ro="False" src_range_start="0" src_range_end="0" dst_range_start="0" dst_range_end="0"/>
+        <TCPService id="id4127EA72" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="rsync" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="873" dst_range_end="873"/>
+        <TCPService id="id4127EBAC" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="distcc" comment="distributed compiler" ro="False" src_range_start="0" src_range_end="0" dst_range_start="3632" dst_range_end="3632"/>
+        <TCPService id="id4127ECF1" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="cvspserver" comment="CVS client/server operations" ro="False" src_range_start="0" src_range_end="0" dst_range_start="2401" dst_range_end="2401"/>
+        <TCPService id="id4127ECF2" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="cvsup" comment="CVSup file transfer/John Polstra/FreeBSD" ro="False" src_range_start="0" src_range_end="0" dst_range_start="5999" dst_range_end="5999"/>
+        <TCPService id="id4127ED5E" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="afp" comment="AFP (Apple file sharing) over TCP" ro="False" src_range_start="0" src_range_end="0" dst_range_start="548" dst_range_end="548"/>
+        <TCPService id="id4127EDF6" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="whois" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="43" dst_range_end="43"/>
+        <TCPService id="id4127F04F" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="bgp" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="179" dst_range_end="179"/>
+        <TCPService id="id4127F146" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="radius" comment="Radius protocol" ro="False" src_range_start="0" src_range_end="0" dst_range_start="1812" dst_range_end="1812"/>
+        <TCPService id="id4127F147" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="radius acct" comment="Radius Accounting" ro="False" src_range_start="0" src_range_end="0" dst_range_start="1813" dst_range_end="1813"/>
+        <TCPService id="id41291784" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="upnp" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="5000" dst_range_end="5000"/>
+        <TCPService id="id41291785" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="upnp-5431" comment="Although UPnP specification say it should use TCP port 5000, Linksys running Sveasoft firmware listens on port 5431" ro="False" src_range_start="0" src_range_end="0" dst_range_start="5431" dst_range_end="5431"/>
+        <TCPService id="id41291787" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="vnc-java-0" comment="Java VNC viewer, display 0" ro="False" src_range_start="0" src_range_end="0" dst_range_start="5800" dst_range_end="5800"/>
+        <TCPService id="id41291788" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="vnc-0" comment="Regular VNC viewer, display 0" ro="False" src_range_start="0" src_range_end="0" dst_range_start="5900" dst_range_end="5900"/>
+        <TCPService id="id41291887" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="vnc-java-1" comment="Java VNC viewer, display 1" ro="False" src_range_start="0" src_range_end="0" dst_range_start="5801" dst_range_end="5801"/>
+        <TCPService id="id41291888" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="vnc-1" comment="Regular VNC viewer, display 1" ro="False" src_range_start="0" src_range_end="0" dst_range_start="5901" dst_range_end="5901"/>
+        <TCPService id="id463FE5FE11008" ack_flag="False" ack_flag_mask="False" established="True" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="All TCP established" comment="Some firewall platforms can match TCP packets with flags ACK or RST set; the option is usually called &quot;established&quot;.&#10;&#10;Note that you can use this object only in the policy rules of the firewall that supports this option.&#10;&#10;If you need to match reply packets for a specific TCP service and wish to use option &quot;established&quot;, make a copy of this object and set source port range to match the service.&#10;" ro="False" src_range_start="0" src_range_end="0" dst_range_start="0" dst_range_end="0"/>
+        <TCPService id="id1577X28030" ack_flag="False" ack_flag_mask="False" established="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="rtmp" comment="Real Time Messaging Protocol" ro="False" src_range_start="0" src_range_end="0" dst_range_start="1935" dst_range_end="1935"/>
+        <TCPService id="id1590X28030" ack_flag="False" ack_flag_mask="False" established="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="xmpp-client" comment="Extensible Messaging and Presence Protocol (XMPP)   RFC3920&#10;" ro="False" src_range_start="0" src_range_end="0" dst_range_start="5222" dst_range_end="5222"/>
+        <TCPService id="id1609X28030" ack_flag="False" ack_flag_mask="False" established="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="xmpp-server" comment="Extensible Messaging and Presence Protocol (XMPP)   RFC3920&#10;" ro="False" src_range_start="0" src_range_end="0" dst_range_start="5269" dst_range_end="5269"/>
+        <TCPService id="id1622X28030" ack_flag="False" ack_flag_mask="False" established="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="xmpp-client-ssl" comment="Extensible Messaging and Presence Protocol (XMPP)   RFC3920&#10;" ro="False" src_range_start="0" src_range_end="0" dst_range_start="5223" dst_range_end="5223"/>
+        <TCPService id="id1631X28030" ack_flag="False" ack_flag_mask="False" established="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="xmpp-server-ssl" comment="Extensible Messaging and Presence Protocol (XMPP)   RFC3920&#10;" ro="False" src_range_start="0" src_range_end="0" dst_range_start="5270" dst_range_end="5270"/>
+        <TCPService id="id1644X28030" ack_flag="False" ack_flag_mask="False" established="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="nrpe" comment="NRPE add-on for Nagios  http://www.nagios.org/&#10;" ro="False" src_range_start="0" src_range_end="0" dst_range_start="5666" dst_range_end="5666"/>
+      </ServiceGroup>
+      <ServiceGroup id="stdid08" name="UDP" comment="" ro="False">
+        <UDPService id="udp-ALL_UDP_Masqueraded" name="ALL UDP Masqueraded" comment="ipchains used to use this port range for masqueraded packets" ro="False" src_range_start="61000" src_range_end="65095" dst_range_start="0" dst_range_end="0"/>
+        <UDPService id="udp-All_UDP" name="All UDP" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="0" dst_range_end="0"/>
+        <UDPService id="id3D703C96" name="ICQ" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="4000" dst_range_end="4000"/>
+        <UDPService id="id3CB129D2" name="IKE" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="500" dst_range_end="500"/>
+        <UDPService id="id3CB131CA" name="PCAnywhere-status" comment="status channel for PCAnywhere v7.52 and later" ro="False" src_range_start="0" src_range_end="0" dst_range_start="5632" dst_range_end="5632"/>
+        <UDPService id="id3AED0D6B" name="RIP" comment="routing protocol RIP" ro="False" src_range_start="0" src_range_end="0" dst_range_start="520" dst_range_end="520"/>
+        <UDPService id="id3D703C8C" name="Radius" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="1645" dst_range_end="1645"/>
+        <UDPService id="id3D703C85" name="UDP high ports" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="1024" dst_range_end="65535"/>
+        <UDPService id="id3D703C86" name="Who" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="513" dst_range_end="513"/>
+        <UDPService id="id3B4FEDA1" name="afs" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="7000" dst_range_end="7009"/>
+        <UDPService id="udp-bootpc" name="bootpc" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="68" dst_range_end="68"/>
+        <UDPService id="udp-bootps" name="bootps" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="67" dst_range_end="67"/>
+        <UDPService id="id3AEDBE70" name="daytime" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="13" dst_range_end="13"/>
+        <UDPService id="udp-DNS" name="domain" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="53" dst_range_end="53"/>
+        <UDPService id="id3D703C8A" name="interphone" comment="VocalTec Internet Phone" ro="False" src_range_start="0" src_range_end="0" dst_range_start="22555" dst_range_end="22555"/>
+        <UDPService id="id3B4FEDA5" name="kerberos" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="88" dst_range_end="88"/>
+        <UDPService id="id3B4FEDA9" name="kerberos-adm" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="749" dst_range_end="750"/>
+        <UDPService id="id3B4FEDA7" name="kpasswd" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="464" dst_range_end="464"/>
+        <UDPService id="id3B4FEDAB" name="krb524" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="4444" dst_range_end="4444"/>
+        <UDPService id="id3F865B0D" name="microsoft-rpc" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="135" dst_range_end="135"/>
+        <UDPService id="udp-netbios-dgm" name="netbios-dgm" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="138" dst_range_end="138"/>
+        <UDPService id="udp-netbios-ns" name="netbios-ns" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="137" dst_range_end="137"/>
+        <UDPService id="udp-netbios-ssn" name="netbios-ssn" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="139" dst_range_end="139"/>
+        <UDPService id="id3B4FEE78" name="nfs" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="2049" dst_range_end="2049"/>
+        <UDPService id="udp-ntp" name="ntp" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="123" dst_range_end="123"/>
+        <UDPService id="id3B4FEF7E" name="quake" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="26000" dst_range_end="26000"/>
+        <UDPService id="id3D703C88" name="secureid-udp" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="1024" dst_range_end="1024"/>
+        <UDPService id="udp-SNMP" name="snmp" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="161" dst_range_end="161"/>
+        <UDPService id="id3AED0D69" name="snmp-trap" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="162" dst_range_end="162"/>
+        <UDPService id="id3AEDBE19" name="sunrpc" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="111" dst_range_end="111"/>
+        <UDPService id="id3AECF780" name="syslog" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="514" dst_range_end="514"/>
+        <UDPService id="id3AED0D67" name="tftp" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="69" dst_range_end="69"/>
+        <UDPService id="id3AED0D8C" name="traceroute" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="33434" dst_range_end="33524"/>
+        <UDPService id="id4127EA73" name="rsync" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="873" dst_range_end="873"/>
+        <UDPService id="id41291783" name="SSDP" comment="Simple Service Discovery Protocol (used for UPnP)" ro="False" src_range_start="0" src_range_end="0" dst_range_start="1900" dst_range_end="1900"/>
+        <UDPService id="id41291883" name="OpenVPN" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="1194" dst_range_end="1194"/>
+      </ServiceGroup>
+      <ServiceGroup id="stdid13" name="Custom" comment="" ro="False">
+        <CustomService id="id3B64EEA8" name="rpc" comment="works in iptables and requires patch-o-matic.&#10;For more information look for patch-o-matic on http://www.netfilter.org/" ro="False" protocol="any" address_family="ipv4">
+          <CustomServiceCommand platform="Undefined"></CustomServiceCommand>
+          <CustomServiceCommand platform="ipf"></CustomServiceCommand>
+          <CustomServiceCommand platform="ipfilter"></CustomServiceCommand>
+          <CustomServiceCommand platform="ipfw"></CustomServiceCommand>
+          <CustomServiceCommand platform="iptables">-m record_rpc</CustomServiceCommand>
+          <CustomServiceCommand platform="pf"></CustomServiceCommand>
+          <CustomServiceCommand platform="pix"></CustomServiceCommand>
+          <CustomServiceCommand platform="unknown"></CustomServiceCommand>
+        </CustomService>
+        <CustomService id="id3B64EF4E" name="irc-conn" comment="IRC connection tracker, supports DCC.&#10;Works on iptables and requires patch-o-matic.&#10;For more information look for patch-o-matic on http://www.netfilter.org/&#10;" ro="False" protocol="any" address_family="ipv4">
+          <CustomServiceCommand platform="Undefined"></CustomServiceCommand>
+          <CustomServiceCommand platform="ipf"></CustomServiceCommand>
+          <CustomServiceCommand platform="ipfilter"></CustomServiceCommand>
+          <CustomServiceCommand platform="ipfw"></CustomServiceCommand>
+          <CustomServiceCommand platform="iptables">-m irc</CustomServiceCommand>
+          <CustomServiceCommand platform="pf"></CustomServiceCommand>
+          <CustomServiceCommand platform="pix"></CustomServiceCommand>
+          <CustomServiceCommand platform="unknown"></CustomServiceCommand>
+        </CustomService>
+        <CustomService id="id3B64EF50" name="psd" comment="Port scan detector, works only on iptables and  requires patch-o-matic &#10;For more information look for patch-o-matic on http://www.netfilter.org/" ro="False" protocol="any" address_family="ipv4">
+          <CustomServiceCommand platform="Undefined"></CustomServiceCommand>
+          <CustomServiceCommand platform="ipf"></CustomServiceCommand>
+          <CustomServiceCommand platform="ipfilter"></CustomServiceCommand>
+          <CustomServiceCommand platform="ipfw"></CustomServiceCommand>
+          <CustomServiceCommand platform="iptables">-m psd --psd-weight-threshold 5 --psd-delay-threshold 10000</CustomServiceCommand>
+          <CustomServiceCommand platform="pf"></CustomServiceCommand>
+          <CustomServiceCommand platform="pix"></CustomServiceCommand>
+          <CustomServiceCommand platform="unknown"></CustomServiceCommand>
+        </CustomService>
+        <CustomService id="id3B64EF52" name="string" comment="Matches a string in a whole packet, works in iptables and requires patch-o-matic.&#10;For more information look for patch-o-matic on http://www.netfilter.org/" ro="False" protocol="any" address_family="ipv4">
+          <CustomServiceCommand platform="Undefined"></CustomServiceCommand>
+          <CustomServiceCommand platform="ipf"></CustomServiceCommand>
+          <CustomServiceCommand platform="ipfilter"></CustomServiceCommand>
+          <CustomServiceCommand platform="ipfw"></CustomServiceCommand>
+          <CustomServiceCommand platform="iptables">-m string --string test_pattern</CustomServiceCommand>
+          <CustomServiceCommand platform="pf"></CustomServiceCommand>
+          <CustomServiceCommand platform="pix"></CustomServiceCommand>
+          <CustomServiceCommand platform="unknown"></CustomServiceCommand>
+        </CustomService>
+        <CustomService id="id3B64EF54" name="talk" comment="Talk protocol support. Works in iptables and requires patch-o-matic.&#10;For more information look for patch-o-matic on http://www.netfilter.org/" ro="False" protocol="any" address_family="ipv4">
+          <CustomServiceCommand platform="Undefined"></CustomServiceCommand>
+          <CustomServiceCommand platform="ipf"></CustomServiceCommand>
+          <CustomServiceCommand platform="ipfilter"></CustomServiceCommand>
+          <CustomServiceCommand platform="ipfw"></CustomServiceCommand>
+          <CustomServiceCommand platform="iptables">-m talk</CustomServiceCommand>
+          <CustomServiceCommand platform="pf"></CustomServiceCommand>
+          <CustomServiceCommand platform="pix"></CustomServiceCommand>
+          <CustomServiceCommand platform="unknown"></CustomServiceCommand>
+        </CustomService>
+      </ServiceGroup>
+      <ServiceGroup id="stdid19" name="TagServices" comment="" ro="False"/>
+      <ServiceGroup id="stdid20" name="UserServices" comment="" ro="False"/>
+    </ServiceGroup>
+    <ObjectGroup id="stdid12" name="Firewalls" comment="" ro="False"/>
+    <ObjectGroup id="stdid21" name="Clusters" comment="" ro="False"/>
+    <IntervalGroup id="stdid11" name="Time" comment="" ro="False">
+      <Interval id="int-workhours" days_of_week="1,2,3,4,5" from_day="-1" from_hour="9" from_minute="0" from_month="-1" from_weekday="1" from_year="-1" to_day="-1" to_hour="17" to_minute="0" to_month="-1" to_weekday="5" to_year="-1" name="workhours" comment="any day, 9:00am through 5:00pm" ro="False"/>
+      <Interval id="int-weekends" days_of_week="6,0" from_day="-1" from_hour="0" from_minute="0" from_month="-1" from_weekday="6" from_year="-1" to_day="-1" to_hour="23" to_minute="59" to_month="-1" to_weekday="0" to_year="-1" name="weekends" comment="weekends: Saturday 0:00 through Sunday 23:59 " ro="False"/>
+      <Interval id="int-afterhours" days_of_week="0,1,2,3,4,5,6" from_day="-1" from_hour="18" from_minute="0" from_month="-1" from_weekday="-1" from_year="-1" to_day="-1" to_hour="23" to_minute="59" to_month="-1" to_weekday="-1" to_year="-1" name="afterhours" comment="any day 6:00pm - 12:00am" ro="False"/>
+      <Interval id="id3C63479C" days_of_week="6" from_day="-1" from_hour="0" from_minute="0" from_month="-1" from_weekday="6" from_year="-1" to_day="-1" to_hour="23" to_minute="59" to_month="-1" to_weekday="6" to_year="-1" name="Sat" comment="" ro="False"/>
+      <Interval id="id3C63479E" days_of_week="0" from_day="-1" from_hour="0" from_minute="0" from_month="-1" from_weekday="0" from_year="-1" to_day="-1" to_hour="23" to_minute="59" to_month="-1" to_weekday="0" to_year="-1" name="Sun" comment="" ro="False"/>
+    </IntervalGroup>
+  </Library>
+  <Library id="sysid99" name="Deleted Objects" comment="" ro="False"/>
+  <Library id="id0" name="User" comment="" ro="False">
+    <ObjectGroup id="id1" name="Objects" comment="" ro="False">
+      <ObjectGroup id="id2" name="Addresses" comment="" ro="False">
+        <IPv4 id="id3" name="h-10.1.1.206" comment="Created during import of  line 72" ro="False" address="10.1.1.206" netmask="255.255.255.255"/>
+        <IPv4 id="id4" name="h-10.1.1.207" comment="Created during import of  line 73" ro="False" address="10.1.1.207" netmask="255.255.255.255"/>
+        <IPv4 id="id5" name="h-172.17.1.253" comment="Created during import of  line 75" ro="False" address="172.17.1.253" netmask="255.255.255.255"/>
+        <IPv4 id="id6" name="h-172.17.1.254" comment="Created during import of  line 76" ro="False" address="172.17.1.254" netmask="255.255.255.255"/>
+        <IPv4 id="id7" name="h-192.0.2.253" comment="Created during import of  line 77" ro="False" address="192.0.2.253" netmask="255.255.255.255"/>
+        <IPv4 id="id8" name="h-192.0.2.254" comment="Created during import of  line 78" ro="False" address="192.0.2.254" netmask="255.255.255.255"/>
+        <IPv4 id="id9" name="h-10.0.0.253" comment="Created during import of  line 80" ro="False" address="10.0.0.253" netmask="255.255.255.255"/>
+        <IPv4 id="id10" name="h-10.0.0.254" comment="Created during import of  line 81" ro="False" address="10.0.0.254" netmask="255.255.255.255"/>
+        <IPv4 id="id11" name="h-10.1.1.43" comment="Created during import of  line 106" ro="False" address="10.1.1.43" netmask="255.255.255.255"/>
+        <IPv4 id="id12" name="h-10.0.0.16" comment="Created during import of  line 136" ro="False" address="10.0.0.16" netmask="255.255.255.255"/>
+        <IPv4 id="id13" name="h-10.1.1.16" comment="Created during import of  line 136" ro="False" address="10.1.1.16" netmask="255.255.255.255"/>
+        <IPv4 id="id14" name="h-10.0.0.100" comment="Created during import of  line 137" ro="False" address="10.0.0.100" netmask="255.255.255.255"/>
+        <IPv4 id="id15" name="h-10.1.1.100" comment="Created during import of  line 137" ro="False" address="10.1.1.100" netmask="255.255.255.255"/>
+        <IPv4 id="id16" name="h-10.1.1.111" comment="Created during import of  line 138" ro="False" address="10.1.1.111" netmask="255.255.255.255"/>
+        <IPv4 id="id17" name="h-10.5.80.16" comment="Created during import of  line 139" ro="False" address="10.5.80.16" netmask="255.255.255.255"/>
+        <IPv4 id="id18" name="h-10.5.80.200" comment="Created during import of  line 140" ro="False" address="10.5.80.200" netmask="255.255.255.255"/>
+        <IPv4 id="id19" name="h-10.10.1.200" comment="Created during import of  line 140" ro="False" address="10.10.1.200" netmask="255.255.255.255"/>
+        <IPv4 id="id20" name="h-192.0.2.100" comment="Created during import of  line 193" ro="False" address="192.0.2.100" netmask="255.255.255.255"/>
+      </ObjectGroup>
+      <ObjectGroup id="id21" name="DNS Names" comment="" ro="False"/>
+      <ObjectGroup id="id22" name="Address Tables" comment="" ro="False"/>
+      <ObjectGroup id="id23" name="Groups" comment="" ro="False">
+        <ObjectGroup id="id24" name="outside.id12051X6282.src.net.0" comment="Created during import of  line 71" ro="False">
+          <ObjectRef ref="id3"/>
+          <ObjectRef ref="id4"/>
+        </ObjectGroup>
+        <ObjectGroup id="id27" name="outside.id12051X6282.src.net.1" comment="Created during import of  line 74" ro="False">
+          <ObjectRef ref="id5"/>
+          <ObjectRef ref="id6"/>
+          <ObjectRef ref="id7"/>
+          <ObjectRef ref="id8"/>
+        </ObjectGroup>
+        <ObjectGroup id="id32" name="outside.id12051X6282.src.net.2" comment="Created during import of  line 79" ro="False">
+          <ObjectRef ref="id9"/>
+          <ObjectRef ref="id10"/>
+        </ObjectGroup>
+        <ObjectGroup id="id35" name="network-zone-inside" comment="Created during import of  line 83" ro="False">
+          <ObjectRef ref="id41"/>
+        </ObjectGroup>
+        <ObjectGroup id="id37" name="network-zone-dmz20" comment="Created during import of  line 85" ro="False">
+          <ObjectRef ref="id42"/>
+        </ObjectGroup>
+      </ObjectGroup>
+      <ObjectGroup id="id39" name="Hosts" comment="" ro="False"/>
+      <ObjectGroup id="id40" name="Networks" comment="" ro="False">
+        <Network id="id41" name="net-10.1.1.0/255.255.255.0" comment="Created during import of  line 84" ro="False" address="10.1.1.0" netmask="255.255.255.0"/>
+        <Network id="id42" name="net-10.0.0.0/255.255.255.0" comment="Created during import of  line 86" ro="False" address="10.0.0.0" netmask="255.255.255.0"/>
+        <Network id="id43" name="net-10.0.0.16/255.255.255.240" comment="Created during import of  line 136" ro="False" address="10.0.0.16" netmask="255.255.255.240"/>
+        <Network id="id44" name="net-10.5.80.16/255.255.255.240" comment="Created during import of  line 139" ro="False" address="10.5.80.16" netmask="255.255.255.240"/>
+        <Network id="id45" name="net-10.1.2.0/255.255.255.0" comment="Created during import of  line 192" ro="False" address="10.1.2.0" netmask="255.255.255.0"/>
+      </ObjectGroup>
+      <ObjectGroup id="id46" name="Address Ranges" comment="" ro="False"/>
+    </ObjectGroup>
+    <ServiceGroup id="id47" name="Services" comment="" ro="False">
+      <ServiceGroup id="id48" name="Groups" comment="" ro="False"/>
+      <ServiceGroup id="id49" name="ICMP" comment="" ro="False"/>
+      <ServiceGroup id="id50" name="IP" comment="" ro="False">
+        <IPService id="id51" any_opt="False" dscp="" fragm="False" lsrr="False" protocol_num="0" rr="False" rtralt="False" rtralt_value="False" short_fragm="False" ssrr="False" tos="" ts="False" name="ip" comment="Created during import of  line 89" ro="False"/>
+      </ServiceGroup>
+      <ServiceGroup id="id52" name="TCP" comment="" ro="False">
+        <TCPService id="id53" ack_flag="False" ack_flag_mask="False" established="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="tcp 80:80 / 0:0" comment="Created during import of  line 106" ro="False" src_range_start="80" src_range_end="80" dst_range_start="0" dst_range_end="0"/>
+        <TCPService id="id54" ack_flag="False" ack_flag_mask="False" established="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="tcp 0:0 / 80:80" comment="Created during import of  line 139" ro="False" src_range_start="0" src_range_end="0" dst_range_start="80" dst_range_end="80"/>
+        <TCPService id="id55" ack_flag="False" ack_flag_mask="False" established="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="tcp 0:0 / 8080:8080" comment="Created during import of  line 139" ro="False" src_range_start="0" src_range_end="0" dst_range_start="8080" dst_range_end="8080"/>
+        <TCPService id="id56" ack_flag="False" ack_flag_mask="False" established="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="tcp 0:0 / 0:0" comment="Created during import of  line 142" ro="False" src_range_start="0" src_range_end="0" dst_range_start="0" dst_range_end="0"/>
+      </ServiceGroup>
+      <ServiceGroup id="id57" name="UDP" comment="" ro="False">
+        <UDPService id="id58" name="udp 0:0 / 53:53" comment="Created during import of  line 93" ro="False" src_range_start="0" src_range_end="0" dst_range_start="53" dst_range_end="53"/>
+      </ServiceGroup>
+      <ServiceGroup id="id59" name="Users" comment="" ro="False"/>
+      <ServiceGroup id="id60" name="Custom" comment="" ro="False"/>
+      <ServiceGroup id="id61" name="TagServices" comment="" ro="False"/>
+    </ServiceGroup>
+    <ObjectGroup id="id62" name="Firewalls" comment="" ro="False">
+      <Firewall id="id63" host_OS="pix_os" lastCompiled="0" lastInstalled="0" lastModified="0" platform="pix" version="7.0" name="pix1" comment="Created during import of  line 6" ro="False">
+        <NAT id="id271" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
+          <NATRule id="id274" disabled="False" group="" position="0" action="Translate" comment="Created during import of  line 136">
+            <OSrc neg="False">
+              <ObjectRef ref="sysid0"/>
+            </OSrc>
+            <ODst neg="False">
+              <ObjectRef ref="id43"/>
+            </ODst>
+            <OSrv neg="False">
+              <ServiceRef ref="sysid1"/>
+            </OSrv>
+            <TSrc neg="False">
+              <ObjectRef ref="sysid0"/>
+            </TSrc>
+            <TDst neg="False">
+              <ObjectRef ref="id13"/>
+            </TDst>
+            <TSrv neg="False">
+              <ServiceRef ref="sysid1"/>
+            </TSrv>
+            <ItfInb neg="False">
+              <ObjectRef ref="id425"/>
+            </ItfInb>
+            <ItfOutb neg="False">
+              <ObjectRef ref="id428"/>
+            </ItfOutb>
+            <NATRuleOptions/>
+          </NATRule>
+          <NATRule id="id292" disabled="False" group="" position="1" action="Translate" comment="Created during import of  line 137">
+            <OSrc neg="False">
+              <ObjectRef ref="sysid0"/>
+            </OSrc>
+            <ODst neg="False">
+              <ObjectRef ref="id14"/>
+            </ODst>
+            <OSrv neg="False">
+              <ServiceRef ref="sysid1"/>
+            </OSrv>
+            <TSrc neg="False">
+              <ObjectRef ref="sysid0"/>
+            </TSrc>
+            <TDst neg="False">
+              <ObjectRef ref="id15"/>
+            </TDst>
+            <TSrv neg="False">
+              <ServiceRef ref="sysid1"/>
+            </TSrv>
+            <ItfInb neg="False">
+              <ObjectRef ref="id425"/>
+            </ItfInb>
+            <ItfOutb neg="False">
+              <ObjectRef ref="id428"/>
+            </ItfOutb>
+            <NATRuleOptions/>
+          </NATRule>
+          <NATRule id="id310" disabled="False" group="" position="2" action="Translate" comment="Created during import of  line 138">
+            <OSrc neg="False">
+              <ObjectRef ref="sysid0"/>
+            </OSrc>
+            <ODst neg="False">
+              <ObjectRef ref="id425"/>
+            </ODst>
+            <OSrv neg="False">
+              <ServiceRef ref="sysid1"/>
+            </OSrv>
+            <TSrc neg="False">
+              <ObjectRef ref="sysid0"/>
+            </TSrc>
+            <TDst neg="False">
+              <ObjectRef ref="id16"/>
+            </TDst>
+            <TSrv neg="False">
+              <ServiceRef ref="sysid1"/>
+            </TSrv>
+            <ItfInb neg="False">
+              <ObjectRef ref="id425"/>
+            </ItfInb>
+            <ItfOutb neg="False">
+              <ObjectRef ref="id428"/>
+            </ItfOutb>
+            <NATRuleOptions/>
+          </NATRule>
+          <NATRule id="id328" disabled="False" group="" position="3" action="Translate" comment="Created during import of  line 139">
+            <OSrc neg="False">
+              <ObjectRef ref="sysid0"/>
+            </OSrc>
+            <ODst neg="False">
+              <ObjectRef ref="id44"/>
+            </ODst>
+            <OSrv neg="False">
+              <ServiceRef ref="id54"/>
+            </OSrv>
+            <TSrc neg="False">
+              <ObjectRef ref="sysid0"/>
+            </TSrc>
+            <TDst neg="False">
+              <ObjectRef ref="id13"/>
+            </TDst>
+            <TSrv neg="False">
+              <ServiceRef ref="id55"/>
+            </TSrv>
+            <ItfInb neg="False">
+              <ObjectRef ref="id422"/>
+            </ItfInb>
+            <ItfOutb neg="False">
+              <ObjectRef ref="id428"/>
+            </ItfOutb>
+            <NATRuleOptions/>
+          </NATRule>
+          <NATRule id="id346" disabled="False" group="" position="4" action="Translate" comment="Created during import of  line 140">
+            <OSrc neg="False">
+              <ObjectRef ref="sysid0"/>
+            </OSrc>
+            <ODst neg="False">
+              <ObjectRef ref="id18"/>
+            </ODst>
+            <OSrv neg="False">
+              <ServiceRef ref="id54"/>
+            </OSrv>
+            <TSrc neg="False">
+              <ObjectRef ref="sysid0"/>
+            </TSrc>
+            <TDst neg="False">
+              <ObjectRef ref="id19"/>
+            </TDst>
+            <TSrv neg="False">
+              <ServiceRef ref="id55"/>
+            </TSrv>
+            <ItfInb neg="False">
+              <ObjectRef ref="id422"/>
+            </ItfInb>
+            <ItfOutb neg="False">
+              <ObjectRef ref="id428"/>
+            </ItfOutb>
+            <NATRuleOptions/>
+          </NATRule>
+          <NATRule id="id364" disabled="False" group="" position="5" action="Translate" comment="Created during import of  line 142">
+            <OSrc neg="False">
+              <ObjectRef ref="sysid0"/>
+            </OSrc>
+            <ODst neg="False">
+              <ObjectRef ref="id422"/>
+            </ODst>
+            <OSrv neg="False">
+              <ServiceRef ref="id54"/>
+            </OSrv>
+            <TSrc neg="False">
+              <ObjectRef ref="sysid0"/>
+            </TSrc>
+            <TDst neg="False">
+              <ObjectRef ref="id11"/>
+            </TDst>
+            <TSrv neg="False">
+              <ServiceRef ref="id56"/>
+            </TSrv>
+            <ItfInb neg="False">
+              <ObjectRef ref="id422"/>
+            </ItfInb>
+            <ItfOutb neg="False">
+              <ObjectRef ref="id428"/>
+            </ItfOutb>
+            <NATRuleOptions/>
+          </NATRule>
+          <NATRule id="id382" disabled="False" group="" position="6" action="Translate" comment="Created during import of  line 143">
+            <OSrc neg="False">
+              <ObjectRef ref="sysid0"/>
+            </OSrc>
+            <ODst neg="False">
+              <ObjectRef ref="id422"/>
+            </ODst>
+            <OSrv neg="False">
+              <ServiceRef ref="id54"/>
+            </OSrv>
+            <TSrc neg="False">
+              <ObjectRef ref="sysid0"/>
+            </TSrc>
+            <TDst neg="False">
+              <ObjectRef ref="id11"/>
+            </TDst>
+            <TSrv neg="False">
+              <ServiceRef ref="id56"/>
+            </TSrv>
+            <ItfInb neg="False">
+              <ObjectRef ref="id422"/>
+            </ItfInb>
+            <ItfOutb neg="False">
+              <ObjectRef ref="id428"/>
+            </ItfOutb>
+            <NATRuleOptions/>
+          </NATRule>
+          <NATRule id="id400" disabled="False" group="" position="7" action="Translate" comment="Created during import of  line 144">
+            <OSrc neg="False">
+              <ObjectRef ref="sysid0"/>
+            </OSrc>
+            <ODst neg="False">
+              <ObjectRef ref="id422"/>
+            </ODst>
+            <OSrv neg="False">
+              <ServiceRef ref="sysid1"/>
+            </OSrv>
+            <TSrc neg="False">
+              <ObjectRef ref="sysid0"/>
+            </TSrc>
+            <TDst neg="False">
+              <ObjectRef ref="id11"/>
+            </TDst>
+            <TSrv neg="False">
+              <ServiceRef ref="sysid1"/>
+            </TSrv>
+            <ItfInb neg="False">
+              <ObjectRef ref="id422"/>
+            </ItfInb>
+            <ItfOutb neg="False">
+              <ObjectRef ref="id428"/>
+            </ItfOutb>
+            <NATRuleOptions/>
+          </NATRule>
+          <RuleSetOptions/>
+        </NAT>
+        <Policy id="id65" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
+          <PolicyRule id="id67" disabled="False" group="" log="False" position="0" action="Accept" direction="Inbound" comment="Imported from ssh_commands_outside&#10;Created during import of  line 193">
+            <Src neg="False">
+              <ObjectRef ref="id20"/>
+            </Src>
+            <Dst neg="False">
+              <ObjectRef ref="id63"/>
+            </Dst>
+            <Srv neg="False">
+              <ServiceRef ref="sysid1"/>
+            </Srv>
+            <Itf neg="False">
+              <ObjectRef ref="id422"/>
+            </Itf>
+            <When neg="False">
+              <IntervalRef ref="sysid2"/>
+            </When>
+            <PolicyRuleOptions>
+              <Option name="stateless">False</Option>
+            </PolicyRuleOptions>
+          </PolicyRule>
+          <PolicyRule id="id79" disabled="False" group="" log="False" position="1" action="Accept" direction="Inbound" comment="Imported from ssh_commands_inside&#10;Created during import of  line 191">
+            <Src neg="False">
+              <ObjectRef ref="id41"/>
+            </Src>
+            <Dst neg="False">
+              <ObjectRef ref="id63"/>
+            </Dst>
+            <Srv neg="False">
+              <ServiceRef ref="sysid1"/>
+            </Srv>
+            <Itf neg="False">
+              <ObjectRef ref="id428"/>
+            </Itf>
+            <When neg="False">
+              <IntervalRef ref="sysid2"/>
+            </When>
+            <PolicyRuleOptions>
+              <Option name="stateless">False</Option>
+            </PolicyRuleOptions>
+          </PolicyRule>
+          <PolicyRule id="id91" disabled="False" group="" log="False" position="2" action="Accept" direction="Inbound" comment="Imported from ssh_commands_inside&#10;Created during import of  line 192">
+            <Src neg="False">
+              <ObjectRef ref="id45"/>
+            </Src>
+            <Dst neg="False">
+              <ObjectRef ref="id63"/>
+            </Dst>
+            <Srv neg="False">
+              <ServiceRef ref="sysid1"/>
+            </Srv>
+            <Itf neg="False">
+              <ObjectRef ref="id428"/>
+            </Itf>
+            <When neg="False">
+              <IntervalRef ref="sysid2"/>
+            </When>
+            <PolicyRuleOptions>
+              <Option name="stateless">False</Option>
+            </PolicyRuleOptions>
+          </PolicyRule>
+          <PolicyRule id="id103" disabled="False" group="" log="True" position="3" action="Deny" direction="Inbound" comment="Imported from inside_in&#10;Created during import of  line 98">
+            <Src neg="False">
+              <ObjectRef ref="sysid0"/>
+            </Src>
+            <Dst neg="False">
+              <ObjectRef ref="id24"/>
+            </Dst>
+            <Srv neg="False">
+              <ServiceRef ref="id51"/>
+            </Srv>
+            <Itf neg="False">
+              <ObjectRef ref="id428"/>
+            </Itf>
+            <When neg="False">
+              <IntervalRef ref="sysid2"/>
+            </When>
+            <PolicyRuleOptions>
+              <Option name="log_level">warning</Option>
+              <Option name="stateless">True</Option>
+            </PolicyRuleOptions>
+          </PolicyRule>
+          <PolicyRule id="id115" disabled="False" group="" log="True" position="4" action="Deny" direction="Inbound" comment="Imported from inside_in&#10;Created during import of  line 99">
+            <Src neg="False">
+              <ObjectRef ref="sysid0"/>
+            </Src>
+            <Dst neg="False">
+              <ObjectRef ref="id27"/>
+            </Dst>
+            <Srv neg="False">
+              <ServiceRef ref="id51"/>
+            </Srv>
+            <Itf neg="False">
+              <ObjectRef ref="id428"/>
+            </Itf>
+            <When neg="False">
+              <IntervalRef ref="sysid2"/>
+            </When>
+            <PolicyRuleOptions>
+              <Option name="log_level">warning</Option>
+              <Option name="stateless">True</Option>
+            </PolicyRuleOptions>
+          </PolicyRule>
+          <PolicyRule id="id127" disabled="False" group="" log="True" position="5" action="Deny" direction="Inbound" comment="Imported from inside_in&#10;Created during import of  line 100">
+            <Src neg="False">
+              <ObjectRef ref="sysid0"/>
+            </Src>
+            <Dst neg="False">
+              <ObjectRef ref="id32"/>
+            </Dst>
+            <Srv neg="False">
+              <ServiceRef ref="id51"/>
+            </Srv>
+            <Itf neg="False">
+              <ObjectRef ref="id428"/>
+            </Itf>
+            <When neg="False">
+              <IntervalRef ref="sysid2"/>
+            </When>
+            <PolicyRuleOptions>
+              <Option name="log_level">warning</Option>
+              <Option name="stateless">True</Option>
+            </PolicyRuleOptions>
+          </PolicyRule>
+          <PolicyRule id="id139" disabled="False" group="" log="False" position="6" action="Accept" direction="Inbound" comment="Imported from inside_in&#10;Created during import of  line 101">
+            <Src neg="False">
+              <ObjectRef ref="id41"/>
+            </Src>
+            <Dst neg="False">
+              <ObjectRef ref="sysid0"/>
+            </Dst>
+            <Srv neg="False">
+              <ServiceRef ref="id51"/>
+            </Srv>
+            <Itf neg="False">
+              <ObjectRef ref="id428"/>
+            </Itf>
+            <When neg="False">
+              <IntervalRef ref="sysid2"/>
+            </When>
+            <PolicyRuleOptions>
+              <Option name="stateless">False</Option>
+            </PolicyRuleOptions>
+          </PolicyRule>
+          <PolicyRule id="id151" disabled="False" group="" log="True" position="7" action="Deny" direction="Inbound" comment="Imported from inside_in&#10;Created during import of  line 102">
+            <Src neg="False">
+              <ObjectRef ref="sysid0"/>
+            </Src>
+            <Dst neg="False">
+              <ObjectRef ref="sysid0"/>
+            </Dst>
+            <Srv neg="False">
+              <ServiceRef ref="id51"/>
+            </Srv>
+            <Itf neg="False">
+              <ObjectRef ref="id428"/>
+            </Itf>
+            <When neg="False">
+              <IntervalRef ref="sysid2"/>
+            </When>
+            <PolicyRuleOptions>
+              <Option name="log_level">warning</Option>
+              <Option name="stateless">True</Option>
+            </PolicyRuleOptions>
+          </PolicyRule>
+          <PolicyRule id="id163" disabled="False" group="" log="True" position="8" action="Accept" direction="Outbound" comment="Imported from inside_out&#10;Created during import of  line 93">
+            <Src neg="False">
+              <ObjectRef ref="id24"/>
+            </Src>
+            <Dst neg="False">
+              <ObjectRef ref="id41"/>
+            </Dst>
+            <Srv neg="False">
+              <ServiceRef ref="id58"/>
+            </Srv>
+            <Itf neg="False">
+              <ObjectRef ref="id428"/>
+            </Itf>
+            <When neg="False">
+              <IntervalRef ref="sysid2"/>
+            </When>
+            <PolicyRuleOptions>
+              <Option name="log_level">warning</Option>
+              <Option name="stateless">False</Option>
+            </PolicyRuleOptions>
+          </PolicyRule>
+          <PolicyRule id="id175" disabled="False" group="" log="True" position="9" action="Accept" direction="Outbound" comment="Imported from inside_out&#10;Created during import of  line 94">
+            <Src neg="False">
+              <ObjectRef ref="id27"/>
+            </Src>
+            <Dst neg="False">
+              <ObjectRef ref="id41"/>
+            </Dst>
+            <Srv neg="False">
+              <ServiceRef ref="id58"/>
+            </Srv>
+            <Itf neg="False">
+              <ObjectRef ref="id428"/>
+            </Itf>
+            <When neg="False">
+              <IntervalRef ref="sysid2"/>
+            </When>
+            <PolicyRuleOptions>
+              <Option name="log_level">warning</Option>
+              <Option name="stateless">False</Option>
+            </PolicyRuleOptions>
+          </PolicyRule>
+          <PolicyRule id="id187" disabled="False" group="" log="True" position="10" action="Accept" direction="Outbound" comment="Imported from inside_out&#10;Created during import of  line 95">
+            <Src neg="False">
+              <ObjectRef ref="id32"/>
+            </Src>
+            <Dst neg="False">
+              <ObjectRef ref="id41"/>
+            </Dst>
+            <Srv neg="False">
+              <ServiceRef ref="id58"/>
+            </Srv>
+            <Itf neg="False">
+              <ObjectRef ref="id428"/>
+            </Itf>
+            <When neg="False">
+              <IntervalRef ref="sysid2"/>
+            </When>
+            <PolicyRuleOptions>
+              <Option name="log_level">warning</Option>
+              <Option name="stateless">False</Option>
+            </PolicyRuleOptions>
+          </PolicyRule>
+          <PolicyRule id="id199" disabled="False" group="" log="False" position="11" action="Accept" direction="Outbound" comment="Imported from inside_out&#10;Created during import of  line 96">
+            <Src neg="False">
+              <ObjectRef ref="id41"/>
+            </Src>
+            <Dst neg="False">
+              <ObjectRef ref="sysid0"/>
+            </Dst>
+            <Srv neg="False">
+              <ServiceRef ref="id51"/>
+            </Srv>
+            <Itf neg="False">
+              <ObjectRef ref="id428"/>
+            </Itf>
+            <When neg="False">
+              <IntervalRef ref="sysid2"/>
+            </When>
+            <PolicyRuleOptions>
+              <Option name="stateless">False</Option>
+            </PolicyRuleOptions>
+          </PolicyRule>
+          <PolicyRule id="id211" disabled="False" group="" log="True" position="12" action="Deny" direction="Outbound" comment="Imported from inside_out&#10;Created during import of  line 97">
+            <Src neg="False">
+              <ObjectRef ref="sysid0"/>
+            </Src>
+            <Dst neg="False">
+              <ObjectRef ref="sysid0"/>
+            </Dst>
+            <Srv neg="False">
+              <ServiceRef ref="id51"/>
+            </Srv>
+            <Itf neg="False">
+              <ObjectRef ref="id428"/>
+            </Itf>
+            <When neg="False">
+              <IntervalRef ref="sysid2"/>
+            </When>
+            <PolicyRuleOptions>
+              <Option name="log_level">warning</Option>
+              <Option name="stateless">True</Option>
+            </PolicyRuleOptions>
+          </PolicyRule>
+          <PolicyRule id="id223" disabled="False" group="" log="True" position="13" action="Deny" direction="Inbound" comment="Imported from outside_in&#10;Created during import of  line 89">
+            <Src neg="False">
+              <ObjectRef ref="id24"/>
+            </Src>
+            <Dst neg="False">
+              <ObjectRef ref="sysid0"/>
+            </Dst>
+            <Srv neg="False">
+              <ServiceRef ref="id51"/>
+            </Srv>
+            <Itf neg="False">
+              <ObjectRef ref="id422"/>
+            </Itf>
+            <When neg="False">
+              <IntervalRef ref="sysid2"/>
+            </When>
+            <PolicyRuleOptions>
+              <Option name="log_level">warning</Option>
+              <Option name="stateless">True</Option>
+            </PolicyRuleOptions>
+          </PolicyRule>
+          <PolicyRule id="id235" disabled="False" group="" log="True" position="14" action="Deny" direction="Inbound" comment="Imported from outside_in&#10;Created during import of  line 90">
+            <Src neg="False">
+              <ObjectRef ref="id27"/>
+            </Src>
+            <Dst neg="False">
+              <ObjectRef ref="sysid0"/>
+            </Dst>
+            <Srv neg="False">
+              <ServiceRef ref="id51"/>
+            </Srv>
+            <Itf neg="False">
+              <ObjectRef ref="id422"/>
+            </Itf>
+            <When neg="False">
+              <IntervalRef ref="sysid2"/>
+            </When>
+            <PolicyRuleOptions>
+              <Option name="log_level">warning</Option>
+              <Option name="stateless">True</Option>
+            </PolicyRuleOptions>
+          </PolicyRule>
+          <PolicyRule id="id247" disabled="False" group="" log="True" position="15" action="Deny" direction="Inbound" comment="Imported from outside_in&#10;Created during import of  line 91">
+            <Src neg="False">
+              <ObjectRef ref="id32"/>
+            </Src>
+            <Dst neg="False">
+              <ObjectRef ref="sysid0"/>
+            </Dst>
+            <Srv neg="False">
+              <ServiceRef ref="id51"/>
+            </Srv>
+            <Itf neg="False">
+              <ObjectRef ref="id422"/>
+            </Itf>
+            <When neg="False">
+              <IntervalRef ref="sysid2"/>
+            </When>
+            <PolicyRuleOptions>
+              <Option name="log_level">warning</Option>
+              <Option name="stateless">True</Option>
+            </PolicyRuleOptions>
+          </PolicyRule>
+          <PolicyRule id="id259" disabled="False" group="" log="True" position="16" action="Deny" direction="Inbound" comment="Imported from outside_in&#10;Created during import of  line 92">
+            <Src neg="False">
+              <ObjectRef ref="id41"/>
+            </Src>
+            <Dst neg="False">
+              <ObjectRef ref="sysid0"/>
+            </Dst>
+            <Srv neg="False">
+              <ServiceRef ref="id51"/>
+            </Srv>
+            <Itf neg="False">
+              <ObjectRef ref="id422"/>
+            </Itf>
+            <When neg="False">
+              <IntervalRef ref="sysid2"/>
+            </When>
+            <PolicyRuleOptions>
+              <Option name="log_level">warning</Option>
+              <Option name="stateless">True</Option>
+            </PolicyRuleOptions>
+          </PolicyRule>
+          <RuleSetOptions/>
+        </Policy>
+        <Policy id="id431" name="id12251X6282.0" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="False">
+          <PolicyRule id="id433" disabled="False" group="" log="False" position="0" action="Accept" direction="Both" comment="Created during import of  line 104">
+            <Src neg="False">
+              <ObjectRef ref="id41"/>
+            </Src>
+            <Dst neg="False">
+              <ObjectRef ref="sysid0"/>
+            </Dst>
+            <Srv neg="False">
+              <ServiceRef ref="id51"/>
+            </Srv>
+            <Itf neg="False">
+              <ObjectRef ref="sysid0"/>
+            </Itf>
+            <When neg="False">
+              <IntervalRef ref="sysid2"/>
+            </When>
+            <PolicyRuleOptions>
+              <Option name="stateless">False</Option>
+            </PolicyRuleOptions>
+          </PolicyRule>
+          <RuleSetOptions/>
+        </Policy>
+        <Policy id="id445" name="id12594X2458.0" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="False">
+          <PolicyRule id="id447" disabled="False" group="" log="False" position="0" action="Accept" direction="Both" comment="Created during import of  line 106">
+            <Src neg="False">
+              <ObjectRef ref="id11"/>
+            </Src>
+            <Dst neg="False">
+              <ObjectRef ref="sysid0"/>
+            </Dst>
+            <Srv neg="False">
+              <ServiceRef ref="id53"/>
+            </Srv>
+            <Itf neg="False">
+              <ObjectRef ref="sysid0"/>
+            </Itf>
+            <When neg="False">
+              <IntervalRef ref="sysid2"/>
+            </When>
+            <PolicyRuleOptions>
+              <Option name="stateless">False</Option>
+            </PolicyRuleOptions>
+          </PolicyRule>
+          <RuleSetOptions/>
+        </Policy>
+        <Routing id="id418" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
+          <RuleSetOptions/>
+        </Routing>
+        <Interface id="id420" dedicated_failover="False" dyn="False" security_level="0" unnum="True" unprotected="False" name="Ethernet0" comment="Created during import of  line 16" ro="False">
+          <InterfaceOptions/>
+          <Interface id="id422" dedicated_failover="False" dyn="False" label="outside" security_level="0" unnum="False" unprotected="False" name="Ethernet0.101" comment="Created during import of  line 21" ro="False">
+            <IPv4 id="id424" name="pix1:Ethernet0.101:ip" comment="Created during import of  line 24" ro="False" address="192.0.2.253" netmask="255.255.255.0"/>
+            <InterfaceOptions>
+              <Option name="type">8021q</Option>
+              <Option name="vlan_id">101</Option>
+            </InterfaceOptions>
+          </Interface>
+          <Interface id="id425" dedicated_failover="False" dyn="False" label="dmz20" security_level="20" unnum="False" unprotected="False" name="Ethernet0.102" comment="Created during import of  line 27" ro="False">
+            <IPv4 id="id427" name="pix1:Ethernet0.102:ip" comment="Created during import of  line 30" ro="False" address="10.0.0.253" netmask="255.255.255.0"/>
+            <InterfaceOptions>
+              <Option name="type">8021q</Option>
+              <Option name="vlan_id">102</Option>
+            </InterfaceOptions>
+          </Interface>
+        </Interface>
+        <Interface id="id428" dedicated_failover="False" dyn="False" label="inside" security_level="100" unnum="False" unprotected="False" name="Ethernet1" comment="Created during import of  line 33" ro="False">
+          <IPv4 id="id429" name="pix1:Ethernet1:ip" comment="Created during import of  line 37" ro="False" address="10.1.1.206" netmask="255.255.255.0"/>
+          <InterfaceOptions/>
+        </Interface>
+        <FirewallOptions>
+          <Option name="pix_add_clear_statements">true</Option>
+          <Option name="pix_assume_fw_part_of_any">true</Option>
+          <Option name="pix_default_logint">300</Option>
+          <Option name="pix_default_loglevel">info</Option>
+          <Option name="pix_emblem_log_format">false</Option>
+          <Option name="pix_emulate_out_acl">true</Option>
+          <Option name="pix_floodguard">true</Option>
+          <Option name="pix_generate_out_acl">true</Option>
+          <Option name="pix_include_comments">true</Option>
+          <Option name="pix_route_dnat_supported">true</Option>
+          <Option name="pix_rule_syslog_settings">false</Option>
+          <Option name="pix_security_fragguard_supported">true</Option>
+          <Option name="pix_syslog_device_id_supported">false</Option>
+          <Option name="pix_use_acl_remarks">true</Option>
+        </FirewallOptions>
+      </Firewall>
+    </ObjectGroup>
+    <ObjectGroup id="id459" name="Clusters" comment="" ro="False"/>
+    <IntervalGroup id="id460" name="Time" comment="" ro="False"/>
+  </Library>
+</FWObjectDatabase>
diff --git a/src/unit_tests/PIXImporterTest/test_data/pix7-nat.output b/src/unit_tests/PIXImporterTest/test_data/pix7-nat.output
new file mode 100644
index 000000000..ed5a39fe9
--- /dev/null
+++ b/src/unit_tests/PIXImporterTest/test_data/pix7-nat.output
@@ -0,0 +1,63 @@
+Version: 7.2
+Host name: pix1
+Parser warning: "names" section detected. Import of configuration that uses "names" is not supported at this time
+Name 1.2.3.4 gw
+Name 192.168.3.0 fake_network
+Name 192.168.4.1 inside_ip
+New interface: Ethernet0
+New interface: Ethernet0.101
+Interface parameters: outside  
+Interface label: outside
+Interface address: 192.0.2.253/255.255.255.0
+New interface: Ethernet0.102
+Interface parameters: dmz20  
+Interface label: dmz20
+Interface address: 10.0.0.253/255.255.255.0
+Parser warning: failover IP detected. Failover is not supported by import at this time
+New interface: Ethernet1
+Interface parameters: inside  
+Interface label: inside
+Interface address: 10.1.1.206/255.255.255.0
+New interface: Ethernet2
+Warning: interface Ethernet2 was not imported because it is in "shutdown" mode
+New interface: Ethernet3
+Warning: interface Ethernet3 was not imported because it is in "shutdown" mode
+New interface: Ethernet4
+Warning: interface Ethernet4 was not imported because it is in "shutdown" mode
+New interface: Ethernet5
+Warning: interface Ethernet5 was not imported because it is in "shutdown" mode
+New interface: Ethernet6
+Warning: interface Ethernet6 was not imported because it is in "shutdown" mode
+Object Group (network) outside.id12051X6282.src.net.0Object Group (network) outside.id12051X6282.src.net.1Object Group (network) outside.id12051X6282.src.net.2Object Group (network) network-zone-insideObject Group (network) network-zone-dmz20Ruleset: outside_in
+Ruleset: outside_in
+Ruleset: outside_in
+Ruleset: outside_in
+Ruleset: inside_out
+Ruleset: inside_out
+Ruleset: inside_out
+Ruleset: inside_out
+Ruleset: inside_out
+Ruleset: inside_in
+Ruleset: inside_in
+Ruleset: inside_in
+Ruleset: inside_in
+Ruleset: inside_in
+Ruleset: id12251X6282.0
+Ruleset: id12594X2458.0
+Ruleset: nat
+Ruleset: nat
+Ruleset: nat
+Ruleset: nat
+Ruleset: nat
+Ruleset: nat
+Ruleset: nat
+Ruleset: nat
+Interface Ethernet0.101 ruleset outside_in direction 'in' 
+Interface Ethernet1 ruleset inside_in direction 'in' 
+Interface Ethernet1 ruleset inside_out direction 'out' 
+Ruleset: ssh_commands_inside
+Interface Ethernet1 ruleset ssh_commands_inside direction 'in' 
+Ruleset: ssh_commands_inside
+Interface Ethernet1 ruleset ssh_commands_inside direction 'in' 
+Ruleset: ssh_commands_outside
+Interface Ethernet0.101 ruleset ssh_commands_outside direction 'in' 
diff --git a/src/unit_tests/PIXImporterTest/test_data/pix7-nat.test b/src/unit_tests/PIXImporterTest/test_data/pix7-nat.test
index 0841f0a99..8380f7ec4 100644
--- a/src/unit_tests/PIXImporterTest/test_data/pix7-nat.test
+++ b/src/unit_tests/PIXImporterTest/test_data/pix7-nat.test
@@ -38,6 +38,7 @@ interface Ethernet1
  ip address 10.1.1.206 255.255.255.0 
 !
 interface Ethernet2
+ shutdown
  description LAN/STATE Failover Interface
  speed 10
 !
@@ -78,6 +79,13 @@ object-group network outside.id12051X6282.src.net.1
 object-group network outside.id12051X6282.src.net.2
  network-object host 10.0.0.253
  network-object host 10.0.0.254
+
+object-group network network-zone-inside
+ network-object 10.1.1.0 255.255.255.0
+object-group network network-zone-dmz20
+ network-object 10.0.0.0 255.255.255.0
+
+
 access-list outside_in extended deny ip object-group outside.id12051X6282.src.net.0 any log warnings 
 access-list outside_in extended deny ip object-group outside.id12051X6282.src.net.1 any log warnings 
 access-list outside_in extended deny ip object-group outside.id12051X6282.src.net.2 any log warnings 
@@ -92,10 +100,10 @@ access-list inside_in extended deny ip any object-group outside.id12051X6282.src
 access-list inside_in extended deny ip any object-group outside.id12051X6282.src.net.2 log warnings 
 access-list inside_in extended permit ip 10.1.1.0 255.255.255.0 any 
 access-list inside_in extended deny ip any any log warnings 
+
 access-list id12251X6282.0 extended permit ip 10.1.1.0 255.255.255.0 any 
 
-access-group inside_in in interface inside
-access-group outside_in in interface outside
+access-list id12594X2458.0 permit tcp host 10.1.1.43 eq www any 
 
 pager lines 24
 logging enable
@@ -120,12 +128,28 @@ failover link failover Ethernet2
 failover interface ip failover 172.17.1.253 255.255.255.252 standby 172.17.1.254
 no asdm history enable
 arp timeout 14400
-nat-control
-global (outside) 1 interface
-nat (inside) 1 access-list id12251X6282.0
+
+! nat-control
+! global (outside) 1 interface
+! nat (inside) 1 access-list id12251X6282.0
+  
+static (inside,dmz20) 10.0.0.16 10.1.1.16 netmask 255.255.255.240
+static (inside,dmz20) 10.0.0.100 10.1.1.100 netmask 255.255.255.255
+static (inside,dmz20) interface 10.1.1.111
+static (inside,outside) tcp 10.5.80.16 80 10.1.1.16 8080  netmask 255.255.255.240 0 0
+static (inside,outside) tcp 10.5.80.200 80 10.10.1.200 8080  netmask 255.255.255.255 0 0
+
+static (inside,outside) tcp interface www access-list id12594X2458.0 0 0 
+static (inside,outside) tcp interface 80 access-list id12594X2458.0 0 0 
+static (inside,outside) interface access-list id12594X2458.0 0 0 
+
+
+
 access-group outside_in in interface outside
 access-group inside_in in interface inside
 access-group inside_out out interface inside
+
+
 route inside 192.168.10.0 255.255.255.0 10.1.1.254 1
 route inside 10.1.2.0 255.255.255.0 10.1.1.201 1
 timeout xlate 3:00:00
diff --git a/src/unit_tests/PIXImporterTest/test_data/pix7.output b/src/unit_tests/PIXImporterTest/test_data/pix7.output
index dfe34d154..da6fa5faf 100644
--- a/src/unit_tests/PIXImporterTest/test_data/pix7.output
+++ b/src/unit_tests/PIXImporterTest/test_data/pix7.output
@@ -48,7 +48,6 @@ Interface Ethernet0.101 ruleset outside_in direction 'in'
 Interface Ethernet0.101 ruleset outside_in direction 'in' 
 Interface Ethernet1 ruleset inside_in direction 'in' 
 Interface Ethernet1 ruleset inside_out direction 'out' 
-Parser error: line 163:5: unexpected token: scopy
 Ruleset: ssh_commands_inside
 Interface Ethernet1 ruleset ssh_commands_inside direction 'in' 
 Ruleset: ssh_commands_inside