see #1954 "ASA NAT - generate warning if nat rule is split and one of the resulting nat rules have the same real interface and mapped interface".

2026-03-19 17:57:22 +01:00 · 2011-01-19 18:26:08 -08:00 · 2011-01-19 18:26:08 -08:00 · ca4c132e2b
commit ca4c132e2b
parent b16968de98
39 changed files with 982 additions and 1066 deletions
--- a/doc/ChangeLog
+++ b/doc/ChangeLog
@ -1,3 +1,13 @@
+2011-01-19  vadim  <vadim@netcitadel.com>
+
+	* NATCompiler_asa8.cpp (processNext): see #1954 "ASA NAT -
+	generate warning if nat rule is split and one of the resulting nat
+	rules have the same real interface and mapped interface". Compiler
+	issues warning when objects used in OSrc and TSrc of a NAT rule
+	make it use the same interface as both real and mapped interface
+	in the generated nat command. This check is only done for ASA 8.3
+	NAT rules.
+
 2011-01-19  Vadim Kurland  <vadim@netcitadel.com>

 	* NamedObject.cpp (sanitizeObjectName): see #1953 "ASA NAT - two
--- a/src/cisco_lib/NATCompiler_asa8.cpp
+++ b/src/cisco_lib/NATCompiler_asa8.cpp
@ -266,6 +266,29 @@ bool NATCompiler_asa8::VerifyRules::processNext()
    return true;
 }

+bool NATCompiler_asa8::verifyInterfacesInNatRule::processNext()
+{
+    NATRule *rule = getNext(); if (rule==NULL) return false;
+
+    Interface *o_iface = Interface::cast(compiler->dbcopy->findInIndex(
+                                             rule->getInt("nat_iface_orig")));
+    Interface *t_iface = Interface::cast(compiler->dbcopy->findInIndex(
+                                             rule->getInt("nat_iface_trn")));
+
+    if (o_iface->getId() == t_iface->getId())
+    {
+        QString err("Objects used in Original Source and Translated Source "
+                    "of the rule dictate that the same interface '%1' is going "
+                    "to be used as real and mapped interface in the generated "
+                    "nat command.");
+        compiler->warning(rule, err.arg(o_iface->getLabel().c_str()).toStdString());
+    }
+
+    tmp_queue.push_back(rule);
+    return true;
+}
+
+

 void NATCompiler_asa8::compile()
 {
@ -347,7 +370,7 @@ void NATCompiler_asa8::compile()
    add( new ConvertToAtomicForTSrv("convert to atomic for TSrv"));

    add( new AssignInterface("assign rules to interfaces" ));
-    add( new verifyInterfaces("verify interfaces assignment" ));
+    add( new verifyInterfacesInNatRule("verify assignment of interfaces"));
    add( new fillTranslatedSrv("fill translated service element" ));
    add( new verifyRuleElements(
             "verify rule elements for static NAT rules"));
--- a/src/cisco_lib/NATCompiler_asa8.h
+++ b/src/cisco_lib/NATCompiler_asa8.h
@ -64,6 +64,13 @@ namespace fwcompiler {
         */
        DECLARE_NAT_RULE_PROCESSOR(VerifyValidityOfDNSOption);

+        /**
+         * for #1954 Issue a warning when nat rule with the same interface
+         * is used for the real and mapped interface, as in
+         * nat (outside,outside)
+         */
+	DECLARE_NAT_RULE_PROCESSOR(verifyInterfacesInNatRule);
+        
        /**
         * Split rule to make sure objects in OSrc match network zones
         * of interfaces. We only need to do this for ASA 8.3 where we
--- a/test/pix/cluster1-1_pix1.fw.orig
+++ b/test/pix/cluster1-1_pix1.fw.orig
@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3437
+!  Firewall Builder  fwb_pix v4.2.0.3439
 !
-!  Generated Mon Jan 17 17:54:19 2011 PST by vadim
+!  Generated Wed Jan 19 18:23:28 2011 PST by vadim
 !
 ! Compiled for pix 7.0
 ! Outbound ACLs: supported
@ -121,30 +121,26 @@ clear config icmp
 clear config telnet

 object-group network outside.id56590X61097.src.net.0
- network-object  host 10.3.14.206 
- network-object  host 10.3.14.207 
- exit
-
+  network-object host 10.3.14.206 
+  network-object host 10.3.14.207 
+exit

 object-group network outside.id56590X61097.src.net.1
- network-object  host 172.17.1.253 
- network-object  host 172.17.1.254 
- network-object  host 192.0.2.253 
- network-object  host 192.0.2.254 
- exit
-
+  network-object host 172.17.1.253 
+  network-object host 172.17.1.254 
+  network-object host 192.0.2.253 
+  network-object host 192.0.2.254 
+exit

 object-group network outside.id56590X61097.src.net.2
- network-object  host 10.0.0.253 
- network-object  host 10.0.0.254 
- exit
-
+  network-object host 10.0.0.253 
+  network-object host 10.0.0.254 
+exit

 object-group network inside.id56627X61097.src.net.0
- network-object  host 172.17.1.253 
- network-object  host 192.0.2.253 
- exit
-
+  network-object host 172.17.1.253 
+  network-object host 192.0.2.253 
+exit
 ! 
 ! Rule  0 (Ethernet0.101)
 ! anti spoofing rule
--- a/test/pix/cluster1-1_pix2.fw.orig
+++ b/test/pix/cluster1-1_pix2.fw.orig
@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3437
+!  Firewall Builder  fwb_pix v4.2.0.3439
 !
-!  Generated Mon Jan 17 17:54:19 2011 PST by vadim
+!  Generated Wed Jan 19 18:23:28 2011 PST by vadim
 !
 ! Compiled for pix 7.0
 ! Outbound ACLs: supported
@ -121,30 +121,26 @@ clear config icmp
 clear config telnet

 object-group network outside.id56590X61097.src.net.0
- network-object  host 10.3.14.206 
- network-object  host 10.3.14.207 
- exit
-
+  network-object host 10.3.14.206 
+  network-object host 10.3.14.207 
+exit

 object-group network outside.id56590X61097.src.net.1
- network-object  host 172.17.1.253 
- network-object  host 172.17.1.254 
- network-object  host 192.0.2.253 
- network-object  host 192.0.2.254 
- exit
-
+  network-object host 172.17.1.253 
+  network-object host 172.17.1.254 
+  network-object host 192.0.2.253 
+  network-object host 192.0.2.254 
+exit

 object-group network outside.id56590X61097.src.net.2
- network-object  host 10.0.0.253 
- network-object  host 10.0.0.254 
- exit
-
+  network-object host 10.0.0.253 
+  network-object host 10.0.0.254 
+exit

 object-group network inside.id56627X61097.src.net.0
- network-object  host 172.17.1.253 
- network-object  host 192.0.2.253 
- exit
-
+  network-object host 172.17.1.253 
+  network-object host 192.0.2.253 
+exit
 ! 
 ! Rule  0 (Ethernet0.101)
 ! anti spoofing rule
--- a/test/pix/cluster1_pix1.fw.orig
+++ b/test/pix/cluster1_pix1.fw.orig
@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3437
+!  Firewall Builder  fwb_pix v4.2.0.3439
 !
-!  Generated Mon Jan 17 17:54:19 2011 PST by vadim
+!  Generated Wed Jan 19 18:23:27 2011 PST by vadim
 !
 ! Compiled for pix 7.0
 ! Outbound ACLs: supported
@ -121,30 +121,26 @@ clear config icmp
 clear config telnet

 object-group network outside.id2913X78273.src.net.0
- network-object  host 10.3.14.206 
- network-object  host 10.3.14.207 
- exit
-
+  network-object host 10.3.14.206 
+  network-object host 10.3.14.207 
+exit

 object-group network outside.id2913X78273.src.net.1
- network-object  host 172.17.1.253 
- network-object  host 172.17.1.254 
- network-object  host 192.0.2.253 
- network-object  host 192.0.2.254 
- exit
-
+  network-object host 172.17.1.253 
+  network-object host 172.17.1.254 
+  network-object host 192.0.2.253 
+  network-object host 192.0.2.254 
+exit

 object-group network outside.id2913X78273.src.net.2
- network-object  host 10.0.0.253 
- network-object  host 10.0.0.254 
- exit
-
+  network-object host 10.0.0.253 
+  network-object host 10.0.0.254 
+exit

 object-group network inside.id55439X897.src.net.0
- network-object  host 172.17.1.253 
- network-object  host 192.0.2.253 
- exit
-
+  network-object host 172.17.1.253 
+  network-object host 192.0.2.253 
+exit
 ! 
 ! Rule  0 (Ethernet0.101)
 ! anti spoofing rule
--- a/test/pix/cluster1_pix2.fw.orig
+++ b/test/pix/cluster1_pix2.fw.orig
@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3437
+!  Firewall Builder  fwb_pix v4.2.0.3439
 !
-!  Generated Mon Jan 17 17:54:19 2011 PST by vadim
+!  Generated Wed Jan 19 18:23:27 2011 PST by vadim
 !
 ! Compiled for pix 7.0
 ! Outbound ACLs: supported
@ -121,36 +121,31 @@ clear config icmp
 clear config telnet

 object-group network outside.id2913X78273.src.net.0
- network-object  host 10.3.14.206 
- network-object  host 10.3.14.207 
- exit
-
+  network-object host 10.3.14.206 
+  network-object host 10.3.14.207 
+exit

 object-group network outside.id2913X78273.src.net.1
- network-object  host 172.17.1.253 
- network-object  host 172.17.1.254 
- network-object  host 192.0.2.253 
- network-object  host 192.0.2.254 
- exit
-
+  network-object host 172.17.1.253 
+  network-object host 172.17.1.254 
+  network-object host 192.0.2.253 
+  network-object host 192.0.2.254 
+exit

 object-group network outside.id2913X78273.src.net.2
- network-object  host 10.0.0.253 
- network-object  host 10.0.0.254 
- exit
-
+  network-object host 10.0.0.253 
+  network-object host 10.0.0.254 
+exit

 object-group network inside.id55439X897.src.net.0
- network-object  host 172.17.1.253 
- network-object  host 192.0.2.253 
- exit
-
+  network-object host 172.17.1.253 
+  network-object host 192.0.2.253 
+exit

 object-group network outside.id3401X82678.dst.net.0
- network-object  host 172.17.1.254 
- network-object  host 192.0.2.254 
- exit
-
+  network-object host 172.17.1.254 
+  network-object host 192.0.2.254 
+exit
 ! 
 ! Rule  0 (Ethernet0.101)
 ! anti spoofing rule
--- a/test/pix/firewall.fw.orig
+++ b/test/pix/firewall.fw.orig
@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3437
+!  Firewall Builder  fwb_pix v4.2.0.3439
 !
-!  Generated Mon Jan 17 17:53:53 2011 PST by vadim
+!  Generated Wed Jan 19 18:23:13 2011 PST by vadim
 !
 ! Compiled for pix 6.2
 ! Outbound ACLs: not supported
@ -280,128 +280,116 @@ clear icmp
 clear telnet

 object-group network inside.id3C4E4C38.dst.net.0
- network-object  host 211.11.11.11 
- network-object  host 211.22.22.22 
- exit
-
+  network-object host 211.11.11.11 
+  network-object host 211.22.22.22 
+exit

 object-group service inside.id3C4E4C38.srv.tcp.0 tcp
- port-object eq 113
- port-object eq 80
- port-object eq 25
- port-object eq 22
- port-object eq 540
- port-object eq 443
- port-object eq 143
- exit
-
+  port-object eq 113
+  port-object eq 80
+  port-object eq 25
+  port-object eq 22
+  port-object eq 540
+  port-object eq 443
+  port-object eq 143
+exit

 object-group icmp-type outside.id3D8FCE32.srv.icmp.0
- icmp-object 11
- icmp-object 0
- icmp-object 3
- exit
-
+  icmp-object 11
+  icmp-object 0
+  icmp-object 3
+exit

 object-group service outside.pol-firewall2-2.srv.tcp.0 tcp
- port-object eq 3128
- port-object eq 70
- port-object eq 6667
- port-object eq 23
- exit
-
+  port-object eq 3128
+  port-object eq 70
+  port-object eq 6667
+  port-object eq 23
+exit

 object-group service outside.pol-firewall2-2.srv.udp.0 udp
- port-object eq 161
- port-object eq 53
- exit
-
+  port-object eq 161
+  port-object eq 53
+exit

 object-group network outside.pol-firewall2-3.dst.net.0
- network-object  host 192.168.1.10 
- network-object  host 192.168.1.20 
- exit
-
+  network-object host 192.168.1.10 
+  network-object host 192.168.1.20 
+exit

 object-group network inside.id3E155E82.dst.net.0
- network-object 192.168.1.250 255.255.255.254 
- network-object 192.168.1.252 255.255.255.252 
- exit
-
+  network-object 192.168.1.250 255.255.255.254 
+  network-object 192.168.1.252 255.255.255.252 
+exit

 object-group network outside.id3D0F8031.dst.net.0
- network-object 192.168.1.250 255.255.255.254 
- network-object 192.168.1.252 255.255.255.252 
- exit
-
+  network-object 192.168.1.250 255.255.255.254 
+  network-object 192.168.1.252 255.255.255.252 
+exit

 object-group network outside.id3CD87B1E.dst.net.0
- network-object  host 192.168.1.11 
- network-object  host 192.168.1.12 
- network-object  host 192.168.1.13 
- network-object  host 192.168.1.14 
- network-object  host 192.168.1.15 
- exit
-
+  network-object host 192.168.1.11 
+  network-object host 192.168.1.12 
+  network-object host 192.168.1.13 
+  network-object host 192.168.1.14 
+  network-object host 192.168.1.15 
+exit

 object-group service outside.id3CD87B1E.srv.tcp.0 tcp
- port-object eq 113
- port-object eq 80
- port-object eq 25
- port-object eq 22
- port-object eq 540
- port-object eq 443
- port-object eq 143
- port-object eq 3128
- exit
-
+  port-object eq 113
+  port-object eq 80
+  port-object eq 25
+  port-object eq 22
+  port-object eq 540
+  port-object eq 443
+  port-object eq 143
+  port-object eq 3128
+exit

 object-group network outside.id3CD8770E.dst.net.0
- network-object 192.168.1.11 255.255.255.255 
- network-object 192.168.1.12 255.255.255.252 
- exit
-
+  network-object 192.168.1.11 255.255.255.255 
+  network-object 192.168.1.12 255.255.255.252 
+exit

 object-group service outside.pol-firewall2-4.srv.tcp.0 tcp
- port-object eq 3128
- port-object range 10000 11000
- port-object eq 6667
- port-object eq 113
- port-object eq 53
- port-object eq 21
- port-object eq 80
- port-object eq 119
- port-object eq 25
- port-object eq 22
- port-object eq 23
- port-object eq 540
- port-object eq 70
- port-object eq 13
- port-object eq 2105
- port-object eq 443
- port-object eq 143
- port-object eq 993
- port-object eq 6667
- port-object eq 543
- port-object eq 544
- port-object eq 389
- port-object eq 98
- port-object eq 3306
- port-object eq 2049
- port-object eq 110
- port-object eq 5432
- port-object eq 515
- port-object eq 26000
- port-object eq 512
- port-object eq 513
- port-object eq 514
- port-object eq 4321
- port-object eq 465
- port-object eq 1080
- port-object eq 111
- port-object eq 7100
- exit
-
+  port-object eq 3128
+  port-object range 10000 11000
+  port-object eq 6667
+  port-object eq 113
+  port-object eq 53
+  port-object eq 21
+  port-object eq 80
+  port-object eq 119
+  port-object eq 25
+  port-object eq 22
+  port-object eq 23
+  port-object eq 540
+  port-object eq 70
+  port-object eq 13
+  port-object eq 2105
+  port-object eq 443
+  port-object eq 143
+  port-object eq 993
+  port-object eq 6667
+  port-object eq 543
+  port-object eq 544
+  port-object eq 389
+  port-object eq 98
+  port-object eq 3306
+  port-object eq 2049
+  port-object eq 110
+  port-object eq 5432
+  port-object eq 515
+  port-object eq 26000
+  port-object eq 512
+  port-object eq 513
+  port-object eq 514
+  port-object eq 4321
+  port-object eq 465
+  port-object eq 1080
+  port-object eq 111
+  port-object eq 7100
+exit
 ! 
 ! Rule  -1 backup ssh access rule (automatic)
 ssh    192.168.1.100 255.255.255.255 inside
--- a/test/pix/firewall1.fw.orig
+++ b/test/pix/firewall1.fw.orig
@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3437
+!  Firewall Builder  fwb_pix v4.2.0.3439
 !
-!  Generated Mon Jan 17 17:53:54 2011 PST by vadim
+!  Generated Wed Jan 19 18:23:13 2011 PST by vadim
 !
 ! Compiled for pix 6.1
 ! Outbound ACLs: not supported
@ -69,10 +69,9 @@ floodguard disable
 !################

 object-group icmp-type outside.id3D50B022.srv.icmp.0
- icmp-object 8
- icmp-object 11
- exit
-
+  icmp-object 8
+  icmp-object 11
+exit
 ! 
 ! Rule  2 (eth1)
 ! Anti-spoofing rule
--- a/test/pix/firewall10.fw.orig
+++ b/test/pix/firewall10.fw.orig
@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3437
+!  Firewall Builder  fwb_pix v4.2.0.3439
 !
-!  Generated Mon Jan 17 17:53:55 2011 PST by vadim
+!  Generated Wed Jan 19 18:23:14 2011 PST by vadim
 !
 ! Compiled for pix 6.3
 ! Outbound ACLs: not supported
@ -95,146 +95,132 @@ fixup protocol sqlnet 1521
 !################

 object-group network inside.id3DB0FA90.dst.net.0
- network-object  host 211.11.11.11 
- network-object  host 211.22.22.22 
- exit
-
+  network-object host 211.11.11.11 
+  network-object host 211.22.22.22 
+exit

 object-group service inside.id3DB0FA90.srv.tcp.0 tcp
- port-object eq 113
- port-object eq 80
- port-object eq 25
- port-object eq 22
- port-object eq 540
- port-object eq 443
- port-object eq 143
- exit
-
+  port-object eq 113
+  port-object eq 80
+  port-object eq 25
+  port-object eq 22
+  port-object eq 540
+  port-object eq 443
+  port-object eq 143
+exit

 object-group icmp-type outside.id3DB0F9C7.srv.icmp.0
- icmp-object 11
- icmp-object 0
- icmp-object 3
- exit
-
+  icmp-object 11
+  icmp-object 0
+  icmp-object 3
+exit

 object-group service outside.id3DB0F9BD.srv.tcp.0 tcp
- port-object eq 3128
- port-object eq 70
- port-object eq 6667
- port-object eq 23
- exit
-
+  port-object eq 3128
+  port-object eq 70
+  port-object eq 6667
+  port-object eq 23
+exit

 object-group service outside.id3DB0F9BD.srv.udp.0 udp
- port-object eq 161
- port-object eq 53
- exit
-
+  port-object eq 161
+  port-object eq 53
+exit

 object-group network outside.id3DB0F9E6.dst.net.0
- network-object  host 192.168.1.10 
- network-object  host 192.168.1.20 
- exit
-
+  network-object host 192.168.1.10 
+  network-object host 192.168.1.20 
+exit

 object-group network inside.id3DB10695.src.net.0
- network-object 192.168.1.0 255.255.255.0 
- network-object 192.168.10.0 255.255.255.0 
- network-object 192.168.20.0 255.255.255.0 
- exit
-
+  network-object 192.168.1.0 255.255.255.0 
+  network-object 192.168.10.0 255.255.255.0 
+  network-object 192.168.20.0 255.255.255.0 
+exit

 object-group network dmz.id3DB10695.src.net.0
- network-object 192.168.2.0 255.255.255.0 
- network-object 192.168.3.0 255.255.255.0 
- exit
-
+  network-object 192.168.2.0 255.255.255.0 
+  network-object 192.168.3.0 255.255.255.0 
+exit

 object-group network outside.id3DB10695.dst.net.0
- network-object  host 192.168.1.10 
- network-object  host 192.168.1.11 
- network-object  host 192.168.1.12 
- network-object  host 192.168.1.13 
- network-object  host 192.168.1.14 
- network-object  host 192.168.1.15 
- network-object  host 192.168.1.20 
- exit
-
+  network-object host 192.168.1.10 
+  network-object host 192.168.1.11 
+  network-object host 192.168.1.12 
+  network-object host 192.168.1.13 
+  network-object host 192.168.1.14 
+  network-object host 192.168.1.15 
+  network-object host 192.168.1.20 
+exit

 object-group network outside.id3DB0F9F2.dst.net.0
- network-object 192.168.1.250 255.255.255.254 
- network-object 192.168.1.252 255.255.255.252 
- exit
-
+  network-object 192.168.1.250 255.255.255.254 
+  network-object 192.168.1.252 255.255.255.252 
+exit

 object-group network outside.id3DB0F9FC.dst.net.0
- network-object  host 192.168.1.11 
- network-object  host 192.168.1.12 
- network-object  host 192.168.1.13 
- network-object  host 192.168.1.14 
- network-object  host 192.168.1.15 
- exit
-
+  network-object host 192.168.1.11 
+  network-object host 192.168.1.12 
+  network-object host 192.168.1.13 
+  network-object host 192.168.1.14 
+  network-object host 192.168.1.15 
+exit

 object-group service outside.id3DB0F9FC.srv.tcp.0 tcp
- port-object eq 113
- port-object eq 80
- port-object eq 25
- port-object eq 22
- port-object eq 540
- port-object eq 443
- port-object eq 143
- port-object eq 3128
- exit
-
+  port-object eq 113
+  port-object eq 80
+  port-object eq 25
+  port-object eq 22
+  port-object eq 540
+  port-object eq 443
+  port-object eq 143
+  port-object eq 3128
+exit

 object-group network outside.id3DB0FA07.dst.net.0
- network-object 192.168.1.11 255.255.255.255 
- network-object 192.168.1.12 255.255.255.252 
- exit
-
+  network-object 192.168.1.11 255.255.255.255 
+  network-object 192.168.1.12 255.255.255.252 
+exit

 object-group service outside.id3DB0FA12.srv.tcp.0 tcp
- port-object eq 3128
- port-object range 10000 11000
- port-object eq 6667
- port-object eq 113
- port-object eq 53
- port-object eq 21
- port-object eq 80
- port-object eq 119
- port-object eq 25
- port-object eq 22
- port-object eq 23
- port-object eq 540
- port-object eq 70
- port-object eq 13
- port-object eq 2105
- port-object eq 443
- port-object eq 143
- port-object eq 993
- port-object eq 6667
- port-object eq 543
- port-object eq 544
- port-object eq 389
- port-object eq 98
- port-object eq 3306
- port-object eq 2049
- port-object eq 110
- port-object eq 5432
- port-object eq 515
- port-object eq 26000
- port-object eq 512
- port-object eq 513
- port-object eq 514
- port-object eq 4321
- port-object eq 465
- port-object eq 1080
- port-object eq 111
- port-object eq 7100
- exit
-
+  port-object eq 3128
+  port-object range 10000 11000
+  port-object eq 6667
+  port-object eq 113
+  port-object eq 53
+  port-object eq 21
+  port-object eq 80
+  port-object eq 119
+  port-object eq 25
+  port-object eq 22
+  port-object eq 23
+  port-object eq 540
+  port-object eq 70
+  port-object eq 13
+  port-object eq 2105
+  port-object eq 443
+  port-object eq 143
+  port-object eq 993
+  port-object eq 6667
+  port-object eq 543
+  port-object eq 544
+  port-object eq 389
+  port-object eq 98
+  port-object eq 3306
+  port-object eq 2049
+  port-object eq 110
+  port-object eq 5432
+  port-object eq 515
+  port-object eq 26000
+  port-object eq 512
+  port-object eq 513
+  port-object eq 514
+  port-object eq 4321
+  port-object eq 465
+  port-object eq 1080
+  port-object eq 111
+  port-object eq 7100
+exit
 ! 
 ! Rule  3 (ethernet1)
 ! anti-spoofing rule
--- a/test/pix/firewall11.fw.orig
+++ b/test/pix/firewall11.fw.orig
@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3437
+!  Firewall Builder  fwb_pix v4.2.0.3439
 !
-!  Generated Mon Jan 17 17:53:56 2011 PST by vadim
+!  Generated Wed Jan 19 18:23:14 2011 PST by vadim
 !
 ! Compiled for pix 6.2
 ! Outbound ACLs: not supported
--- a/test/pix/firewall12.fw.orig
+++ b/test/pix/firewall12.fw.orig
@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3437
+!  Firewall Builder  fwb_pix v4.2.0.3439
 !
-!  Generated Mon Jan 17 17:53:56 2011 PST by vadim
+!  Generated Wed Jan 19 18:23:15 2011 PST by vadim
 !
 ! Compiled for pix 6.3
 ! Outbound ACLs: not supported
@ -91,11 +91,10 @@ fixup protocol icmp error
 !################

 object-group network outside.id3F8F95CD.dst.net.0
- network-object  host 192.0.2.20 
- network-object  host 192.0.2.21 
- network-object  host 192.0.2.23 
- exit
-
+  network-object host 192.0.2.20 
+  network-object host 192.0.2.21 
+  network-object host 192.0.2.23 
+exit
 ! 
 ! Rule  0 (global)
 access-list inside_acl_in  remark 0 (global)
--- a/test/pix/firewall13.fw.orig
+++ b/test/pix/firewall13.fw.orig
@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3437
+!  Firewall Builder  fwb_pix v4.2.0.3439
 !
-!  Generated Mon Jan 17 17:53:57 2011 PST by vadim
+!  Generated Wed Jan 19 18:23:15 2011 PST by vadim
 !
 ! Compiled for pix 6.3
 ! Outbound ACLs: not supported
--- a/test/pix/firewall14.fw.orig
+++ b/test/pix/firewall14.fw.orig
@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3437
+!  Firewall Builder  fwb_pix v4.2.0.3439
 !
-!  Generated Mon Jan 17 17:53:58 2011 PST by vadim
+!  Generated Wed Jan 19 18:23:15 2011 PST by vadim
 !
 ! Compiled for pix 6.3
 ! Outbound ACLs: not supported
--- a/test/pix/firewall2.fw.orig
+++ b/test/pix/firewall2.fw.orig
@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3437
+!  Firewall Builder  fwb_pix v4.2.0.3439
 !
-!  Generated Mon Jan 17 17:53:58 2011 PST by vadim
+!  Generated Wed Jan 19 18:23:16 2011 PST by vadim
 !
 ! Compiled for pix 6.3
 ! Outbound ACLs: not supported
@ -69,16 +69,14 @@ clear icmp
 clear telnet

 object-group service inside.id3D6EF08C.srv.tcp.0 tcp
- port-object eq 80
- port-object eq 119
- exit
-
+  port-object eq 80
+  port-object eq 119
+exit

 object-group network inside.id3D8FCCDE.src.net.0
- network-object  host 192.168.1.10 
- network-object  host 192.168.1.20 
- exit
-
+  network-object host 192.168.1.10 
+  network-object host 192.168.1.20 
+exit
 ! 
 ! Rule  0 (eth1)
 ! Anti-spoofing rule
--- a/test/pix/firewall20.fw.orig
+++ b/test/pix/firewall20.fw.orig
@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3437
+!  Firewall Builder  fwb_pix v4.2.0.3439
 !
-!  Generated Mon Jan 17 17:53:59 2011 PST by vadim
+!  Generated Wed Jan 19 18:23:16 2011 PST by vadim
 !
 ! Compiled for pix 6.3
 ! Outbound ACLs: not supported
--- a/test/pix/firewall21-1.fw.orig
+++ b/test/pix/firewall21-1.fw.orig
@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3437
+!  Firewall Builder  fwb_pix v4.2.0.3439
 !
-!  Generated Mon Jan 17 17:54:00 2011 PST by vadim
+!  Generated Wed Jan 19 18:23:17 2011 PST by vadim
 !
 ! Compiled for pix 6.3
 ! Outbound ACLs: not supported
--- a/test/pix/firewall21.fw.orig
+++ b/test/pix/firewall21.fw.orig
@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3437
+!  Firewall Builder  fwb_pix v4.2.0.3439
 !
-!  Generated Mon Jan 17 17:54:00 2011 PST by vadim
+!  Generated Wed Jan 19 18:23:16 2011 PST by vadim
 !
 ! Compiled for pix 7.0
 ! Outbound ACLs: supported
--- a/test/pix/firewall22.fw.orig
+++ b/test/pix/firewall22.fw.orig
@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3437
+!  Firewall Builder  fwb_pix v4.2.0.3439
 !
-!  Generated Mon Jan 17 17:54:01 2011 PST by vadim
+!  Generated Wed Jan 19 18:23:17 2011 PST by vadim
 !
 ! Compiled for pix 7.0
 ! Outbound ACLs: supported
--- a/test/pix/firewall3.fw.orig
+++ b/test/pix/firewall3.fw.orig
@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3437
+!  Firewall Builder  fwb_pix v4.2.0.3439
 !
-!  Generated Mon Jan 17 17:54:02 2011 PST by vadim
+!  Generated Wed Jan 19 18:23:18 2011 PST by vadim
 !
 ! Compiled for pix 6.2
 ! Outbound ACLs: not supported
--- a/test/pix/firewall33.fw.orig
+++ b/test/pix/firewall33.fw.orig
@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3437
+!  Firewall Builder  fwb_pix v4.2.0.3439
 !
-!  Generated Mon Jan 17 17:54:03 2011 PST by vadim
+!  Generated Wed Jan 19 18:23:18 2011 PST by vadim
 !
 ! Compiled for pix 6.3
 ! Outbound ACLs: not supported
@ -68,29 +68,27 @@ floodguard disable
 !################

 object-group network outside.id43867C2418346.src.net.0
- network-object  host 157.166.224.25 
- network-object  host 157.166.224.26 
- network-object  host 157.166.226.25 
- network-object  host 157.166.226.26 
- network-object  host 157.166.255.18 
- network-object  host 157.166.255.19 
- exit
-
+  network-object host 157.166.224.25 
+  network-object host 157.166.224.26 
+  network-object host 157.166.226.25 
+  network-object host 157.166.226.26 
+  network-object host 157.166.255.18 
+  network-object host 157.166.255.19 
+exit

 object-group network outside.id438728A918346.dst.net.0
- network-object  host 74.125.224.48 
- network-object  host 74.125.224.49 
- network-object  host 74.125.224.50 
- network-object  host 74.125.224.51 
- network-object  host 74.125.224.52 
- network-object  host 157.166.224.25 
- network-object  host 157.166.224.26 
- network-object  host 157.166.226.25 
- network-object  host 157.166.226.26 
- network-object  host 157.166.255.18 
- network-object  host 157.166.255.19 
- exit
-
+  network-object host 74.125.224.16 
+  network-object host 74.125.224.17 
+  network-object host 74.125.224.18 
+  network-object host 74.125.224.19 
+  network-object host 74.125.224.20 
+  network-object host 157.166.224.25 
+  network-object host 157.166.224.26 
+  network-object host 157.166.226.25 
+  network-object host 157.166.226.26 
+  network-object host 157.166.255.18 
+  network-object host 157.166.255.19 
+exit
 ! 
 ! Rule  0 (eth0.100)
 access-list outside_acl_in deny   ip 192.168.1.0 255.255.255.0 any 
--- a/test/pix/firewall34.fw.orig
+++ b/test/pix/firewall34.fw.orig
@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3437
+!  Firewall Builder  fwb_pix v4.2.0.3439
 !
-!  Generated Mon Jan 17 17:54:04 2011 PST by vadim
+!  Generated Wed Jan 19 18:23:19 2011 PST by vadim
 !
 ! Compiled for pix 6.3
 ! Outbound ACLs: not supported
@ -63,133 +63,129 @@ floodguard disable
 !################

 object-group network outside.id16988X10208.dst.net.0
- network-object 192.168.1.1 255.255.255.255 
- network-object 192.168.1.2 255.255.255.255 
- network-object 192.168.1.3 255.255.255.252 
- network-object 192.168.1.200 255.255.255.255 
- network-object 192.168.1.201 255.255.255.255 
- exit
-
+  network-object 192.168.1.1 255.255.255.255 
+  network-object 192.168.1.2 255.255.255.255 
+  network-object 192.168.1.3 255.255.255.252 
+  network-object 192.168.1.200 255.255.255.255 
+  network-object 192.168.1.201 255.255.255.255 
+exit

 object-group network outside.id4390C25825682.dst.net.0
- network-object 58.33.181.83 255.255.255.255 
- network-object 58.53.82.190 255.255.255.255 
- network-object 58.231.13.78 255.255.255.255 
- network-object  host 61.150.47.112 
- network-object 61.184.14.102 255.255.255.255 
- network-object 64.106.85.186 255.255.255.255 
- network-object 70.228.60.100 255.255.255.255 
- network-object 80.51.236.6 255.255.255.255 
- network-object 80.243.72.149 255.255.255.255 
- network-object 80.249.77.34 255.255.255.255 
- network-object 81.2.36.254 255.255.255.255 
- network-object 81.196.74.125 255.255.255.255 
- network-object 82.77.37.174 255.255.255.255 
- network-object 82.117.221.205 255.255.255.255 
- network-object 82.143.196.17 255.255.255.255 
- network-object 84.90.8.198 255.255.255.255 
- network-object 151.8.224.178 255.255.255.255 
- network-object 168.156.76.20 255.255.255.255 
- network-object 193.207.126.36 255.255.255.255 
- network-object 195.136.186.35 255.255.255.255 
- network-object 196.15.136.15 255.255.255.255 
- network-object 201.10.180.138 255.255.255.255 
- network-object 201.17.93.16 255.255.255.255 
- network-object 201.36.156.121 255.255.255.255 
- network-object 202.96.112.93 255.255.255.255 
- network-object 202.103.25.253 255.255.255.255 
- network-object 203.162.3.209 255.255.255.255 
- network-object 203.209.124.144 255.255.255.255 
- network-object 210.106.193.237 255.255.255.255 
- network-object 210.222.114.102 255.255.255.255 
- network-object 211.144.143.143 255.255.255.255 
- network-object 211.172.218.237 255.255.255.255 
- network-object 211.250.16.132 255.255.255.255 
- network-object 212.21.241.31 255.255.255.255 
- network-object 212.100.212.100 255.255.255.255 
- network-object 218.18.72.252 255.255.255.255 
- network-object 218.39.114.122 255.255.255.255 
- network-object 218.55.115.43 255.255.255.255 
- network-object 218.104.138.146 255.255.255.255 
- network-object 219.132.104.160 255.255.255.255 
- network-object 220.71.17.86 255.255.255.255 
- network-object 220.81.50.105 255.255.255.255 
- network-object 220.91.99.46 255.255.255.255 
- network-object 221.14.249.242 255.255.255.255 
- network-object 221.166.177.135 255.255.255.255 
- network-object 221.198.33.38 255.255.255.255 
- network-object 221.202.160.233 255.255.255.255 
- network-object 221.205.54.125 255.255.255.255 
- network-object 221.217.44.248 255.255.255.255 
- network-object 222.100.212.223 255.255.255.255 
- network-object 222.121.118.144 255.255.255.255 
- network-object 222.174.113.2 255.255.255.255 
- exit
-
+  network-object 58.33.181.83 255.255.255.255 
+  network-object 58.53.82.190 255.255.255.255 
+  network-object 58.231.13.78 255.255.255.255 
+  network-object host 61.150.47.112 
+  network-object 61.184.14.102 255.255.255.255 
+  network-object 64.106.85.186 255.255.255.255 
+  network-object 70.228.60.100 255.255.255.255 
+  network-object 80.51.236.6 255.255.255.255 
+  network-object 80.243.72.149 255.255.255.255 
+  network-object 80.249.77.34 255.255.255.255 
+  network-object 81.2.36.254 255.255.255.255 
+  network-object 81.196.74.125 255.255.255.255 
+  network-object 82.77.37.174 255.255.255.255 
+  network-object 82.117.221.205 255.255.255.255 
+  network-object 82.143.196.17 255.255.255.255 
+  network-object 84.90.8.198 255.255.255.255 
+  network-object 151.8.224.178 255.255.255.255 
+  network-object 168.156.76.20 255.255.255.255 
+  network-object 193.207.126.36 255.255.255.255 
+  network-object 195.136.186.35 255.255.255.255 
+  network-object 196.15.136.15 255.255.255.255 
+  network-object 201.10.180.138 255.255.255.255 
+  network-object 201.17.93.16 255.255.255.255 
+  network-object 201.36.156.121 255.255.255.255 
+  network-object 202.96.112.93 255.255.255.255 
+  network-object 202.103.25.253 255.255.255.255 
+  network-object 203.162.3.209 255.255.255.255 
+  network-object 203.209.124.144 255.255.255.255 
+  network-object 210.106.193.237 255.255.255.255 
+  network-object 210.222.114.102 255.255.255.255 
+  network-object 211.144.143.143 255.255.255.255 
+  network-object 211.172.218.237 255.255.255.255 
+  network-object 211.250.16.132 255.255.255.255 
+  network-object 212.21.241.31 255.255.255.255 
+  network-object 212.100.212.100 255.255.255.255 
+  network-object 218.18.72.252 255.255.255.255 
+  network-object 218.39.114.122 255.255.255.255 
+  network-object 218.55.115.43 255.255.255.255 
+  network-object 218.104.138.146 255.255.255.255 
+  network-object 219.132.104.160 255.255.255.255 
+  network-object 220.71.17.86 255.255.255.255 
+  network-object 220.81.50.105 255.255.255.255 
+  network-object 220.91.99.46 255.255.255.255 
+  network-object 221.14.249.242 255.255.255.255 
+  network-object 221.166.177.135 255.255.255.255 
+  network-object 221.198.33.38 255.255.255.255 
+  network-object 221.202.160.233 255.255.255.255 
+  network-object 221.205.54.125 255.255.255.255 
+  network-object 221.217.44.248 255.255.255.255 
+  network-object 222.100.212.223 255.255.255.255 
+  network-object 222.121.118.144 255.255.255.255 
+  network-object 222.174.113.2 255.255.255.255 
+exit

 object-group network outside.id4388CFF8674.src.net.0
- network-object 58.33.181.83 255.255.255.255 
- network-object 58.53.82.190 255.255.255.255 
- network-object 58.231.13.78 255.255.255.255 
- network-object 61.150.47.112 255.255.255.255 
- network-object 61.184.14.102 255.255.255.255 
- network-object 64.106.85.186 255.255.255.255 
- network-object 70.228.60.100 255.255.255.255 
- network-object 80.51.236.6 255.255.255.255 
- network-object 80.243.72.149 255.255.255.255 
- network-object 80.249.77.34 255.255.255.255 
- network-object 81.2.36.254 255.255.255.255 
- network-object 81.196.74.125 255.255.255.255 
- network-object 82.77.37.174 255.255.255.255 
- network-object 82.117.221.205 255.255.255.255 
- network-object 82.143.196.17 255.255.255.255 
- network-object 84.90.8.198 255.255.255.255 
- network-object 151.8.224.178 255.255.255.255 
- network-object 168.156.76.20 255.255.255.255 
- network-object 193.207.126.36 255.255.255.255 
- network-object 195.136.186.35 255.255.255.255 
- network-object 196.15.136.15 255.255.255.255 
- network-object 201.10.180.138 255.255.255.255 
- network-object 201.17.93.16 255.255.255.255 
- network-object 201.36.156.121 255.255.255.255 
- network-object 202.96.112.93 255.255.255.255 
- network-object 202.103.25.253 255.255.255.255 
- network-object 203.162.3.209 255.255.255.255 
- network-object 203.209.124.144 255.255.255.255 
- network-object 210.106.193.237 255.255.255.255 
- network-object 210.222.114.102 255.255.255.255 
- network-object 211.144.143.143 255.255.255.255 
- network-object 211.172.218.237 255.255.255.255 
- network-object 211.250.16.132 255.255.255.255 
- network-object 212.21.241.31 255.255.255.255 
- network-object 212.100.212.100 255.255.255.255 
- network-object 218.18.72.252 255.255.255.255 
- network-object 218.39.114.122 255.255.255.255 
- network-object 218.55.115.43 255.255.255.255 
- network-object 218.104.138.146 255.255.255.255 
- network-object 219.132.104.160 255.255.255.255 
- network-object 220.71.17.86 255.255.255.255 
- network-object 220.81.50.105 255.255.255.255 
- network-object 220.91.99.46 255.255.255.255 
- network-object 221.14.249.242 255.255.255.255 
- network-object 221.166.177.135 255.255.255.255 
- network-object 221.198.33.38 255.255.255.255 
- network-object 221.202.160.233 255.255.255.255 
- network-object 221.205.54.125 255.255.255.255 
- network-object 221.217.44.248 255.255.255.255 
- network-object 222.100.212.223 255.255.255.255 
- network-object 222.121.118.144 255.255.255.255 
- network-object 222.174.113.2 255.255.255.255 
- exit
-
+  network-object 58.33.181.83 255.255.255.255 
+  network-object 58.53.82.190 255.255.255.255 
+  network-object 58.231.13.78 255.255.255.255 
+  network-object 61.150.47.112 255.255.255.255 
+  network-object 61.184.14.102 255.255.255.255 
+  network-object 64.106.85.186 255.255.255.255 
+  network-object 70.228.60.100 255.255.255.255 
+  network-object 80.51.236.6 255.255.255.255 
+  network-object 80.243.72.149 255.255.255.255 
+  network-object 80.249.77.34 255.255.255.255 
+  network-object 81.2.36.254 255.255.255.255 
+  network-object 81.196.74.125 255.255.255.255 
+  network-object 82.77.37.174 255.255.255.255 
+  network-object 82.117.221.205 255.255.255.255 
+  network-object 82.143.196.17 255.255.255.255 
+  network-object 84.90.8.198 255.255.255.255 
+  network-object 151.8.224.178 255.255.255.255 
+  network-object 168.156.76.20 255.255.255.255 
+  network-object 193.207.126.36 255.255.255.255 
+  network-object 195.136.186.35 255.255.255.255 
+  network-object 196.15.136.15 255.255.255.255 
+  network-object 201.10.180.138 255.255.255.255 
+  network-object 201.17.93.16 255.255.255.255 
+  network-object 201.36.156.121 255.255.255.255 
+  network-object 202.96.112.93 255.255.255.255 
+  network-object 202.103.25.253 255.255.255.255 
+  network-object 203.162.3.209 255.255.255.255 
+  network-object 203.209.124.144 255.255.255.255 
+  network-object 210.106.193.237 255.255.255.255 
+  network-object 210.222.114.102 255.255.255.255 
+  network-object 211.144.143.143 255.255.255.255 
+  network-object 211.172.218.237 255.255.255.255 
+  network-object 211.250.16.132 255.255.255.255 
+  network-object 212.21.241.31 255.255.255.255 
+  network-object 212.100.212.100 255.255.255.255 
+  network-object 218.18.72.252 255.255.255.255 
+  network-object 218.39.114.122 255.255.255.255 
+  network-object 218.55.115.43 255.255.255.255 
+  network-object 218.104.138.146 255.255.255.255 
+  network-object 219.132.104.160 255.255.255.255 
+  network-object 220.71.17.86 255.255.255.255 
+  network-object 220.81.50.105 255.255.255.255 
+  network-object 220.91.99.46 255.255.255.255 
+  network-object 221.14.249.242 255.255.255.255 
+  network-object 221.166.177.135 255.255.255.255 
+  network-object 221.198.33.38 255.255.255.255 
+  network-object 221.202.160.233 255.255.255.255 
+  network-object 221.205.54.125 255.255.255.255 
+  network-object 221.217.44.248 255.255.255.255 
+  network-object 222.100.212.223 255.255.255.255 
+  network-object 222.121.118.144 255.255.255.255 
+  network-object 222.174.113.2 255.255.255.255 
+exit

 object-group network outside.id21263X16880.src.net.0
- network-object 10.1.0.0 255.255.255.0 
- network-object 10.1.2.0 255.255.255.0 
- network-object 10.1.3.0 255.255.255.0 
- network-object 10.1.4.0 255.255.255.0 
- exit
-
+  network-object 10.1.0.0 255.255.255.0 
+  network-object 10.1.2.0 255.255.255.0 
+  network-object 10.1.3.0 255.255.255.0 
+  network-object 10.1.4.0 255.255.255.0 
+exit
 ! 
 ! Rule  0 (global)
 access-list outside_acl_in permit ip any 192.168.2.128 255.255.255.128 
--- a/test/pix/firewall4.fw.orig
+++ b/test/pix/firewall4.fw.orig
@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3437
+!  Firewall Builder  fwb_pix v4.2.0.3439
 !
-!  Generated Mon Jan 17 17:54:04 2011 PST by vadim
+!  Generated Wed Jan 19 18:23:19 2011 PST by vadim
 !
 ! Compiled for pix 6.2
 ! Outbound ACLs: not supported
@ -81,16 +81,14 @@ clear icmp
 clear telnet

 object-group service inside.id3D79A1C2.srv.tcp.0 tcp
- port-object eq 22
- port-object eq 80
- exit
-
+  port-object eq 22
+  port-object eq 80
+exit

 object-group network inside.id3D79A1E4.dst.net.0
- network-object  host 192.168.1.10 
- network-object  host 192.168.1.20 
- exit
-
+  network-object host 192.168.1.10 
+  network-object host 192.168.1.20 
+exit
 ! 
 ! Rule  0 (global)
 access-list inside_acl_in permit tcp any host 192.168.1.10 eq 22 
--- a/test/pix/firewall50.fw.orig
+++ b/test/pix/firewall50.fw.orig
@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3437
+!  Firewall Builder  fwb_pix v4.2.0.3439
 !
-!  Generated Mon Jan 17 17:54:05 2011 PST by vadim
+!  Generated Wed Jan 19 18:23:20 2011 PST by vadim
 !
 ! Compiled for pix 7.0
 ! Outbound ACLs: supported
@ -130,128 +130,116 @@ clear config icmp
 clear config telnet

 object-group network inside.id45142FA628543.dst.net.0
- network-object  host 211.11.11.11 
- network-object  host 211.22.22.22 
- exit
-
+  network-object host 211.11.11.11 
+  network-object host 211.22.22.22 
+exit

 object-group service inside.id45142FA628543.srv.tcp.0 tcp
- port-object eq 113
- port-object eq 80
- port-object eq 25
- port-object eq 22
- port-object eq 540
- port-object eq 443
- port-object eq 143
- exit
-
+  port-object eq 113
+  port-object eq 80
+  port-object eq 25
+  port-object eq 22
+  port-object eq 540
+  port-object eq 443
+  port-object eq 143
+exit

 object-group icmp-type outside.id45142FCB28543.srv.icmp.0
- icmp-object 11
- icmp-object 0
- icmp-object 3
- exit
-
+  icmp-object 11
+  icmp-object 0
+  icmp-object 3
+exit

 object-group service outside.id45142FD728543.srv.tcp.0 tcp
- port-object eq 3128
- port-object eq 70
- port-object eq 6667
- port-object eq 23
- exit
-
+  port-object eq 3128
+  port-object eq 70
+  port-object eq 6667
+  port-object eq 23
+exit

 object-group service outside.id45142FD728543.srv.udp.0 udp
- port-object eq 161
- port-object eq 53
- exit
-
+  port-object eq 161
+  port-object eq 53
+exit

 object-group network outside.id45142FFC28543.dst.net.0
- network-object  host 192.168.1.10 
- network-object  host 192.168.1.20 
- exit
-
+  network-object host 192.168.1.10 
+  network-object host 192.168.1.20 
+exit

 object-group network inside.id4514300A28543.dst.net.0
- network-object 192.168.1.250 255.255.255.254 
- network-object 192.168.1.252 255.255.255.252 
- exit
-
+  network-object 192.168.1.250 255.255.255.254 
+  network-object 192.168.1.252 255.255.255.252 
+exit

 object-group network outside.id4514301628543.dst.net.0
- network-object 192.168.1.250 255.255.255.254 
- network-object 192.168.1.252 255.255.255.252 
- exit
-
+  network-object 192.168.1.250 255.255.255.254 
+  network-object 192.168.1.252 255.255.255.252 
+exit

 object-group network outside.id4514302F28543.dst.net.0
- network-object  host 192.168.1.11 
- network-object  host 192.168.1.12 
- network-object  host 192.168.1.13 
- network-object  host 192.168.1.14 
- network-object  host 192.168.1.15 
- exit
-
+  network-object host 192.168.1.11 
+  network-object host 192.168.1.12 
+  network-object host 192.168.1.13 
+  network-object host 192.168.1.14 
+  network-object host 192.168.1.15 
+exit

 object-group service outside.id4514302F28543.srv.tcp.0 tcp
- port-object eq 113
- port-object eq 80
- port-object eq 25
- port-object eq 22
- port-object eq 540
- port-object eq 443
- port-object eq 143
- port-object eq 3128
- exit
-
+  port-object eq 113
+  port-object eq 80
+  port-object eq 25
+  port-object eq 22
+  port-object eq 540
+  port-object eq 443
+  port-object eq 143
+  port-object eq 3128
+exit

 object-group network outside.id4514303C28543.dst.net.0
- network-object 192.168.1.11 255.255.255.255 
- network-object 192.168.1.12 255.255.255.252 
- exit
-
+  network-object 192.168.1.11 255.255.255.255 
+  network-object 192.168.1.12 255.255.255.252 
+exit

 object-group service outside.id4514304928543.srv.tcp.0 tcp
- port-object eq 3128
- port-object range 10000 11000
- port-object eq 6667
- port-object eq 113
- port-object eq 53
- port-object eq 21
- port-object eq 80
- port-object eq 119
- port-object eq 25
- port-object eq 22
- port-object eq 23
- port-object eq 540
- port-object eq 70
- port-object eq 13
- port-object eq 2105
- port-object eq 443
- port-object eq 143
- port-object eq 993
- port-object eq 6667
- port-object eq 543
- port-object eq 544
- port-object eq 389
- port-object eq 98
- port-object eq 3306
- port-object eq 2049
- port-object eq 110
- port-object eq 5432
- port-object eq 515
- port-object eq 26000
- port-object eq 512
- port-object eq 513
- port-object eq 514
- port-object eq 4321
- port-object eq 465
- port-object eq 1080
- port-object eq 111
- port-object eq 7100
- exit
-
+  port-object eq 3128
+  port-object range 10000 11000
+  port-object eq 6667
+  port-object eq 113
+  port-object eq 53
+  port-object eq 21
+  port-object eq 80
+  port-object eq 119
+  port-object eq 25
+  port-object eq 22
+  port-object eq 23
+  port-object eq 540
+  port-object eq 70
+  port-object eq 13
+  port-object eq 2105
+  port-object eq 443
+  port-object eq 143
+  port-object eq 993
+  port-object eq 6667
+  port-object eq 543
+  port-object eq 544
+  port-object eq 389
+  port-object eq 98
+  port-object eq 3306
+  port-object eq 2049
+  port-object eq 110
+  port-object eq 5432
+  port-object eq 515
+  port-object eq 26000
+  port-object eq 512
+  port-object eq 513
+  port-object eq 514
+  port-object eq 4321
+  port-object eq 465
+  port-object eq 1080
+  port-object eq 111
+  port-object eq 7100
+exit
 ! 
 ! Rule  2 (ethernet1)
 icmp permit any 3  outside
--- a/test/pix/firewall6.fw.orig
+++ b/test/pix/firewall6.fw.orig
@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3437
+!  Firewall Builder  fwb_pix v4.2.0.3439
 !
-!  Generated Mon Jan 17 17:54:06 2011 PST by vadim
+!  Generated Wed Jan 19 18:23:20 2011 PST by vadim
 !
 ! Compiled for pix 6.2
 ! Outbound ACLs: not supported
--- a/test/pix/firewall8.fw.orig
+++ b/test/pix/firewall8.fw.orig
@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3437
+!  Firewall Builder  fwb_pix v4.2.0.3439
 !
-!  Generated Mon Jan 17 17:54:07 2011 PST by vadim
+!  Generated Wed Jan 19 18:23:21 2011 PST by vadim
 !
 ! Compiled for pix 6.2
 ! Outbound ACLs: not supported
--- a/test/pix/firewall80.fw.orig
+++ b/test/pix/firewall80.fw.orig
@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3437
+!  Firewall Builder  fwb_pix v4.2.0.3439
 !
-!  Generated Mon Jan 17 17:54:08 2011 PST by vadim
+!  Generated Wed Jan 19 18:23:21 2011 PST by vadim
 !
 ! Compiled for pix 8.2
 ! Outbound ACLs: supported
@ -15,12 +15,7 @@
 !
 ! testing rules with broadcasts

-! C firewall80:Policy:9: error: CustomService objects are only supported for ASA 8.3 and later
-! C firewall80:Policy:9: error: CustomService objects are only supported for ASA 8.3 and later
-! C firewall80:Policy:10: error: CustomService objects are only supported for ASA 8.3 and later
-! C firewall80:Policy:10: error: CustomService objects are only supported for ASA 8.3 and later
-
-! N firewall80:NAT:0: error: CustomService objects are only supported for ASA 8.3 and later
+! N firewall80:NAT:0: error: CustomService objects are not supported in NAT rules

 !
 ! Prolog script:
@ -97,37 +92,25 @@ clear config object-group
 clear config icmp
 clear config telnet

-object-group service outside.id19186X29796.srv.mixed.0
- service-object udp eq 123
- service-object udp eq 53
- service-object tcp eq 53
- service-object tcp eq 25
- service-object icmp 8
- service-object icmp 0
- service-object 51
- service-object 50
- exit
+object-group icmp-type outside.id19186X29796.srv.icmp.0
+  icmp-object 8
+  icmp-object 0
+exit

+object-group service outside.id19186X29796.srv.tcp.0 tcp
+  port-object eq 53
+  port-object eq 25
+exit

-object-group service outside.id69378X1497.srv.mixed.0
- service-object icmp 
- service-object tcp range 0 65535
- exit
-
-
-object-group service inside.id21447X11252.srv.icmp.0
- service-object icmp 8
- service-object icmp 3
- exit
-
-
-object-group service inside.id21447X11252.srv.mixed.0
- service-object icmp 8
- service-object icmp 3
- service-object udp eq 53
- service-object tcp eq 3128
- exit
+object-group service outside.id19186X29796.srv.udp.0 udp
+  port-object eq 123
+  port-object eq 53
+exit

+object-group icmp-type inside.id21447X11252.srv.icmp.0
+  icmp-object 8
+  icmp-object 3
+exit
 ! 
 ! Rule  0 (FastEthernet1)
 ssh    0.0.0.0 0.0.0.0 inside
@ -144,8 +127,16 @@ icmp permit any 3  inside
 access-list inside_acl_in permit icmp any host 192.168.1.1 3 
 ! 
 ! Rule  4 (global)
-access-list outside_acl_in permit  any host 192.168.1.10 object-group outside.id19186X29796.srv.mixed.0 
-access-list inside_acl_in permit  any host 192.168.1.10 object-group outside.id19186X29796.srv.mixed.0 
+access-list outside_acl_in permit icmp any host 192.168.1.10 object-group outside.id19186X29796.srv.icmp.0 
+access-list inside_acl_in permit icmp any host 192.168.1.10 object-group outside.id19186X29796.srv.icmp.0 
+access-list outside_acl_in permit tcp any host 192.168.1.10 object-group outside.id19186X29796.srv.tcp.0 
+access-list inside_acl_in permit tcp any host 192.168.1.10 object-group outside.id19186X29796.srv.tcp.0 
+access-list outside_acl_in permit udp any host 192.168.1.10 object-group outside.id19186X29796.srv.udp.0 
+access-list inside_acl_in permit udp any host 192.168.1.10 object-group outside.id19186X29796.srv.udp.0 
+access-list outside_acl_in permit 50 any host 192.168.1.10 
+access-list inside_acl_in permit 50 any host 192.168.1.10 
+access-list outside_acl_in permit 51 any host 192.168.1.10 
+access-list inside_acl_in permit 51 any host 192.168.1.10 
 ! 
 ! Rule  5 (global)
 ! matching source ports
@ -164,8 +155,10 @@ access-list inside_acl_in deny   tcp any range 30000 30030 host 192.168.1.10
 ! matching "any" icmp and "all" tcp 
 ! in one service-group
 ! 
-access-list outside_acl_in deny    any host 192.168.1.10 object-group outside.id69378X1497.srv.mixed.0 
-access-list inside_acl_in deny    any host 192.168.1.10 object-group outside.id69378X1497.srv.mixed.0 
+access-list outside_acl_in deny   icmp any host 192.168.1.10 
+access-list inside_acl_in deny   icmp any host 192.168.1.10 
+access-list outside_acl_in deny   tcp any host 192.168.1.10 
+access-list inside_acl_in deny   tcp any host 192.168.1.10 
 ! 
 ! Rule  8 (global)
 ! for #1938 matching
@ -173,11 +166,21 @@ access-list inside_acl_in deny    any host 192.168.1.10 object-group outside.id6
 icmp permit 192.168.1.0 255.255.255.192 8 inside
 icmp permit 192.168.1.0 255.255.255.192 3 inside
 access-list inside_acl_in permit icmp 192.168.1.0 255.255.255.192 host 192.168.1.1 object-group inside.id21447X11252.srv.icmp.0 
-access-list inside_acl_in permit  192.168.1.0 255.255.255.192 any object-group inside.id21447X11252.srv.mixed.0 
+access-list inside_acl_in permit icmp 192.168.1.0 255.255.255.192 any object-group inside.id21447X11252.srv.icmp.0 
+access-list inside_acl_in permit tcp 192.168.1.0 255.255.255.192 any eq 3128 
+access-list inside_acl_in permit udp 192.168.1.0 255.255.255.192 any eq 53 
+! 
+! Rule  9 (global)
+! for #1942
+! using custom service
+access-list outside_acl_in deny   tcp any host 192.168.1.10 neq 8080 
+access-list inside_acl_in deny   tcp any host 192.168.1.10 neq 8080 
 ! 
 ! Rule  10 (global)
 ! for #1942
 ! using custom service
+access-list outside_acl_in deny   tcp any host 192.168.1.10 neq 8080 
+access-list inside_acl_in deny   tcp any host 192.168.1.10 neq 8080 
 access-list outside_acl_in deny   tcp any host 192.168.1.10 eq 3128 
 access-list inside_acl_in deny   tcp any host 192.168.1.10 eq 3128 
 ! 
--- a/test/pix/firewall81.fw.orig
+++ b/test/pix/firewall81.fw.orig
@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3437
+!  Firewall Builder  fwb_pix v4.2.0.3439
 !
-!  Generated Mon Jan 17 17:54:08 2011 PST by vadim
+!  Generated Wed Jan 19 18:23:22 2011 PST by vadim
 !
 ! Compiled for pix 8.3
 ! Outbound ACLs: supported
@ -94,28 +94,15 @@ clear config access-list
 clear config object-group
 clear config icmp
 clear config telnet
-
-object service custom_serv_1
-  service resetinbound interface outside
-quit
-
-object-group service inside.id86733X27607.srv.mixed.0
- service-object icmp 
- service-object tcp range 0 65535
- exit
-
-
-object-group service inside.id127389X26962.srv.mixed.0
- service-object object custom_serv_1
- exit
-
 ! 
 ! Rule  0 (global)
 ! matching "any" icmp and "all" tcp 
 ! in one service-group
 ! 
-access-list inside_acl_in deny    any host 192.168.1.10 object-group inside.id86733X27607.srv.mixed.0 
-access-list outside_acl_in deny    any host 192.168.1.10 object-group inside.id86733X27607.srv.mixed.0 
+access-list inside_acl_in deny   icmp any host 192.168.1.10 
+access-list outside_acl_in deny   icmp any host 192.168.1.10 
+access-list inside_acl_in deny   tcp any host 192.168.1.10 
+access-list outside_acl_in deny   tcp any host 192.168.1.10 
 ! 
 ! Rule  1 (FastEthernet1)
 ! test rule using translated address in dst
@ -136,14 +123,14 @@ access-list outside_acl_in permit tcp any host 22.22.22.22 eq 80
 ! Rule  4 (global)
 ! for #1942
 ! using custom service
-access-list inside_acl_in deny   tcp any host 192.168.1.10 object-group inside.id127389X26962.srv.mixed.0 
-access-list outside_acl_in deny   tcp any host 192.168.1.10 object-group inside.id127389X26962.srv.mixed.0 
+access-list inside_acl_in deny   tcp any host 192.168.1.10 tcp destination neq 8080 
+access-list outside_acl_in deny   tcp any host 192.168.1.10 tcp destination neq 8080 
 ! 
 ! Rule  5 (global)
 ! for #1942
 ! using custom service
-access-list inside_acl_in deny   tcp any host 192.168.1.10 object-group inside.id127389X26962.srv.mixed.0 
-access-list outside_acl_in deny   tcp any host 192.168.1.10 object-group inside.id127389X26962.srv.mixed.0 
+access-list inside_acl_in deny   tcp any host 192.168.1.10 tcp destination neq 8080 
+access-list outside_acl_in deny   tcp any host 192.168.1.10 tcp destination neq 8080 
 access-list inside_acl_in deny   tcp any host 192.168.1.10 eq 3128 
 access-list outside_acl_in deny   tcp any host 192.168.1.10 eq 3128 
 ! 
@ -159,15 +146,15 @@ clear xlate
 clear config nat
 clear config object

-object service http
+object service http.0
  service tcp destination eq 80
 quit
-object network hostA:eth0
+object network hostA:eth0.0
  host 192.168.1.10
 quit
 ! 
 ! Rule  0 (NAT)
-nat (outside,inside) source static any any destination static interface hostA:eth0 service http http description "0 (NAT)"
+nat (outside,inside) source static any any destination static interface hostA:eth0.0 service http.0 http.0 description "0 (NAT)"



--- a/test/pix/firewall82.fw.orig
+++ b/test/pix/firewall82.fw.orig
@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3437
+!  Firewall Builder  fwb_pix v4.2.0.3439
 !
-!  Generated Mon Jan 17 17:54:09 2011 PST by vadim
+!  Generated Wed Jan 19 18:23:22 2011 PST by vadim
 !
 ! Compiled for pix 8.3
 ! Outbound ACLs: supported
@ -94,20 +94,15 @@ clear config access-list
 clear config object-group
 clear config icmp
 clear config telnet
-
-
-object-group service inside.id923611X27607.srv.mixed.0
- service-object icmp 
- service-object tcp range 0 65535
- exit
-
 ! 
 ! Rule  0 (global)
 ! matching "any" icmp and "all" tcp 
 ! in one service-group
 ! 
-access-list inside_acl_in deny    any host 192.168.1.10 object-group inside.id923611X27607.srv.mixed.0 
-access-list outside_acl_in deny    any host 192.168.1.10 object-group inside.id923611X27607.srv.mixed.0 
+access-list inside_acl_in deny   icmp any host 192.168.1.10 
+access-list outside_acl_in deny   icmp any host 192.168.1.10 
+access-list inside_acl_in deny   tcp any host 192.168.1.10 
+access-list outside_acl_in deny   tcp any host 192.168.1.10 
 ! 
 ! Rule  1 (FastEthernet1)
 ! test rule using translated address in dst
@ -137,15 +132,15 @@ clear xlate
 clear config nat
 clear config object

-object service http
+object service http.0
  service tcp destination eq 80
 quit
-object network hostA:eth0
+object network hostA:eth0.0
  host 192.168.1.10
 quit
 ! 
 ! Rule  0 (NAT)
-nat (outside,inside) source static any any destination static interface hostA:eth0 service http http description "0 (NAT)"
+nat (outside,inside) source static any any destination static interface hostA:eth0.0 service http.0 http.0 description "0 (NAT)"



--- a/test/pix/firewall83.fw.orig
+++ b/test/pix/firewall83.fw.orig
@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3437
+!  Firewall Builder  fwb_pix v4.2.0.3439
 !
-!  Generated Mon Jan 17 17:54:10 2011 PST by vadim
+!  Generated Wed Jan 19 18:23:22 2011 PST by vadim
 !
 ! Compiled for pix 8.3
 ! Outbound ACLs: supported
@ -92,20 +92,15 @@ clear config access-list
 clear config object-group
 clear config icmp
 clear config telnet
-
-
-object-group service inside.id923813X27607.srv.mixed.0
- service-object icmp 
- service-object tcp range 0 65535
- exit
-
 ! 
 ! Rule  0 (global)
 ! matching "any" icmp and "all" tcp 
 ! in one service-group
 ! 
-access-list inside_acl_in deny    any host 192.168.1.10 object-group inside.id923813X27607.srv.mixed.0 
-access-list outside_acl_in deny    any host 192.168.1.10 object-group inside.id923813X27607.srv.mixed.0 
+access-list inside_acl_in deny   icmp any host 192.168.1.10 
+access-list outside_acl_in deny   icmp any host 192.168.1.10 
+access-list inside_acl_in deny   tcp any host 192.168.1.10 
+access-list outside_acl_in deny   tcp any host 192.168.1.10 
 ! 
 ! Rule  1 (FastEthernet1)
 ! test rule using translated address in dst
@ -132,15 +127,15 @@ clear xlate
 clear config nat
 clear config object

-object network hostA:eth0
+object network hostA:eth0.0
  host 192.168.1.10
 quit
-object service http
+object service http.0
  service tcp destination eq 80
 quit
 ! 
 ! Rule  0 (NAT)
-nat (inside,outside) source static hostA:eth0 interface service http http description "0 (NAT)"
+nat (inside,outside) source static hostA:eth0.0 interface service http.0 http.0 description "0 (NAT)"



--- a/test/pix/firewall9.fw.orig
+++ b/test/pix/firewall9.fw.orig
@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3437
+!  Firewall Builder  fwb_pix v4.2.0.3439
 !
-!  Generated Mon Jan 17 17:54:11 2011 PST by vadim
+!  Generated Wed Jan 19 18:23:23 2011 PST by vadim
 !
 ! Compiled for pix 6.3
 ! Outbound ACLs: not supported
--- a/test/pix/firewall90.fw.orig
+++ b/test/pix/firewall90.fw.orig
@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3437
+!  Firewall Builder  fwb_pix v4.2.0.3439
 !
-!  Generated Mon Jan 17 17:54:11 2011 PST by vadim
+!  Generated Wed Jan 19 18:23:23 2011 PST by vadim
 !
 ! Compiled for pix 8.3
 ! Outbound ACLs: supported
@ -18,6 +18,8 @@

 ! N firewall90:NAT:13: error: Option 'translate dns' can not be used in combination with destination matching or translation
 ! N firewall90:NAT:14: error: Option 'translate dns' can not be used in combination with service matching or translation
+! N firewall90:NAT:19: warning: Objects used in Original Source and Translated Source of the rule dictate that the same interface 'outside' is going to be used as real and mapped interface in the generated nat command.
+! N firewall90:NAT:24: error: CustomService objects are not supported in NAT rules

 !
 ! Prolog script:
@ -94,17 +96,29 @@ clear config object-group
 clear config icmp
 clear config telnet

-
 object-group network outside.id78630X30274.src.net.0
- network-object 10.1.2.0 255.255.255.0 
- network-object 10.1.3.0 255.255.255.0 
- exit
-
+  network-object 10.1.2.0 255.255.255.0 
+  network-object 10.1.3.0 255.255.255.0 
+exit
 ! 
 ! Rule  0 (global)
 access-list outside_acl_in deny   ip object-group outside.id78630X30274.src.net.0 any 
 ! 
 ! Rule  1 (global)
+! for #1942
+! using custom service
+access-list inside_acl_in deny   tcp any host 192.168.1.10 tcp destination neq 8080 
+access-list outside_acl_in deny   tcp any host 192.168.1.10 tcp destination neq 8080 
+! 
+! Rule  2 (global)
+! for #1942
+! using custom service
+access-list inside_acl_in deny   tcp any host 192.168.1.10 tcp destination neq 8080 
+access-list outside_acl_in deny   tcp any host 192.168.1.10 tcp destination neq 8080 
+access-list inside_acl_in deny   tcp any host 192.168.1.10 eq 3128 
+access-list outside_acl_in deny   tcp any host 192.168.1.10 eq 3128 
+! 
+! Rule  3 (global)
 access-list inside_acl_in deny   ip any any 
 access-list outside_acl_in deny   ip any any 

@ -116,251 +130,227 @@ clear xlate
 clear config nat
 clear config object

-object network Internal_net
+object network Internal_net.0
  subnet 192.168.1.0 255.255.255.0
 quit
-object service http
+object service http.0
  service tcp destination eq 80
 quit
-object network hostA:eth0
+object network hostA:eth0.0
  host 192.168.1.10
 quit
-object network spamhost1
+object network spamhost1.0
  host 61.150.47.112
 quit
-object service smtp
+object service smtp.0
  service tcp destination eq 25
 quit
-object network firewall90:FastEthernet1:ip-1
+object network firewall90:FastEthernet1:ip-1.0
  host 22.22.22.23
 quit
-object network internal_subnet_1
+object network internal_subnet_1.0
  subnet 192.168.1.0 255.255.255.192
 quit
-object network internal_subnet_2
+object network internal_subnet_2.0
  subnet 192.168.1.64 255.255.255.192
 quit
-object network test_range_1
+object network test_range_1.0
  range 192.168.1.11 192.168.1.15
 quit
-object network external_gw_1
+object network external_gw_1.0
  host 22.22.22.254
 quit
-object network outside_range
+object network outside_range.0
  range 22.22.22.21 22.22.22.25
 quit
-object network firewall90:FastEthernet1:ip
+object network firewall90:FastEthernet1:ip.0
  host 22.22.22.22
 quit
-object network external_gw2
+object network external_gw2.0
  host 22.22.22.100
 quit
-object network ext_subnet
+object network ext_subnet.0
  subnet 22.22.22.128 255.255.255.224
 quit
-object network outside_range-1
+object network outside_range-1.0
  range 22.22.22.30 22.22.22.40
 quit
-object service squid
+object service squid.0
  service tcp destination eq 3128
 quit
-object network spamhost2
+object network spamhost2.0
  host 61.150.47.113
 quit
-object service smtps
+object service smtps.0
  service tcp destination eq 465
 quit
-object service custom_serv_1
-  service resetinbound interface outside
-quit
-object network ext_subnet-192
+object network ext_subnet-192.0
  subnet 22.22.22.128 255.255.255.192
 quit

 object-group network outside.id178211X29963.osrc.net.0
- network-object object internal_subnet_1
- network-object object internal_subnet_2
- exit
-
+  network-object object internal_subnet_1.0
+  network-object object internal_subnet_2.0
+exit

 object-group network outside.id21353X4994.osrc.net.0
- network-object object internal_subnet_1
- network-object object Internal_net
- network-object object internal_subnet_2
- exit
-
+  network-object object internal_subnet_1.0
+  network-object object Internal_net.0
+  network-object object internal_subnet_2.0
+exit

 object-group network outside.id130599X29063.tsrc.net.0
- network-object object outside_range
- network-object object firewall90:FastEthernet1:ip
- network-object object external_gw2
- exit
-
+  network-object object outside_range.0
+  network-object object firewall90:FastEthernet1:ip.0
+  network-object object external_gw2.0
+exit

 object-group network outside.id20720X27505.tsrc.net.0
- network-object object outside_range
- network-object object external_gw2
- exit
-
+  network-object object outside_range.0
+  network-object object external_gw2.0
+exit

 object-group network outside.id241772X29764.tsrc.net.0
- network-object object outside_range
- exit
-
+  network-object object outside_range.0
+exit

 object-group network outside.id643092X27990.tsrc.net.0
- network-object object ext_subnet
- exit
-
+  network-object object ext_subnet.0
+exit

 object-group network outside.id21121X3710.tsrc.net.0
- network-object object outside_range-1
- network-object object external_gw2
- exit
-
+  network-object object outside_range-1.0
+  network-object object external_gw2.0
+exit

 object-group network outside.id21177X3720.tsrc.net.0
- network-object object ext_subnet
- exit
-
+  network-object object ext_subnet.0
+exit

 object-group network outside.id77971X5929.odst.net.0
- network-object object spamhost1
- network-object object spamhost2
- exit
-
+  network-object object spamhost1.0
+  network-object object spamhost2.0
+exit

 object-group network outside.id77971X5929.tsrc.net.0
- network-object object outside_range-1
- network-object object external_gw2
- exit
-
+  network-object object outside_range-1.0
+  network-object object external_gw2.0
+exit

 object-group network outside.id77971X5929.tsrc.net.1
- network-object object outside_range-1
- network-object object external_gw2
- exit
-
-
-object-group service outside.id127056X21575.osrv.mixed.0
- service-object object custom_serv_1
- exit
-
+  network-object object outside_range-1.0
+  network-object object external_gw2.0
+exit
 ! 
 ! Rule  0 (NAT)
-nat (inside,outside) source dynamic Internal_net interface service http http description "0 (NAT)"
+nat (inside,outside) source dynamic Internal_net.0 interface service http.0 http.0 description "0 (NAT)"
 ! 
 ! Rule  1 (NAT)
-nat (inside,outside) source static hostA:eth0 firewall90:FastEthernet1:ip-1 destination static spamhost1 spamhost1 service smtp smtp description "1 (NAT)"
+nat (inside,outside) source static hostA:eth0.0 firewall90:FastEthernet1:ip-1.0 destination static spamhost1.0 spamhost1.0 service smtp.0 smtp.0 description "1 (NAT)"
 ! 
 ! Rule  2 (NAT)
-nat (inside,outside) source static hostA:eth0 interface service smtp smtp description "2 (NAT)"
+nat (inside,outside) source static hostA:eth0.0 interface service smtp.0 smtp.0 description "2 (NAT)"
 ! 
 ! Rule  3 (NAT)
-nat (inside,outside) source dynamic outside.id178211X29963.osrc.net.0 firewall90:FastEthernet1:ip-1 service smtp smtp description "3 (NAT)"
+nat (inside,outside) source dynamic outside.id178211X29963.osrc.net.0 firewall90:FastEthernet1:ip-1.0 service smtp.0 smtp.0 description "3 (NAT)"
 ! 
 ! Rule  4 (NAT)
 ! for #1928
 ! note that group in OSrc includes another group
-nat (inside,outside) source dynamic outside.id21353X4994.osrc.net.0 firewall90:FastEthernet1:ip-1 service smtp smtp description "4 (NAT)"
+nat (inside,outside) source dynamic outside.id21353X4994.osrc.net.0 firewall90:FastEthernet1:ip-1.0 service smtp.0 smtp.0 description "4 (NAT)"
 ! 
 ! Rule  5 (NAT)
-nat (inside,outside) source dynamic test_range_1 firewall90:FastEthernet1:ip-1 destination static spamhost1 spamhost1 service smtp smtp description "5 (NAT)"
+nat (inside,outside) source dynamic test_range_1.0 firewall90:FastEthernet1:ip-1.0 destination static spamhost1.0 spamhost1.0 service smtp.0 smtp.0 description "5 (NAT)"
 ! 
 ! Rule  6 (NAT)
-nat (inside,outside) source static hostA:eth0 firewall90:FastEthernet1:ip-1 destination static spamhost1 external_gw_1 service smtp smtp description "6 (NAT)"
+nat (inside,outside) source static hostA:eth0.0 firewall90:FastEthernet1:ip-1.0 destination static spamhost1.0 external_gw_1.0 service smtp.0 smtp.0 description "6 (NAT)"
 ! 
 ! Rule  7 (NAT)
 ! For #1907
-nat (inside,outside) source dynamic hostA:eth0 outside.id130599X29063.tsrc.net.0 service smtp smtp description "7 (NAT)"
+nat (inside,outside) source dynamic hostA:eth0.0 outside.id130599X29063.tsrc.net.0 service smtp.0 smtp.0 description "7 (NAT)"
 ! 
 ! Rule  8 (NAT)
 ! For #1907
-nat (inside,outside) source dynamic hostA:eth0 outside.id20720X27505.tsrc.net.0 interface service smtp smtp description "8 (NAT)"
+nat (inside,outside) source dynamic hostA:eth0.0 outside.id20720X27505.tsrc.net.0 interface service smtp.0 smtp.0 description "8 (NAT)"
 ! 
 ! Rule  9 (NAT)
 ! For #1907
-nat (inside,outside) source dynamic hostA:eth0 outside.id241772X29764.tsrc.net.0 interface service smtp smtp description "9 (NAT)"
+nat (inside,outside) source dynamic hostA:eth0.0 outside.id241772X29764.tsrc.net.0 interface service smtp.0 smtp.0 description "9 (NAT)"
 ! 
 ! Rule  10 (NAT)
 ! For #1907
-nat (inside,outside) source static hostA:eth0 hostA:eth0 service smtp smtp description "10 (NAT)"
+nat (inside,outside) source static hostA:eth0.0 hostA:eth0.0 service smtp.0 smtp.0 description "10 (NAT)"
 ! 
 ! Rule  11 (NAT)
 ! For #1907
-nat (inside,outside) source dynamic hostA:eth0 outside.id643092X27990.tsrc.net.0 interface service smtp smtp description "11 (NAT)"
+nat (inside,outside) source dynamic hostA:eth0.0 outside.id643092X27990.tsrc.net.0 interface service smtp.0 smtp.0 description "11 (NAT)"
 ! 
 ! Rule  12 (NAT)
 ! for #1902
-nat (inside,outside) source dynamic internal_subnet_1 firewall90:FastEthernet1:ip-1 dns description "12 (NAT)"
+nat (inside,outside) source dynamic internal_subnet_1.0 firewall90:FastEthernet1:ip-1.0 dns description "12 (NAT)"
 ! 
 ! Rule  13 (NAT)
 ! for #1902
 ! can't use dns with destination matching or translation
 ! firewall90:NAT:13: error: Option 'translate dns' can not be used in combination with destination matching or translation
-nat (inside,outside) source dynamic internal_subnet_1 firewall90:FastEthernet1:ip-1 destination static spamhost1 spamhost1 dns description "13 (NAT)"
+nat (inside,outside) source dynamic internal_subnet_1.0 firewall90:FastEthernet1:ip-1.0 destination static spamhost1.0 spamhost1.0 dns description "13 (NAT)"
 ! 
 ! Rule  14 (NAT)
 ! for #1902
 ! cant use dns with service translation either
 ! firewall90:NAT:14: error: Option 'translate dns' can not be used in combination with service matching or translation
-nat (inside,outside) source dynamic internal_subnet_1 firewall90:FastEthernet1:ip-1 service smtp smtp dns description "14 (NAT)"
+nat (inside,outside) source dynamic internal_subnet_1.0 firewall90:FastEthernet1:ip-1.0 service smtp.0 smtp.0 dns description "14 (NAT)"
 ! 
 ! Rule  15 (NAT)
 ! for #1908
 ! "static" vs "dynamic"
-nat (inside,outside) source static hostA:eth0 firewall90:FastEthernet1:ip-1 description "15 (NAT)"
+nat (inside,outside) source static hostA:eth0.0 firewall90:FastEthernet1:ip-1.0 description "15 (NAT)"
 ! 
 ! Rule  16 (NAT)
 ! for #1908
 ! "static" vs "dynamic"
-nat (inside,outside) source dynamic hostA:eth0 outside_range description "16 (NAT)"
+nat (inside,outside) source dynamic hostA:eth0.0 outside_range.0 description "16 (NAT)"
 ! 
 ! Rule  17 (NAT)
 ! for #1908  "static" vs "dynamic"
 ! for #1885 "named object" - create 
 ! for #1907 "multiple objects in TSrc"
 ! network object to define address range, then add it to object-group
-nat (inside,outside) source dynamic hostA:eth0 outside.id21121X3710.tsrc.net.0 interface description "17 (NAT)"
+nat (inside,outside) source dynamic hostA:eth0.0 outside.id21121X3710.tsrc.net.0 interface description "17 (NAT)"
 ! 
 ! Rule  18 (NAT)
 ! for #1908, #1916 "static" vs "dynamic"
 ! for #1907 "multiple objects in TSrc"
-nat (inside,outside) source dynamic hostA:eth0 outside.id21177X3720.tsrc.net.0 interface description "18 (NAT)"
+nat (inside,outside) source dynamic hostA:eth0.0 outside.id21177X3720.tsrc.net.0 interface description "18 (NAT)"
 ! 
 ! Rule  19 (NAT)
 ! for #1908
 ! "static" vs "dynamic"
-nat (outside,outside) source dynamic outside_range firewall90:FastEthernet1:ip-1 description "19 (NAT)"
+! firewall90:NAT:19: warning: Objects used in Original Source and Translated Source of the rule dictate that the same interface 'outside' is going to be used as real and mapped interface in the generated nat command.
+nat (outside,outside) source dynamic outside_range.0 firewall90:FastEthernet1:ip-1.0 description "19 (NAT)"
 ! 
 ! Rule  20 (NAT)
 ! for #1908
 ! "static" vs "dynamic"
-nat (inside,outside) source dynamic internal_subnet_1 firewall90:FastEthernet1:ip-1 description "20 (NAT)"
+nat (inside,outside) source dynamic internal_subnet_1.0 firewall90:FastEthernet1:ip-1.0 description "20 (NAT)"
 ! 
 ! Rule  21 (NAT)
 ! for #1908
 ! "static" vs "dynamic"
-nat (inside,outside) source static internal_subnet_1 firewall90:FastEthernet1:ip-1 description "21 (NAT)"
+nat (inside,outside) source static internal_subnet_1.0 firewall90:FastEthernet1:ip-1.0 description "21 (NAT)"
 ! 
 ! Rule  22 (NAT)
-nat (outside,inside) source static any any destination static interface hostA:eth0 service http squid description "22 (NAT)"
+nat (outside,inside) source static any any destination static interface hostA:eth0.0 service http.0 squid.0 description "22 (NAT)"
 ! 
 ! Rule  23 (NAT)
 ! multiple objects in OSrc, ODst, OSrv and TSrc in various combinations
-nat (inside,outside) source dynamic outside.id178211X29963.osrc.net.0 outside.id77971X5929.tsrc.net.0 interface destination static outside.id77971X5929.odst.net.0 outside.id77971X5929.odst.net.0 service smtp smtp description "23 (NAT)"
-nat (inside,outside) source dynamic outside.id178211X29963.osrc.net.0 outside.id77971X5929.tsrc.net.1 interface destination static outside.id77971X5929.odst.net.0 outside.id77971X5929.odst.net.0 service smtps smtps description "23 (NAT)"
-! 
-! Rule  24 (NAT)
-! for #1942
-! using custom service
-! note that the rule makese no sense at all
-nat (inside,outside) source dynamic internal_subnet_1 firewall90:FastEthernet1:ip-1 service outside.id127056X21575.osrv.mixed.0 custom_serv_1 description "24 (NAT)"
+nat (inside,outside) source dynamic outside.id178211X29963.osrc.net.0 outside.id77971X5929.tsrc.net.0 interface destination static outside.id77971X5929.odst.net.0 outside.id77971X5929.odst.net.0 service smtp.0 smtp.0 description "23 (NAT)"
+nat (inside,outside) source dynamic outside.id178211X29963.osrc.net.0 outside.id77971X5929.tsrc.net.1 interface destination static outside.id77971X5929.odst.net.0 outside.id77971X5929.odst.net.0 service smtps.0 smtps.0 description "23 (NAT)"
 ! 
 ! Rule  25 (NAT)
 ! for #1916
 ! "static" vs "dynamic" when TSrc is subnet
-nat (inside,outside) source static internal_subnet_1 ext_subnet-192 description "25 (NAT)"
+nat (inside,outside) source static internal_subnet_1.0 ext_subnet-192.0 description "25 (NAT)"



--- a/test/pix/firewall91.fw.orig
+++ b/test/pix/firewall91.fw.orig
@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3437
+!  Firewall Builder  fwb_pix v4.2.0.3439
 !
-!  Generated Mon Jan 17 17:54:12 2011 PST by vadim
+!  Generated Wed Jan 19 18:23:23 2011 PST by vadim
 !
 ! Compiled for pix 8.3
 ! Outbound ACLs: supported
@ -97,7 +97,6 @@ clear config access-list
 clear config object-group
 clear config icmp
 clear config telnet
-
 ! 
 ! Rule  0 (global)
 access-list inside_acl_in deny   ip any any 
@ -111,66 +110,66 @@ clear xlate
 clear config nat
 clear config object

-object network hostA:eth0
+object network hostA:eth0.0
  host 192.168.1.10
 quit
-object network external_gw2
+object network external_gw2.0
  host 22.22.22.100
 quit
-object service http
+object service http.0
  service tcp destination eq 80
 quit
-object service squid
+object service squid.0
  service tcp destination eq 3128
 quit
-object service https
+object service https.0
  service tcp destination eq 443
 quit
-object network outside_range
+object network outside_range.0
  range 22.22.22.21 22.22.22.25
 quit
-object network internal_subnet_1
+object network internal_subnet_1.0
  subnet 192.168.1.0 255.255.255.192
 quit
-object network test_range_1
+object network test_range_1.0
  range 192.168.1.11 192.168.1.15
 quit
 ! 
 ! Rule  0 (NAT)
-nat (outside,inside) source static any any destination static interface hostA:eth0 description "0 (NAT)"
+nat (outside,inside) source static any any destination static interface hostA:eth0.0 description "0 (NAT)"
 ! 
 ! Rule  1 (NAT)
-nat (outside,inside) source static any any destination static interface hostA:eth0 description "1 (NAT)"
+nat (outside,inside) source static any any destination static interface hostA:eth0.0 description "1 (NAT)"
 ! 
 ! Rule  2 (NAT)
-nat (outside,inside) source static any any destination static external_gw2 hostA:eth0 description "2 (NAT)"
+nat (outside,inside) source static any any destination static external_gw2.0 hostA:eth0.0 description "2 (NAT)"
 ! 
 ! Rule  3 (NAT)
-nat (outside,inside) source static any any destination static interface hostA:eth0 service http http description "3 (NAT)"
+nat (outside,inside) source static any any destination static interface hostA:eth0.0 service http.0 http.0 description "3 (NAT)"
 ! 
 ! Rule  4 (NAT)
-nat (outside,inside) source static any any destination static interface hostA:eth0 service http http description "4 (NAT)"
+nat (outside,inside) source static any any destination static interface hostA:eth0.0 service http.0 http.0 description "4 (NAT)"
 ! 
 ! Rule  5 (NAT)
-nat (outside,inside) source static any any destination static interface hostA:eth0 service http squid description "5 (NAT)"
+nat (outside,inside) source static any any destination static interface hostA:eth0.0 service http.0 squid.0 description "5 (NAT)"
 ! 
 ! Rule  6 (NAT)
-nat (outside,inside) source static any any destination static interface hostA:eth0 service https https description "6 (NAT)"
+nat (outside,inside) source static any any destination static interface hostA:eth0.0 service https.0 https.0 description "6 (NAT)"
 ! 
 ! Rule  7 (NAT)
-nat (outside,inside) source static any any destination static interface hostA:eth0 service http http description "7 (NAT)"
+nat (outside,inside) source static any any destination static interface hostA:eth0.0 service http.0 http.0 description "7 (NAT)"
 ! 
 ! Rule  10 (NAT)
 ! for #1941
-nat (outside,inside) source static any any destination static outside_range hostA:eth0 description "10 (NAT)"
+nat (outside,inside) source static any any destination static outside_range.0 hostA:eth0.0 description "10 (NAT)"
 ! 
 ! Rule  11 (NAT)
 ! for #1941
-nat (inside,outside) source dynamic internal_subnet_1 interface destination static outside_range hostA:eth0 description "11 (NAT)"
+nat (inside,outside) source dynamic internal_subnet_1.0 interface destination static outside_range.0 hostA:eth0.0 description "11 (NAT)"
 ! 
 ! Rule  12 (NAT)
 ! translating one range into another.
-nat (outside,inside) source static any any destination static outside_range test_range_1 description "12 (NAT)"
+nat (outside,inside) source static any any destination static outside_range.0 test_range_1.0 description "12 (NAT)"



--- a/test/pix/firewall92.fw.orig
+++ b/test/pix/firewall92.fw.orig
@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3437
+!  Firewall Builder  fwb_pix v4.2.0.3439
 !
-!  Generated Mon Jan 17 17:54:13 2011 PST by vadim
+!  Generated Wed Jan 19 18:23:24 2011 PST by vadim
 !
 ! Compiled for pix 8.3
 ! Outbound ACLs: supported
@ -92,7 +92,6 @@ clear config access-list
 clear config object-group
 clear config icmp
 clear config telnet
-
 ! 
 ! Rule  0 (global)
 access-list inside_acl_in deny   ip any any 
@ -106,51 +105,50 @@ clear xlate
 clear config nat
 clear config object

-object network Internal_net
+object network Internal_net.0
  subnet 192.168.1.0 255.255.255.0
 quit
-object service http
+object service http.0
  service tcp destination eq 80
 quit
-object network hostA:eth0
+object network hostA:eth0.0
  host 192.168.1.10
 quit
-object service smtp
+object service smtp.0
  service tcp destination eq 25
 quit
-object network spamhost1
+object network spamhost1.0
  host 61.150.47.112
 quit
-object network internal_subnet_1
+object network internal_subnet_1.0
  subnet 192.168.1.0 255.255.255.192
 quit
-object network internal_subnet_2
+object network internal_subnet_2.0
  subnet 192.168.1.64 255.255.255.192
 quit
-object network test_range_1
+object network test_range_1.0
  range 192.168.1.11 192.168.1.15
 quit

 object-group network outside.id20655X6113.osrc.net.0
- network-object object internal_subnet_1
- network-object object internal_subnet_2
- exit
-
+  network-object object internal_subnet_1.0
+  network-object object internal_subnet_2.0
+exit
 ! 
 ! Rule  0 (NAT)
-nat (inside,outside) source static Internal_net Internal_net service http http description "0 (NAT)"
+nat (inside,outside) source static Internal_net.0 Internal_net.0 service http.0 http.0 description "0 (NAT)"
 ! 
 ! Rule  1 (NAT)
-nat (inside,outside) source static hostA:eth0 hostA:eth0 service smtp smtp description "1 (NAT)"
+nat (inside,outside) source static hostA:eth0.0 hostA:eth0.0 service smtp.0 smtp.0 description "1 (NAT)"
 ! 
 ! Rule  2 (NAT)
-nat (inside,outside) source static hostA:eth0 hostA:eth0 destination static spamhost1 spamhost1 service smtp smtp description "2 (NAT)"
+nat (inside,outside) source static hostA:eth0.0 hostA:eth0.0 destination static spamhost1.0 spamhost1.0 service smtp.0 smtp.0 description "2 (NAT)"
 ! 
 ! Rule  3 (NAT)
-nat (inside,outside) source static outside.id20655X6113.osrc.net.0 outside.id20655X6113.osrc.net.0 service smtp smtp description "3 (NAT)"
+nat (inside,outside) source static outside.id20655X6113.osrc.net.0 outside.id20655X6113.osrc.net.0 service smtp.0 smtp.0 description "3 (NAT)"
 ! 
 ! Rule  4 (NAT)
-nat (inside,outside) source static test_range_1 test_range_1 destination static spamhost1 spamhost1 service smtp smtp description "4 (NAT)"
+nat (inside,outside) source static test_range_1.0 test_range_1.0 destination static spamhost1.0 spamhost1.0 service smtp.0 smtp.0 description "4 (NAT)"



--- a/test/pix/firewall93.fw.orig
+++ b/test/pix/firewall93.fw.orig
@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3437
+!  Firewall Builder  fwb_pix v4.2.0.3439
 !
-!  Generated Mon Jan 17 17:54:13 2011 PST by vadim
+!  Generated Wed Jan 19 18:23:24 2011 PST by vadim
 !
 ! Compiled for pix 8.3
 ! Outbound ACLs: supported
@ -94,16 +94,16 @@ clear xlate
 clear config nat
 clear config object

-object network inside-range-1
+object network inside-range-1.0
  range 10.0.0.1 10.0.0.5
 quit
-object network dmz-range-1
+object network dmz-range-1.0
  range 172.16.0.10 172.16.0.15
 quit
 ! 
 ! Rule  0 (NAT)
-nat (inside,outside) source dynamic inside-range-1 interface description "0 (NAT)"
-nat (dmz,outside) source dynamic dmz-range-1 interface description "0 (NAT)"
+nat (inside,outside) source dynamic inside-range-1.0 interface description "0 (NAT)"
+nat (dmz,outside) source dynamic dmz-range-1.0 interface description "0 (NAT)"



--- a/test/pix/fwsm1.fw.orig
+++ b/test/pix/fwsm1.fw.orig
@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3437
+!  Firewall Builder  fwb_pix v4.2.0.3439
 !
-!  Generated Mon Jan 17 17:54:14 2011 PST by vadim
+!  Generated Wed Jan 19 18:23:25 2011 PST by vadim
 !
 ! Compiled for fwsm 2.3
 ! Outbound ACLs: supported
@ -114,128 +114,116 @@ clear icmp
 clear telnet

 object-group network inside.id444A03DE9567.dst.net.0
- network-object  host 211.11.11.11 
- network-object  host 211.22.22.22 
- exit
-
+  network-object host 211.11.11.11 
+  network-object host 211.22.22.22 
+exit

 object-group service inside.id444A03DE9567.srv.tcp.0 tcp
- port-object eq 113
- port-object eq 80
- port-object eq 25
- port-object eq 22
- port-object eq 540
- port-object eq 443
- port-object eq 143
- exit
-
+  port-object eq 113
+  port-object eq 80
+  port-object eq 25
+  port-object eq 22
+  port-object eq 540
+  port-object eq 443
+  port-object eq 143
+exit

 object-group icmp-type outside.id444A04039567.srv.icmp.0
- icmp-object 11
- icmp-object 0
- icmp-object 3
- exit
-
+  icmp-object 11
+  icmp-object 0
+  icmp-object 3
+exit

 object-group service outside.id444A040F9567.srv.tcp.0 tcp
- port-object eq 3128
- port-object eq 70
- port-object eq 6667
- port-object eq 23
- exit
-
+  port-object eq 3128
+  port-object eq 70
+  port-object eq 6667
+  port-object eq 23
+exit

 object-group service outside.id444A040F9567.srv.udp.0 udp
- port-object eq 161
- port-object eq 53
- exit
-
+  port-object eq 161
+  port-object eq 53
+exit

 object-group network outside.id444A04349567.dst.net.0
- network-object  host 192.168.1.10 
- network-object  host 192.168.1.20 
- exit
-
+  network-object host 192.168.1.10 
+  network-object host 192.168.1.20 
+exit

 object-group network inside.id444A04429567.dst.net.0
- network-object 192.168.1.250 255.255.255.254 
- network-object 192.168.1.252 255.255.255.252 
- exit
-
+  network-object 192.168.1.250 255.255.255.254 
+  network-object 192.168.1.252 255.255.255.252 
+exit

 object-group network outside.id444A044E9567.dst.net.0
- network-object 192.168.1.250 255.255.255.254 
- network-object 192.168.1.252 255.255.255.252 
- exit
-
+  network-object 192.168.1.250 255.255.255.254 
+  network-object 192.168.1.252 255.255.255.252 
+exit

 object-group network outside.id444A04679567.dst.net.0
- network-object  host 192.168.1.11 
- network-object  host 192.168.1.12 
- network-object  host 192.168.1.13 
- network-object  host 192.168.1.14 
- network-object  host 192.168.1.15 
- exit
-
+  network-object host 192.168.1.11 
+  network-object host 192.168.1.12 
+  network-object host 192.168.1.13 
+  network-object host 192.168.1.14 
+  network-object host 192.168.1.15 
+exit

 object-group service outside.id444A04679567.srv.tcp.0 tcp
- port-object eq 113
- port-object eq 80
- port-object eq 25
- port-object eq 22
- port-object eq 540
- port-object eq 443
- port-object eq 143
- port-object eq 3128
- exit
-
+  port-object eq 113
+  port-object eq 80
+  port-object eq 25
+  port-object eq 22
+  port-object eq 540
+  port-object eq 443
+  port-object eq 143
+  port-object eq 3128
+exit

 object-group network outside.id444A04749567.dst.net.0
- network-object 192.168.1.11 255.255.255.255 
- network-object 192.168.1.12 255.255.255.252 
- exit
-
+  network-object 192.168.1.11 255.255.255.255 
+  network-object 192.168.1.12 255.255.255.252 
+exit

 object-group service outside.id444A04819567.srv.tcp.0 tcp
- port-object eq 3128
- port-object range 10000 11000
- port-object eq 6667
- port-object eq 113
- port-object eq 53
- port-object eq 21
- port-object eq 80
- port-object eq 119
- port-object eq 25
- port-object eq 22
- port-object eq 23
- port-object eq 540
- port-object eq 70
- port-object eq 13
- port-object eq 2105
- port-object eq 443
- port-object eq 143
- port-object eq 993
- port-object eq 6667
- port-object eq 543
- port-object eq 544
- port-object eq 389
- port-object eq 98
- port-object eq 3306
- port-object eq 2049
- port-object eq 110
- port-object eq 5432
- port-object eq 515
- port-object eq 26000
- port-object eq 512
- port-object eq 513
- port-object eq 514
- port-object eq 4321
- port-object eq 465
- port-object eq 1080
- port-object eq 111
- port-object eq 7100
- exit
-
+  port-object eq 3128
+  port-object range 10000 11000
+  port-object eq 6667
+  port-object eq 113
+  port-object eq 53
+  port-object eq 21
+  port-object eq 80
+  port-object eq 119
+  port-object eq 25
+  port-object eq 22
+  port-object eq 23
+  port-object eq 540
+  port-object eq 70
+  port-object eq 13
+  port-object eq 2105
+  port-object eq 443
+  port-object eq 143
+  port-object eq 993
+  port-object eq 6667
+  port-object eq 543
+  port-object eq 544
+  port-object eq 389
+  port-object eq 98
+  port-object eq 3306
+  port-object eq 2049
+  port-object eq 110
+  port-object eq 5432
+  port-object eq 515
+  port-object eq 26000
+  port-object eq 512
+  port-object eq 513
+  port-object eq 514
+  port-object eq 4321
+  port-object eq 465
+  port-object eq 1080
+  port-object eq 111
+  port-object eq 7100
+exit
 ! 
 ! Rule  2 (ethernet1)
 icmp permit any 3  outside
--- a/test/pix/fwsm2.fw.orig
+++ b/test/pix/fwsm2.fw.orig
@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3437
+!  Firewall Builder  fwb_pix v4.2.0.3439
 !
-!  Generated Mon Jan 17 17:54:15 2011 PST by vadim
+!  Generated Wed Jan 19 18:23:25 2011 PST by vadim
 !
 ! Compiled for fwsm 4.x
 ! Outbound ACLs: supported
@ -125,128 +125,116 @@ clear config icmp
 clear config telnet

 object-group network inside.id17298X54624.dst.net.0
- network-object  host 211.11.11.11 
- network-object  host 211.22.22.22 
- exit
-
+  network-object host 211.11.11.11 
+  network-object host 211.22.22.22 
+exit

 object-group service inside.id17298X54624.srv.tcp.0 tcp
- port-object eq 113
- port-object eq 80
- port-object eq 25
- port-object eq 22
- port-object eq 540
- port-object eq 443
- port-object eq 143
- exit
-
+  port-object eq 113
+  port-object eq 80
+  port-object eq 25
+  port-object eq 22
+  port-object eq 540
+  port-object eq 443
+  port-object eq 143
+exit

 object-group icmp-type outside.id17335X54624.srv.icmp.0
- icmp-object 11
- icmp-object 0
- icmp-object 3
- exit
-
+  icmp-object 11
+  icmp-object 0
+  icmp-object 3
+exit

 object-group service outside.id17347X54624.srv.tcp.0 tcp
- port-object eq 3128
- port-object eq 70
- port-object eq 6667
- port-object eq 23
- exit
-
+  port-object eq 3128
+  port-object eq 70
+  port-object eq 6667
+  port-object eq 23
+exit

 object-group service outside.id17347X54624.srv.udp.0 udp
- port-object eq 161
- port-object eq 53
- exit
-
+  port-object eq 161
+  port-object eq 53
+exit

 object-group network outside.id17384X54624.dst.net.0
- network-object  host 192.168.1.10 
- network-object  host 192.168.1.20 
- exit
-
+  network-object host 192.168.1.10 
+  network-object host 192.168.1.20 
+exit

 object-group network inside.id17398X54624.dst.net.0
- network-object 192.168.1.250 255.255.255.254 
- network-object 192.168.1.252 255.255.255.252 
- exit
-
+  network-object 192.168.1.250 255.255.255.254 
+  network-object 192.168.1.252 255.255.255.252 
+exit

 object-group network outside.id17410X54624.dst.net.0
- network-object 192.168.1.250 255.255.255.254 
- network-object 192.168.1.252 255.255.255.252 
- exit
-
+  network-object 192.168.1.250 255.255.255.254 
+  network-object 192.168.1.252 255.255.255.252 
+exit

 object-group network outside.id17435X54624.dst.net.0
- network-object  host 192.168.1.11 
- network-object  host 192.168.1.12 
- network-object  host 192.168.1.13 
- network-object  host 192.168.1.14 
- network-object  host 192.168.1.15 
- exit
-
+  network-object host 192.168.1.11 
+  network-object host 192.168.1.12 
+  network-object host 192.168.1.13 
+  network-object host 192.168.1.14 
+  network-object host 192.168.1.15 
+exit

 object-group service outside.id17435X54624.srv.tcp.0 tcp
- port-object eq 113
- port-object eq 80
- port-object eq 25
- port-object eq 22
- port-object eq 540
- port-object eq 443
- port-object eq 143
- port-object eq 3128
- exit
-
+  port-object eq 113
+  port-object eq 80
+  port-object eq 25
+  port-object eq 22
+  port-object eq 540
+  port-object eq 443
+  port-object eq 143
+  port-object eq 3128
+exit

 object-group network outside.id17448X54624.dst.net.0
- network-object 192.168.1.11 255.255.255.255 
- network-object 192.168.1.12 255.255.255.252 
- exit
-
+  network-object 192.168.1.11 255.255.255.255 
+  network-object 192.168.1.12 255.255.255.252 
+exit

 object-group service outside.id17461X54624.srv.tcp.0 tcp
- port-object eq 3128
- port-object range 10000 11000
- port-object eq 6667
- port-object eq 113
- port-object eq 53
- port-object eq 21
- port-object eq 80
- port-object eq 119
- port-object eq 25
- port-object eq 22
- port-object eq 23
- port-object eq 540
- port-object eq 70
- port-object eq 13
- port-object eq 2105
- port-object eq 443
- port-object eq 143
- port-object eq 993
- port-object eq 6667
- port-object eq 543
- port-object eq 544
- port-object eq 389
- port-object eq 98
- port-object eq 3306
- port-object eq 2049
- port-object eq 110
- port-object eq 5432
- port-object eq 515
- port-object eq 26000
- port-object eq 512
- port-object eq 513
- port-object eq 514
- port-object eq 4321
- port-object eq 465
- port-object eq 1080
- port-object eq 111
- port-object eq 7100
- exit
-
+  port-object eq 3128
+  port-object range 10000 11000
+  port-object eq 6667
+  port-object eq 113
+  port-object eq 53
+  port-object eq 21
+  port-object eq 80
+  port-object eq 119
+  port-object eq 25
+  port-object eq 22
+  port-object eq 23
+  port-object eq 540
+  port-object eq 70
+  port-object eq 13
+  port-object eq 2105
+  port-object eq 443
+  port-object eq 143
+  port-object eq 993
+  port-object eq 6667
+  port-object eq 543
+  port-object eq 544
+  port-object eq 389
+  port-object eq 98
+  port-object eq 3306
+  port-object eq 2049
+  port-object eq 110
+  port-object eq 5432
+  port-object eq 515
+  port-object eq 26000
+  port-object eq 512
+  port-object eq 513
+  port-object eq 514
+  port-object eq 4321
+  port-object eq 465
+  port-object eq 1080
+  port-object eq 111
+  port-object eq 7100
+exit
 ! 
 ! Rule  2 (ethernet1)
 icmp permit any 3  outside
--- a/test/pix/pix515.fw.orig
+++ b/test/pix/pix515.fw.orig
@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3437
+!  Firewall Builder  fwb_pix v4.2.0.3439
 !
-!  Generated Mon Jan 17 17:54:16 2011 PST by vadim
+!  Generated Wed Jan 19 18:23:26 2011 PST by vadim
 !
 ! Compiled for pix 7.0
 ! Outbound ACLs: supported
--- a/test/pix/real.fw.orig
+++ b/test/pix/real.fw.orig
@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3437
+!  Firewall Builder  fwb_pix v4.2.0.3439
 !
-!  Generated Mon Jan 17 17:54:17 2011 PST by vadim
+!  Generated Wed Jan 19 18:23:26 2011 PST by vadim
 !
 ! Compiled for pix 6.3
 ! Outbound ACLs: not supported