see #1959 ASA Policy - ranges are broken into composite network instead of using range command

doc/ChangeLog

@@ -1,5 +1,24 @@
 2011-01-19  vadim  <vadim@netcitadel.com>
 
+	* PolicyCompiler_pix.cpp (compile): See #1959 "ASA Policy - ranges
+	are broken into composite network instead of using range command."
+	Added support for address ranges using named network object with
+	parameter "range" for ASA 8.3 and later. NOTE: if a network or ip
+	address object is used in a nat rule for ASA 8.3, a named object
+	has to be created for it since ASA 8.3 does not accept ip
+	addresses or subnets in "nat" commands. In the situation like
+	this, if the same address or network object is used in any Policy
+	rule, the same named object will be used in the generated
+	access-lists command.
+
+	* NamedObjectsAndGroupsSupport.cpp (getNamedObjectsDefinitions):
+	see #1959 Moved generation of the code that defines named objects
+	to class NamedObjectManager. This allows me to put all named
+	object commands on top of the generated policy, nat and routing
+	configurations and make sure each object is defined only once.
+	Still need to do #1963 - move code that generates commands to
+	define object-groups to class NamedObjectManager.
+
 	* NATCompiler_asa8.cpp (processNext): see #1954 "ASA NAT -
 	generate warning if nat rule is split and one of the resulting nat
 	rules have the same real interface and mapped interface". Compiler

src/cisco_lib/CompilerDriver_iosacl_run.cpp

@@ -318,11 +318,15 @@ QString CompilerDriver_iosacl::run(const std::string &cluster_id,
             all_errors.push_front(getErrors("").c_str());
         }
 
+        system_configuration_script +=
+            named_object_manager.getNamedObjectsDefinitions();
 
         if (single_rule_compile_on)
         {
             return formSingleRuleCompileOutput(
-                QString::fromUtf8((policy_script + routing_script).c_str()));
+                QString::fromUtf8(
+                    (named_object_manager.getNamedObjectsDefinitions() +
+                     policy_script + routing_script).c_str()));
         }
 
         QString script_buffer = assembleFwScript(

src/cisco_lib/CompilerDriver_pix_run.cpp

@@ -450,6 +450,8 @@ QString CompilerDriver_pix::run(const std::string &cluster_id,
         }
 
         system_configuration_script = oscnf->getCompiledScript();
+        system_configuration_script +=
+            named_object_manager.getNamedObjectsDefinitions();
         policy_script = c->getCompiledScript();
         nat_script = n->getCompiledScript();
         routing_script = r->getCompiledScript();
@@ -468,7 +470,8 @@ QString CompilerDriver_pix::run(const std::string &cluster_id,
         {
             return formSingleRuleCompileOutput(
                 QString::fromUtf8(
-                    (policy_script + nat_script + routing_script).c_str()));
+                    (named_object_manager.getNamedObjectsDefinitions() +
+                     policy_script + nat_script + routing_script).c_str()));
         }
 
         ofname = getAbsOutputFileName(ofname);

src/cisco_lib/CompilerDriver_procurve_acl_run.cpp

@@ -305,11 +305,15 @@ QString CompilerDriver_procurve_acl::run(const std::string &cluster_id,
             all_errors.push_front(getErrors("").c_str());
         }
 
+        system_configuration_script +=
+            named_object_manager.getNamedObjectsDefinitions();
 
         if (single_rule_compile_on)
         {
             return formSingleRuleCompileOutput(
-                QString::fromUtf8((policy_script + routing_script).c_str()));
+                QString::fromUtf8(
+                    (named_object_manager.getNamedObjectsDefinitions() +
+                     policy_script + routing_script).c_str()));
         }
 
         QString script_buffer = assembleFwScript(

src/cisco_lib/NamedObjectsAndGroupsSupport.cpp

@@ -42,6 +42,7 @@
 #include "fwbuilder/Management.h"
 #include "fwbuilder/Resources.h"
 #include "fwbuilder/AddressTable.h"
+#include "fwbuilder/AddressRange.h"
 #include "fwbuilder/Firewall.h"
 
 #include "fwcompiler/Compiler.h"
@@ -104,6 +105,19 @@ NamedObject* NamedObjectManager::getNamedObject(const FWObject *obj)
     return named_objects[obj->getId()];
 }
 
+string NamedObjectManager::getNamedObjectsDefinitions()
+{
+    QStringList output;
+    map<int, NamedObject*>::iterator it;
+
+    for (it=named_objects.begin(); it!=named_objects.end(); ++it)
+    {
+        NamedObject *nobj = it->second;
+        if (nobj==NULL) continue;
+        output << nobj->getCommand(fw);
+    }
+    return output.join("\n").toUtf8().constData();
+}
 
 
 void CreateObjectGroups::init(FWObjectDatabase *db)
@@ -283,12 +297,17 @@ void printNamedObjectsCommon::printObjectsForRE(RuleElement *re)
     {
         FWObject *obj = FWReference::getObject(*it);
         if (Interface::isA(obj)) continue;
-        compiler->output << named_objects_manager->addNamedObject(obj);
+        //compiler->output << named_objects_manager->addNamedObject(obj);
+        named_objects_manager->addNamedObject(obj);
     }
 }
 
 /*
- * We do not need object-groups for policy rules.
+ * We support named objects only for ASA 8.3 and in policy rules, only for
+ * address ranges.
+ *
+ * See #1962, it looks like ASA 8.3 does not support named objects or
+ * object-groups in place of port specification in access-list commands.
  */
 bool printNamedObjectsForPolicy::processNext()
 {
@@ -302,12 +321,16 @@ bool printNamedObjectsForPolicy::processNext()
         PolicyRule *policy_rule = PolicyRule::cast( *k );
         if (policy_rule)
         {
-            // RuleElementSrc *src_re = policy_rule->getSrc();  assert(src_re);
-            // printObjectsForRE(src_re);
-            // RuleElementDst *dst_re = policy_rule->getDst();  assert(dst_re);
-            // printObjectsForRE(dst_re);
-            // RuleElementSrv *srv_re = policy_rule->getSrv();  assert(srv_re);
-            // if (haveCustomService(srv_re)) printObjectsForRE(srv_re);
+            RuleElementSrc *src_re = policy_rule->getSrc();  assert(src_re);
+            FWObject *srcobj = FWReference::getObject(src_re->front());
+            if (AddressRange::isA(srcobj)) printObjectsForRE(src_re);
+
+            RuleElementDst *dst_re = policy_rule->getDst();  assert(dst_re);
+            FWObject *dstobj = FWReference::getObject(dst_re->front());
+            if (AddressRange::isA(srcobj)) printObjectsForRE(dst_re);
+
+            //RuleElementSrv *srv_re = policy_rule->getSrv();  assert(srv_re);
+            //printObjectsForRE(srv_re);
         }
     }
 

src/cisco_lib/NamedObjectsAndGroupsSupport.h

@@ -51,6 +51,8 @@ public:
         virtual ~NamedObjectManager();
         std::string addNamedObject(const libfwbuilder::FWObject *obj);
         NamedObject* getNamedObject(const libfwbuilder::FWObject *obj);
+
+        std::string getNamedObjectsDefinitions();
     };
     
     class CreateObjectGroups : public BasicRuleProcessor

src/cisco_lib/PolicyCompiler_pix.cpp

@@ -511,7 +511,8 @@ void PolicyCompiler_pix::compile()
     add( new InterfacePolicyRules(
              "process interface policy rules and store interface ids"));
 
-    add( new addressRanges("process address ranges" ));
+    if (XMLTools::version_compare(vers, "8.3")<0)
+        add( new addressRanges("process address ranges" ));
 
     if ( fwopt->getBool("pix_assume_fw_part_of_any"))
     {
@@ -642,11 +643,11 @@ void PolicyCompiler_pix::compile()
 
     add( new printClearCommands("Clear ACLs and object groups"));
 
-    //if (XMLTools::version_compare(vers, "8.3")>=0)
-    //{
-    //    add( new printNamedObjectsForPolicy(
-    //             "definitions of named objects", named_objects_manager));
-    //}
+    if (XMLTools::version_compare(vers, "8.3")>=0)
+    {
+        add( new printNamedObjectsForPolicy(
+                 "definitions of named objects", named_objects_manager));
+    }
 
     add( new printObjectGroups(
              "generate code for object groups", named_objects_manager));

src/cisco_lib/PolicyCompiler_pix_writers.cpp

@@ -473,42 +473,26 @@ bool PolicyCompiler_pix::PrintRule::processNext()
      * be either group (in case processor CreateObjectGroups created
      * object group for it) or a regular object
      */
-    RuleElementSrc *src=rule->getSrc();
-    RuleElementDst *dst=rule->getDst();
-    RuleElementSrv *srv=rule->getSrv();
+    RuleElementSrc *src = rule->getSrc();
+    RuleElementDst *dst = rule->getDst();
+    RuleElementSrv *srv = rule->getSrv();
 
     assert(src->size()==1);
     assert(dst->size()==1);
     assert(srv->size()==1);
 
-    FWObject *srcobj=src->front();
-    FWObject *dstobj=dst->front();
-    FWObject *srvobj=srv->front();
+    FWObject *srcobj = FWReference::getObject(src->front());
+    FWObject *dstobj = FWReference::getObject(dst->front());
+    FWObject *srvobj = FWReference::getObject(srv->front());
 
     assert(srcobj);
     assert(dstobj);
     assert(srvobj);
 
-    if (FWReference::cast(srcobj)!=NULL)
-    {
-        srcobj=FWReference::cast(srcobj)->getPointer();
-        assert(srcobj);
-    }
-    if (FWReference::cast(dstobj)!=NULL)
-    {
-        dstobj=FWReference::cast(dstobj)->getPointer();
-        assert(dstobj);
-    }
-    if (FWReference::cast(srvobj)!=NULL)
-    {
-        srvobj=FWReference::cast(srvobj)->getPointer();
-        assert(srvobj);
-    }
-
     ostringstream  aclstr;
 
-    string acl_name=rule->getStr("acl");
-    assert (acl_name!="");
+    string acl_name = rule->getStr("acl");
+    assert(acl_name!="");
 
     ciscoACL *acl = pix_comp->acls[acl_name];
     assert(acl!=NULL);
@@ -549,32 +533,48 @@ bool PolicyCompiler_pix::PrintRule::processNext()
 
     aclstr << " ";
 
-    if ( pgsrc!=NULL && pgsrc->isObjectGroup())
+    NamedObject* asa8_object;
+
+    asa8_object = pix_comp->named_objects_manager->getNamedObject(srcobj);
+    if (asa8_object)
     {
-        aclstr << "object-group " << srcobj->getName();
-        aclstr << " ";
+        aclstr << "object " << asa8_object->getCommandWord().toStdString() << " ";
     } else
     {
-        aclstr << _printAddr( compiler->getFirstSrc(rule) );
+        if (pgsrc!=NULL)
+        {
+            aclstr << "object-group " << srcobj->getName() << " ";
+        } else
+        {
+            aclstr << _printAddr(Address::cast(srcobj));
+        }
     }
 
     if ( pgsrv==NULL ) 
         aclstr << _printSrcService( compiler->getFirstSrv(rule) );
 
-    if ( pgdst!=NULL && pgdst->isObjectGroup())
+    asa8_object = pix_comp->named_objects_manager->getNamedObject(dstobj);
+    if (asa8_object)
     {
-        aclstr << "object-group " << dstobj->getName();
-        aclstr << " ";
-    } else 
-        aclstr << _printAddr( compiler->getFirstDst(rule) );
-
-
-    if ( pgsrv!=NULL )
+        aclstr << "object "  << asa8_object->getCommandWord().toStdString() << " ";
+    } else
     {
-        aclstr << "object-group " << srvobj->getName();
-        aclstr << " ";
-    } else 
-        aclstr << _printDstService( compiler->getFirstSrv(rule) );
+        if (pgdst!=NULL)
+        {
+            aclstr << "object-group " << dstobj->getName() << " ";
+        } else
+        {
+            aclstr << _printAddr(Address::cast(dstobj));
+        }
+    }
+
+    if (pgsrv!=NULL)
+    {
+        aclstr << "object-group " << srvobj->getName() << " ";
+    } else
+    {
+        aclstr << _printDstService(Service::cast(srvobj));
+    }
 
     aclstr << _printLog( rule );
 

test/pix/cluster1-1_pix1.fw.orig

@@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3439
 !
-!  Generated Wed Jan 19 18:23:28 2011 PST by vadim
+!  Generated Wed Jan 19 20:15:56 2011 PST by vadim
 !
 ! Compiled for pix 7.0
 ! Outbound ACLs: supported

test/pix/cluster1-1_pix2.fw.orig

@@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3439
 !
-!  Generated Wed Jan 19 18:23:28 2011 PST by vadim
+!  Generated Wed Jan 19 20:15:56 2011 PST by vadim
 !
 ! Compiled for pix 7.0
 ! Outbound ACLs: supported

test/pix/cluster1_pix1.fw.orig

@@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3439
 !
-!  Generated Wed Jan 19 18:23:27 2011 PST by vadim
+!  Generated Wed Jan 19 20:15:55 2011 PST by vadim
 !
 ! Compiled for pix 7.0
 ! Outbound ACLs: supported

test/pix/cluster1_pix2.fw.orig

@@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3439
 !
-!  Generated Wed Jan 19 18:23:27 2011 PST by vadim
+!  Generated Wed Jan 19 20:15:55 2011 PST by vadim
 !
 ! Compiled for pix 7.0
 ! Outbound ACLs: supported

test/pix/firewall.fw.orig

@@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3439
 !
-!  Generated Wed Jan 19 18:23:13 2011 PST by vadim
+!  Generated Wed Jan 19 20:15:42 2011 PST by vadim
 !
 ! Compiled for pix 6.2
 ! Outbound ACLs: not supported

test/pix/firewall1.fw.orig

@@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3439
 !
-!  Generated Wed Jan 19 18:23:13 2011 PST by vadim
+!  Generated Wed Jan 19 20:15:41 2011 PST by vadim
 !
 ! Compiled for pix 6.1
 ! Outbound ACLs: not supported

test/pix/firewall10.fw.orig

@@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3439
 !
-!  Generated Wed Jan 19 18:23:14 2011 PST by vadim
+!  Generated Wed Jan 19 20:15:42 2011 PST by vadim
 !
 ! Compiled for pix 6.3
 ! Outbound ACLs: not supported

test/pix/firewall11.fw.orig

@@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3439
 !
-!  Generated Wed Jan 19 18:23:14 2011 PST by vadim
+!  Generated Wed Jan 19 20:15:42 2011 PST by vadim
 !
 ! Compiled for pix 6.2
 ! Outbound ACLs: not supported

test/pix/firewall12.fw.orig

@@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3439
 !
-!  Generated Wed Jan 19 18:23:15 2011 PST by vadim
+!  Generated Wed Jan 19 20:15:43 2011 PST by vadim
 !
 ! Compiled for pix 6.3
 ! Outbound ACLs: not supported

test/pix/firewall13.fw.orig

@@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3439
 !
-!  Generated Wed Jan 19 18:23:15 2011 PST by vadim
+!  Generated Wed Jan 19 20:15:43 2011 PST by vadim
 !
 ! Compiled for pix 6.3
 ! Outbound ACLs: not supported

test/pix/firewall14.fw.orig

@@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3439
 !
-!  Generated Wed Jan 19 18:23:15 2011 PST by vadim
+!  Generated Wed Jan 19 20:15:44 2011 PST by vadim
 !
 ! Compiled for pix 6.3
 ! Outbound ACLs: not supported

test/pix/firewall2.fw.orig

@@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3439
 !
-!  Generated Wed Jan 19 18:23:16 2011 PST by vadim
+!  Generated Wed Jan 19 20:15:44 2011 PST by vadim
 !
 ! Compiled for pix 6.3
 ! Outbound ACLs: not supported

test/pix/firewall20.fw.orig

@@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3439
 !
-!  Generated Wed Jan 19 18:23:16 2011 PST by vadim
+!  Generated Wed Jan 19 20:15:45 2011 PST by vadim
 !
 ! Compiled for pix 6.3
 ! Outbound ACLs: not supported

test/pix/firewall21-1.fw.orig

@@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3439
 !
-!  Generated Wed Jan 19 18:23:17 2011 PST by vadim
+!  Generated Wed Jan 19 20:15:45 2011 PST by vadim
 !
 ! Compiled for pix 6.3
 ! Outbound ACLs: not supported

test/pix/firewall21.fw.orig

@@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3439
 !
-!  Generated Wed Jan 19 18:23:16 2011 PST by vadim
+!  Generated Wed Jan 19 20:15:45 2011 PST by vadim
 !
 ! Compiled for pix 7.0
 ! Outbound ACLs: supported

test/pix/firewall22.fw.orig

@@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3439
 !
-!  Generated Wed Jan 19 18:23:17 2011 PST by vadim
+!  Generated Wed Jan 19 20:15:46 2011 PST by vadim
 !
 ! Compiled for pix 7.0
 ! Outbound ACLs: supported

test/pix/firewall3.fw.orig

@@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3439
 !
-!  Generated Wed Jan 19 18:23:18 2011 PST by vadim
+!  Generated Wed Jan 19 20:15:46 2011 PST by vadim
 !
 ! Compiled for pix 6.2
 ! Outbound ACLs: not supported

test/pix/firewall33.fw.orig

@@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3439
 !
-!  Generated Wed Jan 19 18:23:18 2011 PST by vadim
+!  Generated Wed Jan 19 20:15:47 2011 PST by vadim
 !
 ! Compiled for pix 6.3
 ! Outbound ACLs: not supported

test/pix/firewall34.fw.orig

@@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3439
 !
-!  Generated Wed Jan 19 18:23:19 2011 PST by vadim
+!  Generated Wed Jan 19 20:15:47 2011 PST by vadim
 !
 ! Compiled for pix 6.3
 ! Outbound ACLs: not supported

test/pix/firewall4.fw.orig

@@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3439
 !
-!  Generated Wed Jan 19 18:23:19 2011 PST by vadim
+!  Generated Wed Jan 19 20:15:48 2011 PST by vadim
 !
 ! Compiled for pix 6.2
 ! Outbound ACLs: not supported

test/pix/firewall50.fw.orig

@@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3439
 !
-!  Generated Wed Jan 19 18:23:20 2011 PST by vadim
+!  Generated Wed Jan 19 20:15:48 2011 PST by vadim
 !
 ! Compiled for pix 7.0
 ! Outbound ACLs: supported

test/pix/firewall6.fw.orig

@@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3439
 !
-!  Generated Wed Jan 19 18:23:20 2011 PST by vadim
+!  Generated Wed Jan 19 20:15:48 2011 PST by vadim
 !
 ! Compiled for pix 6.2
 ! Outbound ACLs: not supported

test/pix/firewall8.fw.orig

@@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3439
 !
-!  Generated Wed Jan 19 18:23:21 2011 PST by vadim
+!  Generated Wed Jan 19 20:15:49 2011 PST by vadim
 !
 ! Compiled for pix 6.2
 ! Outbound ACLs: not supported

test/pix/firewall80.fw.orig

@@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3439
 !
-!  Generated Wed Jan 19 18:23:21 2011 PST by vadim
+!  Generated Wed Jan 19 20:15:49 2011 PST by vadim
 !
 ! Compiled for pix 8.2
 ! Outbound ACLs: supported

test/pix/firewall81.fw.orig

@@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3439
 !
-!  Generated Wed Jan 19 18:23:22 2011 PST by vadim
+!  Generated Wed Jan 19 20:21:33 2011 PST by vadim
 !
 ! Compiled for pix 8.3
 ! Outbound ACLs: supported
@@ -89,20 +89,30 @@ parameters
   router-alert action clear
 
 
+object service http.0
+  service tcp destination eq 80
+quit
+
+object network hostA:eth0.0
+  host 192.168.1.10
+quit
+
+
 !################
 clear config access-list
 clear config object-group
 clear config icmp
 clear config telnet
+
 ! 
 ! Rule  0 (global)
 ! matching "any" icmp and "all" tcp 
 ! in one service-group
 ! 
-access-list inside_acl_in deny   icmp any host 192.168.1.10 
-access-list outside_acl_in deny   icmp any host 192.168.1.10 
-access-list inside_acl_in deny   tcp any host 192.168.1.10 
-access-list outside_acl_in deny   tcp any host 192.168.1.10 
+access-list inside_acl_in deny   icmp any object hostA:eth0.0 
+access-list outside_acl_in deny   icmp any object hostA:eth0.0 
+access-list inside_acl_in deny   tcp any object hostA:eth0.0 
+access-list outside_acl_in deny   tcp any object hostA:eth0.0 
 ! 
 ! Rule  1 (FastEthernet1)
 ! test rule using translated address in dst
@@ -123,16 +133,16 @@ access-list outside_acl_in permit tcp any host 22.22.22.22 eq 80
 ! Rule  4 (global)
 ! for #1942
 ! using custom service
-access-list inside_acl_in deny   tcp any host 192.168.1.10 tcp destination neq 8080 
-access-list outside_acl_in deny   tcp any host 192.168.1.10 tcp destination neq 8080 
+access-list inside_acl_in deny   tcp any object hostA:eth0.0 neq 8080 
+access-list outside_acl_in deny   tcp any object hostA:eth0.0 neq 8080 
 ! 
 ! Rule  5 (global)
 ! for #1942
 ! using custom service
-access-list inside_acl_in deny   tcp any host 192.168.1.10 tcp destination neq 8080 
-access-list outside_acl_in deny   tcp any host 192.168.1.10 tcp destination neq 8080 
-access-list inside_acl_in deny   tcp any host 192.168.1.10 eq 3128 
-access-list outside_acl_in deny   tcp any host 192.168.1.10 eq 3128 
+access-list inside_acl_in deny   tcp any object hostA:eth0.0 neq 8080 
+access-list outside_acl_in deny   tcp any object hostA:eth0.0 neq 8080 
+access-list inside_acl_in deny   tcp any object hostA:eth0.0 eq 3128 
+access-list outside_acl_in deny   tcp any object hostA:eth0.0 eq 3128 
 ! 
 ! Rule  6 (global)
 access-list inside_acl_in deny   ip any any 
@@ -146,12 +156,6 @@ clear xlate
 clear config nat
 clear config object
 
-object service http.0
-  service tcp destination eq 80
-quit
-object network hostA:eth0.0
-  host 192.168.1.10
-quit
 ! 
 ! Rule  0 (NAT)
 nat (outside,inside) source static any any destination static interface hostA:eth0.0 service http.0 http.0 description "0 (NAT)"

test/pix/firewall82.fw.orig

@@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3439
 !
-!  Generated Wed Jan 19 18:23:22 2011 PST by vadim
+!  Generated Wed Jan 19 20:15:50 2011 PST by vadim
 !
 ! Compiled for pix 8.3
 ! Outbound ACLs: supported
@@ -89,20 +89,30 @@ parameters
   router-alert action clear
 
 
+object service http.0
+  service tcp destination eq 80
+quit
+
+object network hostA:eth0.0
+  host 192.168.1.10
+quit
+
+
 !################
 clear config access-list
 clear config object-group
 clear config icmp
 clear config telnet
+
 ! 
 ! Rule  0 (global)
 ! matching "any" icmp and "all" tcp 
 ! in one service-group
 ! 
-access-list inside_acl_in deny   icmp any host 192.168.1.10 
-access-list outside_acl_in deny   icmp any host 192.168.1.10 
-access-list inside_acl_in deny   tcp any host 192.168.1.10 
-access-list outside_acl_in deny   tcp any host 192.168.1.10 
+access-list inside_acl_in deny   icmp any object hostA:eth0.0 
+access-list outside_acl_in deny   icmp any object hostA:eth0.0 
+access-list inside_acl_in deny   tcp any object hostA:eth0.0 
+access-list outside_acl_in deny   tcp any object hostA:eth0.0 
 ! 
 ! Rule  1 (FastEthernet1)
 ! test rule using translated address in dst
@@ -132,12 +142,6 @@ clear xlate
 clear config nat
 clear config object
 
-object service http.0
-  service tcp destination eq 80
-quit
-object network hostA:eth0.0
-  host 192.168.1.10
-quit
 ! 
 ! Rule  0 (NAT)
 nat (outside,inside) source static any any destination static interface hostA:eth0.0 service http.0 http.0 description "0 (NAT)"

test/pix/firewall83.fw.orig

@@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3439
 !
-!  Generated Wed Jan 19 18:23:22 2011 PST by vadim
+!  Generated Wed Jan 19 20:15:51 2011 PST by vadim
 !
 ! Compiled for pix 8.3
 ! Outbound ACLs: supported
@@ -87,20 +87,30 @@ parameters
   router-alert action clear
 
 
+object service http.0
+  service tcp destination eq 80
+quit
+
+object network hostA:eth0.0
+  host 192.168.1.10
+quit
+
+
 !################
 clear config access-list
 clear config object-group
 clear config icmp
 clear config telnet
+
 ! 
 ! Rule  0 (global)
 ! matching "any" icmp and "all" tcp 
 ! in one service-group
 ! 
-access-list inside_acl_in deny   icmp any host 192.168.1.10 
-access-list outside_acl_in deny   icmp any host 192.168.1.10 
-access-list inside_acl_in deny   tcp any host 192.168.1.10 
-access-list outside_acl_in deny   tcp any host 192.168.1.10 
+access-list inside_acl_in deny   icmp any object hostA:eth0.0 
+access-list outside_acl_in deny   icmp any object hostA:eth0.0 
+access-list inside_acl_in deny   tcp any object hostA:eth0.0 
+access-list outside_acl_in deny   tcp any object hostA:eth0.0 
 ! 
 ! Rule  1 (FastEthernet1)
 ! test rule using translated address in dst
@@ -127,12 +137,6 @@ clear xlate
 clear config nat
 clear config object
 
-object network hostA:eth0.0
-  host 192.168.1.10
-quit
-object service http.0
-  service tcp destination eq 80
-quit
 ! 
 ! Rule  0 (NAT)
 nat (inside,outside) source static hostA:eth0.0 interface service http.0 http.0 description "0 (NAT)"

test/pix/firewall9.fw.orig

@@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3439
 !
-!  Generated Wed Jan 19 18:23:23 2011 PST by vadim
+!  Generated Wed Jan 19 20:15:51 2011 PST by vadim
 !
 ! Compiled for pix 6.3
 ! Outbound ACLs: not supported

test/pix/firewall90.fw.orig

@@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3439
 !
-!  Generated Wed Jan 19 18:23:23 2011 PST by vadim
+!  Generated Wed Jan 19 20:15:51 2011 PST by vadim
 !
 ! Compiled for pix 8.3
 ! Outbound ACLs: supported
@@ -90,12 +90,90 @@ parameters
   router-alert action clear
 
 
+object service http.0
+  service tcp destination eq 80
+quit
+
+object service smtp.0
+  service tcp destination eq 25
+quit
+
+object service smtps.0
+  service tcp destination eq 465
+quit
+
+object service squid.0
+  service tcp destination eq 3128
+quit
+
+object network spamhost1.0
+  host 61.150.47.112
+quit
+
+object network external_gw_1.0
+  host 22.22.22.254
+quit
+
+object network external_gw2.0
+  host 22.22.22.100
+quit
+
+object network spamhost2.0
+  host 61.150.47.113
+quit
+
+object network hostA:eth0.0
+  host 192.168.1.10
+quit
+
+object network Internal_net.0
+  subnet 192.168.1.0 255.255.255.0
+quit
+
+object network internal_subnet_1.0
+  subnet 192.168.1.0 255.255.255.192
+quit
+
+object network internal_subnet_2.0
+  subnet 192.168.1.64 255.255.255.192
+quit
+
+object network ext_subnet.0
+  subnet 22.22.22.128 255.255.255.224
+quit
+
+object network ext_subnet-192.0
+  subnet 22.22.22.128 255.255.255.192
+quit
+
+object network test_range_1.0
+  range 192.168.1.11 192.168.1.15
+quit
+
+object network outside_range.0
+  range 22.22.22.21 22.22.22.25
+quit
+
+object network outside_range-1.0
+  range 22.22.22.30 22.22.22.40
+quit
+
+object network firewall90:FastEthernet1:ip.0
+  host 22.22.22.22
+quit
+
+object network firewall90:FastEthernet1:ip-1.0
+  host 22.22.22.23
+quit
+
+
 !################
 clear config access-list
 clear config object-group
 clear config icmp
 clear config telnet
 
+
 object-group network outside.id78630X30274.src.net.0
   network-object 10.1.2.0 255.255.255.0 
   network-object 10.1.3.0 255.255.255.0 
@@ -107,16 +185,16 @@ access-list outside_acl_in deny   ip object-group outside.id78630X30274.src.net.
 ! Rule  1 (global)
 ! for #1942
 ! using custom service
-access-list inside_acl_in deny   tcp any host 192.168.1.10 tcp destination neq 8080 
-access-list outside_acl_in deny   tcp any host 192.168.1.10 tcp destination neq 8080 
+access-list inside_acl_in deny   tcp any object hostA:eth0.0 tcp destination neq 8080 
+access-list outside_acl_in deny   tcp any object hostA:eth0.0 tcp destination neq 8080 
 ! 
 ! Rule  2 (global)
 ! for #1942
 ! using custom service
-access-list inside_acl_in deny   tcp any host 192.168.1.10 tcp destination neq 8080 
-access-list outside_acl_in deny   tcp any host 192.168.1.10 tcp destination neq 8080 
-access-list inside_acl_in deny   tcp any host 192.168.1.10 eq 3128 
-access-list outside_acl_in deny   tcp any host 192.168.1.10 eq 3128 
+access-list inside_acl_in deny   tcp any object hostA:eth0.0 tcp destination neq 8080 
+access-list outside_acl_in deny   tcp any object hostA:eth0.0 tcp destination neq 8080 
+access-list inside_acl_in deny   tcp any object hostA:eth0.0 eq 3128 
+access-list outside_acl_in deny   tcp any object hostA:eth0.0 eq 3128 
 ! 
 ! Rule  3 (global)
 access-list inside_acl_in deny   ip any any 
@@ -130,63 +208,6 @@ clear xlate
 clear config nat
 clear config object
 
-object network Internal_net.0
-  subnet 192.168.1.0 255.255.255.0
-quit
-object service http.0
-  service tcp destination eq 80
-quit
-object network hostA:eth0.0
-  host 192.168.1.10
-quit
-object network spamhost1.0
-  host 61.150.47.112
-quit
-object service smtp.0
-  service tcp destination eq 25
-quit
-object network firewall90:FastEthernet1:ip-1.0
-  host 22.22.22.23
-quit
-object network internal_subnet_1.0
-  subnet 192.168.1.0 255.255.255.192
-quit
-object network internal_subnet_2.0
-  subnet 192.168.1.64 255.255.255.192
-quit
-object network test_range_1.0
-  range 192.168.1.11 192.168.1.15
-quit
-object network external_gw_1.0
-  host 22.22.22.254
-quit
-object network outside_range.0
-  range 22.22.22.21 22.22.22.25
-quit
-object network firewall90:FastEthernet1:ip.0
-  host 22.22.22.22
-quit
-object network external_gw2.0
-  host 22.22.22.100
-quit
-object network ext_subnet.0
-  subnet 22.22.22.128 255.255.255.224
-quit
-object network outside_range-1.0
-  range 22.22.22.30 22.22.22.40
-quit
-object service squid.0
-  service tcp destination eq 3128
-quit
-object network spamhost2.0
-  host 61.150.47.113
-quit
-object service smtps.0
-  service tcp destination eq 465
-quit
-object network ext_subnet-192.0
-  subnet 22.22.22.128 255.255.255.192
-quit
 
 object-group network outside.id178211X29963.osrc.net.0
   network-object object internal_subnet_1.0

test/pix/firewall91.fw.orig

@@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3439
 !
-!  Generated Wed Jan 19 18:23:23 2011 PST by vadim
+!  Generated Wed Jan 19 20:15:52 2011 PST by vadim
 !
 ! Compiled for pix 8.3
 ! Outbound ACLs: supported
@@ -92,11 +92,45 @@ parameters
   router-alert action clear
 
 
+object service http.0
+  service tcp destination eq 80
+quit
+
+object service https.0
+  service tcp destination eq 443
+quit
+
+object service squid.0
+  service tcp destination eq 3128
+quit
+
+object network external_gw2.0
+  host 22.22.22.100
+quit
+
+object network hostA:eth0.0
+  host 192.168.1.10
+quit
+
+object network internal_subnet_1.0
+  subnet 192.168.1.0 255.255.255.192
+quit
+
+object network test_range_1.0
+  range 192.168.1.11 192.168.1.15
+quit
+
+object network outside_range.0
+  range 22.22.22.21 22.22.22.25
+quit
+
+
 !################
 clear config access-list
 clear config object-group
 clear config icmp
 clear config telnet
+
 ! 
 ! Rule  0 (global)
 access-list inside_acl_in deny   ip any any 
@@ -110,30 +144,6 @@ clear xlate
 clear config nat
 clear config object
 
-object network hostA:eth0.0
-  host 192.168.1.10
-quit
-object network external_gw2.0
-  host 22.22.22.100
-quit
-object service http.0
-  service tcp destination eq 80
-quit
-object service squid.0
-  service tcp destination eq 3128
-quit
-object service https.0
-  service tcp destination eq 443
-quit
-object network outside_range.0
-  range 22.22.22.21 22.22.22.25
-quit
-object network internal_subnet_1.0
-  subnet 192.168.1.0 255.255.255.192
-quit
-object network test_range_1.0
-  range 192.168.1.11 192.168.1.15
-quit
 ! 
 ! Rule  0 (NAT)
 nat (outside,inside) source static any any destination static interface hostA:eth0.0 description "0 (NAT)"

test/pix/firewall92.fw.orig

@@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3439
 !
-!  Generated Wed Jan 19 18:23:24 2011 PST by vadim
+!  Generated Wed Jan 19 20:15:52 2011 PST by vadim
 !
 ! Compiled for pix 8.3
 ! Outbound ACLs: supported
@@ -87,11 +87,45 @@ parameters
   router-alert action clear
 
 
+object service http.0
+  service tcp destination eq 80
+quit
+
+object service smtp.0
+  service tcp destination eq 25
+quit
+
+object network spamhost1.0
+  host 61.150.47.112
+quit
+
+object network hostA:eth0.0
+  host 192.168.1.10
+quit
+
+object network Internal_net.0
+  subnet 192.168.1.0 255.255.255.0
+quit
+
+object network internal_subnet_1.0
+  subnet 192.168.1.0 255.255.255.192
+quit
+
+object network internal_subnet_2.0
+  subnet 192.168.1.64 255.255.255.192
+quit
+
+object network test_range_1.0
+  range 192.168.1.11 192.168.1.15
+quit
+
+
 !################
 clear config access-list
 clear config object-group
 clear config icmp
 clear config telnet
+
 ! 
 ! Rule  0 (global)
 access-list inside_acl_in deny   ip any any 
@@ -105,30 +139,6 @@ clear xlate
 clear config nat
 clear config object
 
-object network Internal_net.0
-  subnet 192.168.1.0 255.255.255.0
-quit
-object service http.0
-  service tcp destination eq 80
-quit
-object network hostA:eth0.0
-  host 192.168.1.10
-quit
-object service smtp.0
-  service tcp destination eq 25
-quit
-object network spamhost1.0
-  host 61.150.47.112
-quit
-object network internal_subnet_1.0
-  subnet 192.168.1.0 255.255.255.192
-quit
-object network internal_subnet_2.0
-  subnet 192.168.1.64 255.255.255.192
-quit
-object network test_range_1.0
-  range 192.168.1.11 192.168.1.15
-quit
 
 object-group network outside.id20655X6113.osrc.net.0
   network-object object internal_subnet_1.0

test/pix/firewall93.fw.orig

@@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3439
 !
-!  Generated Wed Jan 19 18:23:24 2011 PST by vadim
+!  Generated Wed Jan 19 20:15:52 2011 PST by vadim
 !
 ! Compiled for pix 8.3
 ! Outbound ACLs: supported
@@ -88,18 +88,22 @@ policy-map global_policy
 service-policy global_policy global
 
 
+
+object network dmz-range-1.0
+  range 172.16.0.10 172.16.0.15
+quit
+
+object network inside-range-1.0
+  range 10.0.0.1 10.0.0.5
+quit
+
+
 !################
 
 clear xlate
 clear config nat
 clear config object
 
-object network inside-range-1.0
-  range 10.0.0.1 10.0.0.5
-quit
-object network dmz-range-1.0
-  range 172.16.0.10 172.16.0.15
-quit
 ! 
 ! Rule  0 (NAT)
 nat (inside,outside) source dynamic inside-range-1.0 interface description "0 (NAT)"

test/pix/fwsm1.fw.orig

@@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3439
 !
-!  Generated Wed Jan 19 18:23:25 2011 PST by vadim
+!  Generated Wed Jan 19 20:15:53 2011 PST by vadim
 !
 ! Compiled for fwsm 2.3
 ! Outbound ACLs: supported

test/pix/fwsm2.fw.orig

@@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3439
 !
-!  Generated Wed Jan 19 18:23:25 2011 PST by vadim
+!  Generated Wed Jan 19 20:15:53 2011 PST by vadim
 !
 ! Compiled for fwsm 4.x
 ! Outbound ACLs: supported

test/pix/objects-for-regression-tests.fwb

@@ -17486,7 +17486,7 @@ no sysopt nodnsalias outbound
           <Option name="xlate_ss">0</Option>
         </FirewallOptions>
       </Firewall>
-      <Firewall id="id86621X27607" host_OS="pix_os" inactive="False" lastCompiled="0" lastInstalled="0" lastModified="1295404811" platform="pix" version="8.3" name="firewall81" comment="test for the warning issued when translated address is used in&#10;policy rule&#10;" ro="False">
+      <Firewall id="id86621X27607" host_OS="pix_os" inactive="False" lastCompiled="0" lastInstalled="0" lastModified="1295497261" platform="pix" version="8.3" name="firewall81" comment="test for the warning issued when translated address is used in&#10;policy rule&#10;" ro="False">
         <NAT id="id86771X27607" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
           <NATRule id="id138353X27607" disabled="False" position="0" action="Translate" comment="">
             <OSrc neg="False">
@@ -17601,7 +17601,7 @@ no sysopt nodnsalias outbound
               <ObjectRef ref="host-hostA"/>
             </Dst>
             <Srv neg="False">
-              <ServiceRef ref="id21571X21575"/>
+              <ServiceRef ref="id80355X18586"/>
             </Srv>
             <Itf neg="False">
               <ObjectRef ref="sysid0"/>
@@ -17622,8 +17622,8 @@ no sysopt nodnsalias outbound
               <ObjectRef ref="host-hostA"/>
             </Dst>
             <Srv neg="False">
-              <ServiceRef ref="id21571X21575"/>
               <ServiceRef ref="id3B5009F7"/>
+              <ServiceRef ref="id80355X18586"/>
             </Srv>
             <Itf neg="False">
               <ObjectRef ref="sysid0"/>

test/pix/pix515.fw.orig

@@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3439
 !
-!  Generated Wed Jan 19 18:23:26 2011 PST by vadim
+!  Generated Wed Jan 19 20:15:54 2011 PST by vadim
 !
 ! Compiled for pix 7.0
 ! Outbound ACLs: supported

test/pix/real.fw.orig

@@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3439
 !
-!  Generated Wed Jan 19 18:23:26 2011 PST by vadim
+!  Generated Wed Jan 19 20:15:54 2011 PST by vadim
 !
 ! Compiled for pix 6.3
 ! Outbound ACLs: not supported