onkelbeh/fwbuilder
1
0
Fork 0
mirror of https://github.com/fwbuilder/fwbuilder synced 2026-03-23 03:37:15 +01:00
Code Issues Releases Wiki Activity

refs #1902 Add NAT rule option "translate dns" for PIX

Browse Source
This commit is contained in:
Vadim Kurland 2011-01-11 10:55:53 -08:00
parent ff6f43b3e6
commit d4f9c04aeb
43 changed files with 251 additions and 59 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
doc/ChangeLog
View File

@ -1,5 +1,9 @@
2011-01-11 vadim <vadim@netcitadel.com>
* NATCompiler_asa8_writers.cpp (printSDNAT): refs #1902 "Add NAT
rule option "translate dns" for PIX". The option is only available
for ASA 8.3 or later.
* NATCompiler_asa8_writers.cpp (printSDNAT): fixed #1909 "ASA NAT
- static nat port translation where service is the same for
original service and translated service not generated correctly"

44
src/cisco_lib/NATCompiler_asa8.cpp
View File

@ -64,20 +64,44 @@ NATCompiler_asa8::NATCompiler_asa8(FWObjectDatabase *_db,
{
}
/*
* Option "translate dns" can not be used if the rule has "destination"
* part.
*/
bool NATCompiler_asa8::VerifyValidityOfDNSOption::processNext()
{
NATRule *rule = getNext(); if (rule==NULL) return false;
FWOptions *ropt = rule->getOptionsObject();
if (ropt->getBool("asa8_nat_dns"))
{
Address *odst = compiler->getFirstODst(rule); assert(odst);
if (!odst->isAny())
{
compiler->abort(rule,
"Option 'translate dns' can not be used in combination "
"with destination matching or translation");
}
Service *osrv = compiler->getFirstOSrv(rule); assert(osrv);
if (!osrv->isAny())
{
compiler->abort(rule,
"Option 'translate dns' can not be used in combination "
"with service matching or translation");
}
}
tmp_queue.push_back(rule);
return true;
}
bool NATCompiler_asa8::VerifyRules::processNext()
{
NATRule *rule = getNext(); if (rule==NULL) return false;
string version = compiler->fw->getStr("version");
// if (rule->getRuleType()==NATRule::SDNAT)
// {
// compiler->abort(
// rule,
// "Rules that translate both source and destination are not supported.");
// return true;
// }
RuleElementOSrc *osrc=rule->getOSrc(); assert(osrc);
RuleElementODst *odst=rule->getODst(); assert(odst);
RuleElementOSrv *osrv=rule->getOSrv(); assert(osrv);
@ -264,6 +288,8 @@ void NATCompiler_asa8::compile()
"verify rule elements for static NAT rules"));
add( new processNONATRules("process NONAT" ));
add( new VerifyValidityOfDNSOption("Check validity of 'translate dns' option"));
/* REMOVE_OLD_OPTIMIZATIONS
if (fw->getOptionsObject()->getBool("pix_optimize_default_nat"))
add (new clearOSrc ("clear OSrc" ));

7
src/cisco_lib/NATCompiler_asa8.h
View File

@ -57,7 +57,12 @@ namespace fwcompiler {
DECLARE_NAT_RULE_PROCESSOR(VerifyRules);
DECLARE_NAT_RULE_PROCESSOR(PrintObjectsForNat);
/*
* Check if "translate dns" option can be used with the rule
*/
DECLARE_NAT_RULE_PROCESSOR(VerifyValidityOfDNSOption);
/**
* this processor accumulates all rules fed to it by previous
* processors, then prints PIX commands to clear

4
src/cisco_lib/NATCompiler_asa8_writers.cpp
View File

@ -161,6 +161,8 @@ void NATCompiler_asa8::PrintRule::printSDNAT(NATRule *rule)
NATCompiler_asa8 *pix_comp = dynamic_cast<NATCompiler_asa8*>(compiler);
// NATCmd *natcmd = pix_comp->nat_commands[ rule->getInt("nat_cmd") ];
FWOptions *ropt = rule->getOptionsObject();
QStringList cmd;
Address *osrc = compiler->getFirstOSrc(rule); assert(osrc);
@ -214,6 +216,8 @@ void NATCompiler_asa8::PrintRule::printSDNAT(NATRule *rule)
cmd << pix_comp->getASA8Object(tsrv)->getCommandWord();
}
if (ropt->getBool("asa8_nat_dns")) cmd << "dns";
compiler->output << cmd.join(" ").toStdString() << endl;
}

27
src/libgui/NATRuleOptionsDialog.cpp
View File

@ -71,11 +71,13 @@ void NATRuleOptionsDialog::getHelpName(QString *str)
void NATRuleOptionsDialog::loadFWObject(FWObject *o)
{
obj=o;
obj = o;
FWObject *p=obj;
while ( !Firewall::cast(p) ) p=p->getParent();
platform=p->getStr("platform").c_str();
FWObject *p = obj;
while ( !Firewall::cast(p) ) p = p->getParent();
platform = p->getStr("platform").c_str();
string version = p->getStr("version");
Rule *rule = dynamic_cast<Rule*>(o);
FWOptions *ropt = rule->getOptionsObject();
@ -85,10 +87,10 @@ void NATRuleOptionsDialog::loadFWObject(FWObject *o)
// .arg(rule->getTypeName().c_str())
// .arg(rule->getPosition()));
int wid=0;
int wid = 0;
if (platform=="ipf") wid=0;
if (platform=="ipfw") wid=0;
if (platform=="pix" || platform=="fwsm") wid=0;
if (platform=="pix" || platform=="fwsm") wid = 3;
if (platform=="iptables") wid=1;
if (platform=="pf") wid=2;
@ -102,12 +104,12 @@ void NATRuleOptionsDialog::loadFWObject(FWObject *o)
data.registerOption(m_dialog->ipt_use_snat_instead_of_masq, ropt,
"ipt_use_snat_instead_of_masq");
data.registerOption(m_dialog->ipt_nat_random, ropt, "ipt_nat_random");
data.registerOption(m_dialog->ipt_nat_persistent, ropt, "ipt_nat_persistent");
data.registerOption(m_dialog->ipt_nat_persistent,ropt,"ipt_nat_persistent");
}
if (platform=="pf")
{
data.registerOption(m_dialog->pf_pool_type_none, ropt, "pf_pool_type_none" );
data.registerOption(m_dialog->pf_pool_type_none, ropt, "pf_pool_type_none");
data.registerOption(m_dialog->pf_bitmask , ropt, "pf_bitmask" );
data.registerOption(m_dialog->pf_random , ropt, "pf_random" );
data.registerOption(m_dialog->pf_source_hash , ropt, "pf_source_hash" );
@ -115,7 +117,14 @@ void NATRuleOptionsDialog::loadFWObject(FWObject *o)
data.registerOption(m_dialog->pf_static_port , ropt, "pf_static_port" );
}
init=true;
if (platform=="pix" || platform=="fwsm")
{
m_dialog->asa8_nat_dns->setEnabled(
libfwbuilder::XMLTools::version_compare(version,"8.3")>=0);
data.registerOption(m_dialog->asa8_nat_dns , ropt, "asa8_nat_dns" );
}
init = true;
data.loadAll();
//apply->setEnabled( false );
init=false;

48
src/libgui/natruleoptionsdialog_q.ui
View File

@ -23,7 +23,7 @@
<enum>QFrame::Sunken</enum>
</property>
<property name="currentIndex">
<number>1</number>
<number>3</number>
</property>
<widget class="QWidget" name="WStackPage">
<layout class="QVBoxLayout">
@ -283,6 +283,36 @@
</item>
</layout>
</widget>
<widget class="QWidget" name="ASA8NATRuleOptions">
<layout class="QGridLayout" name="gridLayout_3">
<property name="margin">
<number>12</number>
</property>
<property name="spacing">
<number>12</number>
</property>
<item row="0" column="0">
<widget class="QCheckBox" name="asa8_nat_dns">
<property name="text">
<string>Make this NAT rule translate DNS replies. You also need to enable DNS inspection in the firewall object advanced settings dialog.</string>
</property>
</widget>
</item>
<item row="1" column="0">
<spacer name="verticalSpacer_3">
<property name="orientation">
<enum>Qt::Vertical</enum>
</property>
<property name="sizeHint" stdset="0">
<size>
<width>20</width>
<height>265</height>
</size>
</property>
</spacer>
</item>
</layout>
</widget>
</widget>
</item>
</layout>
@ -433,6 +463,22 @@
</hint>
</hints>
</connection>
<connection>
<sender>asa8_nat_dns</sender>
<signal>stateChanged(int)</signal>
<receiver>NATRuleOptionsDialog_q</receiver>
<slot>changed()</slot>
<hints>
<hint type="sourcelabel">
<x>470</x>
<y>32</y>
</hint>
<hint type="destinationlabel">
<x>470</x>
<y>172</y>
</hint>
</hints>
</connection>
</connections>
<slots>
<slot>changed()</slot>

5
src/libgui/platforms.cpp
View File

@ -360,6 +360,11 @@ bool isDefaultNATRuleOptions(FWOptions *opt)
! opt->getBool("pf_round_robin") &&
! opt->getBool("pf_static_port") ) );
}
if (platform=="pix" || platform=="fwsm")
{
res = (!opt->getBool("asa8_nat_dns"));
}
}
return res;
}

2
test/pix/cluster1-1_pix1.fw.orig
View File

@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3427
!
! Generated Tue Jan 11 10:26:22 2011 PST by vadim
! Generated Tue Jan 11 10:54:28 2011 PST by vadim
!
! Compiled for pix 7.0
! Outbound ACLs: supported

2
test/pix/cluster1-1_pix2.fw.orig
View File

@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3427
!
! Generated Tue Jan 11 10:26:22 2011 PST by vadim
! Generated Tue Jan 11 10:54:28 2011 PST by vadim
!
! Compiled for pix 7.0
! Outbound ACLs: supported

2
test/pix/cluster1_pix1.fw.orig
View File

@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3427
!
! Generated Tue Jan 11 10:26:21 2011 PST by vadim
! Generated Tue Jan 11 10:54:28 2011 PST by vadim
!
! Compiled for pix 7.0
! Outbound ACLs: supported

2
test/pix/cluster1_pix2.fw.orig
View File

@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3427
!
! Generated Tue Jan 11 10:26:21 2011 PST by vadim
! Generated Tue Jan 11 10:54:28 2011 PST by vadim
!
! Compiled for pix 7.0
! Outbound ACLs: supported

2
test/pix/firewall.fw.orig
View File

@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3427
!
! Generated Tue Jan 11 10:25:58 2011 PST by vadim
! Generated Tue Jan 11 10:54:04 2011 PST by vadim
!
! Compiled for pix 6.2
! Outbound ACLs: not supported

2
test/pix/firewall1.fw.orig
View File

@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3427
!
! Generated Tue Jan 11 10:25:58 2011 PST by vadim
! Generated Tue Jan 11 10:54:05 2011 PST by vadim
!
! Compiled for pix 6.1
! Outbound ACLs: not supported

2
test/pix/firewall10.fw.orig
View File

@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3427
!
! Generated Tue Jan 11 10:25:59 2011 PST by vadim
! Generated Tue Jan 11 10:54:05 2011 PST by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported

2
test/pix/firewall11.fw.orig
View File

@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3427
!
! Generated Tue Jan 11 10:26:00 2011 PST by vadim
! Generated Tue Jan 11 10:54:06 2011 PST by vadim
!
! Compiled for pix 6.2
! Outbound ACLs: not supported

2
test/pix/firewall12.fw.orig
View File

@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3427
!
! Generated Tue Jan 11 10:26:01 2011 PST by vadim
! Generated Tue Jan 11 10:54:07 2011 PST by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported

2
test/pix/firewall13.fw.orig
View File

@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3427
!
! Generated Tue Jan 11 10:26:01 2011 PST by vadim
! Generated Tue Jan 11 10:54:07 2011 PST by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported

2
test/pix/firewall14.fw.orig
View File

@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3427
!
! Generated Tue Jan 11 10:26:02 2011 PST by vadim
! Generated Tue Jan 11 10:54:08 2011 PST by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported

2
test/pix/firewall2.fw.orig
View File

@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3427
!
! Generated Tue Jan 11 10:26:03 2011 PST by vadim
! Generated Tue Jan 11 10:54:09 2011 PST by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported

2
test/pix/firewall20.fw.orig
View File

@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3427
!
! Generated Tue Jan 11 10:26:03 2011 PST by vadim
! Generated Tue Jan 11 10:54:09 2011 PST by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported

2
test/pix/firewall21-1.fw.orig
View File

@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3427
!
! Generated Tue Jan 11 10:26:05 2011 PST by vadim
! Generated Tue Jan 11 10:54:11 2011 PST by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported

2
test/pix/firewall21.fw.orig
View File

@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3427
!
! Generated Tue Jan 11 10:26:04 2011 PST by vadim
! Generated Tue Jan 11 10:54:10 2011 PST by vadim
!
! Compiled for pix 7.0
! Outbound ACLs: supported

2
test/pix/firewall22.fw.orig
View File

@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3427
!
! Generated Tue Jan 11 10:26:05 2011 PST by vadim
! Generated Tue Jan 11 10:54:11 2011 PST by vadim
!
! Compiled for pix 7.0
! Outbound ACLs: supported

2
test/pix/firewall3.fw.orig
View File

@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3427
!
! Generated Tue Jan 11 10:26:06 2011 PST by vadim
! Generated Tue Jan 11 10:54:12 2011 PST by vadim
!
! Compiled for pix 6.2
! Outbound ACLs: not supported

2
test/pix/firewall33.fw.orig
View File

@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3427
!
! Generated Tue Jan 11 10:26:07 2011 PST by vadim
! Generated Tue Jan 11 10:54:13 2011 PST by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported

2
test/pix/firewall34.fw.orig
View File

@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3427
!
! Generated Tue Jan 11 10:26:08 2011 PST by vadim
! Generated Tue Jan 11 10:54:14 2011 PST by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported

2
test/pix/firewall4.fw.orig
View File

@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3427
!
! Generated Tue Jan 11 10:26:08 2011 PST by vadim
! Generated Tue Jan 11 10:54:15 2011 PST by vadim
!
! Compiled for pix 6.2
! Outbound ACLs: not supported

2
test/pix/firewall50.fw.orig
View File

@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3427
!
! Generated Tue Jan 11 10:26:09 2011 PST by vadim
! Generated Tue Jan 11 10:54:16 2011 PST by vadim
!
! Compiled for pix 7.0
! Outbound ACLs: supported

2
test/pix/firewall6.fw.orig
View File

@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3427
!
! Generated Tue Jan 11 10:26:10 2011 PST by vadim
! Generated Tue Jan 11 10:54:16 2011 PST by vadim
!
! Compiled for pix 6.2
! Outbound ACLs: not supported

2
test/pix/firewall8.fw.orig
View File

@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3427
!
! Generated Tue Jan 11 10:26:11 2011 PST by vadim
! Generated Tue Jan 11 10:54:17 2011 PST by vadim
!
! Compiled for pix 6.2
! Outbound ACLs: not supported

2
test/pix/firewall80.fw.orig
View File

@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3427
!
! Generated Tue Jan 11 10:26:11 2011 PST by vadim
! Generated Tue Jan 11 10:54:18 2011 PST by vadim
!
! Compiled for pix 8.2
! Outbound ACLs: supported

2
test/pix/firewall81.fw.orig
View File

@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3427
!
! Generated Tue Jan 11 10:26:12 2011 PST by vadim
! Generated Tue Jan 11 10:54:19 2011 PST by vadim
!
! Compiled for pix 8.3
! Outbound ACLs: supported

2
test/pix/firewall82.fw.orig
View File

@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3427
!
! Generated Tue Jan 11 10:26:13 2011 PST by vadim
! Generated Tue Jan 11 10:54:19 2011 PST by vadim
!
! Compiled for pix 8.3
! Outbound ACLs: supported

2
test/pix/firewall83.fw.orig
View File

@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3427
!
! Generated Tue Jan 11 10:26:13 2011 PST by vadim
! Generated Tue Jan 11 10:54:20 2011 PST by vadim
!
! Compiled for pix 8.3
! Outbound ACLs: supported

2
test/pix/firewall9.fw.orig
View File

@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3427
!
! Generated Tue Jan 11 10:26:14 2011 PST by vadim
! Generated Tue Jan 11 10:54:21 2011 PST by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported

21
test/pix/firewall90.fw.orig
View File

@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3427
!
! Generated Tue Jan 11 10:26:15 2011 PST by vadim
! Generated Tue Jan 11 10:54:21 2011 PST by vadim
!
! Compiled for pix 8.3
! Outbound ACLs: supported
@ -16,7 +16,8 @@
! testing new style ASA 8.3 nat commands
! SNAT rules
! N firewall90:NAT:10: error: Option 'translate dns' can not be used in combination with destination matching or translation
! N firewall90:NAT:11: error: Option 'translate dns' can not be used in combination with service matching or translation
!
! Prolog script:
@ -180,6 +181,22 @@ nat (inside,outside) source dynamic hostA:eth0 external_gw2 service smtp smtp
! For #1907
nat (inside,outside) source dynamic hostA:eth0 outside_range service smtp smtp
nat (inside,outside) source dynamic hostA:eth0 interface service smtp smtp
!
! Rule 9 (NAT)
! for #1902
nat (inside,outside) source dynamic internal_subnet_1 firewall90:FastEthernet1:ip-1 dns
!
! Rule 10 (NAT)
! for #1902
! can't use dns with destination matching or translation
! firewall90:NAT:10: error: Option 'translate dns' can not be used in combination with destination matching or translation
nat (inside,outside) source dynamic internal_subnet_1 firewall90:FastEthernet1:ip-1 destination static spamhost1 spamhost1 dns
!
! Rule 11 (NAT)
! for #1902
! cant use dns with service translation either
! firewall90:NAT:11: error: Option 'translate dns' can not be used in combination with service matching or translation
nat (inside,outside) source dynamic internal_subnet_1 firewall90:FastEthernet1:ip-1 service smtp smtp dns

2
test/pix/firewall91.fw.orig
View File

@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3427
!
! Generated Tue Jan 11 10:26:15 2011 PST by vadim
! Generated Tue Jan 11 10:54:22 2011 PST by vadim
!
! Compiled for pix 8.3
! Outbound ACLs: supported

2
test/pix/firewall92.fw.orig
View File

@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3427
!
! Generated Tue Jan 11 10:26:16 2011 PST by vadim
! Generated Tue Jan 11 10:54:23 2011 PST by vadim
!
! Compiled for pix 8.3
! Outbound ACLs: supported

2
test/pix/fwsm1.fw.orig
View File

@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3427
!
! Generated Tue Jan 11 10:26:17 2011 PST by vadim
! Generated Tue Jan 11 10:54:23 2011 PST by vadim
!
! Compiled for fwsm 2.3
! Outbound ACLs: supported

2
test/pix/fwsm2.fw.orig
View File

@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3427
!
! Generated Tue Jan 11 10:26:18 2011 PST by vadim
! Generated Tue Jan 11 10:54:24 2011 PST by vadim
!
! Compiled for fwsm 4.x
! Outbound ACLs: supported

82
test/pix/objects-for-regression-tests.fwb
View File

@ -18228,7 +18228,7 @@ no sysopt nodnsalias outbound
<Option name="xlate_ss">0</Option>
</FirewallOptions>
</Firewall>
<Firewall id="id19839X26146" host_OS="pix_os" inactive="False" lastCompiled="0" lastInstalled="0" lastModified="1294770341" platform="pix" version="8.3" name="firewall90" comment="testing new style ASA 8.3 nat commands&#10;SNAT rules&#10;" ro="False">
<Firewall id="id19839X26146" host_OS="pix_os" inactive="False" lastCompiled="0" lastInstalled="0" lastModified="1294771876" platform="pix" version="8.3" name="firewall90" comment="testing new style ASA 8.3 nat commands&#10;SNAT rules&#10;" ro="False">
<NAT id="id19920X26146" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<NATRule id="id19921X26146" disabled="False" position="0" action="Translate" comment="">
<OSrc neg="False">
@ -18313,7 +18313,9 @@ no sysopt nodnsalias outbound
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
<NATRuleOptions>
<Option name="asa8_nat_dns">False</Option>
</NATRuleOptions>
</NATRule>
<NATRule id="id20069X32406" disabled="False" group="" position="4" action="Translate" comment="">
<OSrc neg="False">
@ -18334,7 +18336,9 @@ no sysopt nodnsalias outbound
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
<NATRuleOptions>
<Option name="asa8_nat_dns">False</Option>
</NATRuleOptions>
</NATRule>
<NATRule id="id178073X29963" disabled="False" group="" position="5" action="Translate" comment="">
<OSrc neg="False">
@ -18431,6 +18435,78 @@ no sysopt nodnsalias outbound
<Option name="color">#C0BA44</Option>
</NATRuleOptions>
</NATRule>
<NATRule id="id168272X32146" disabled="False" group="" position="9" action="Translate" comment="for #1902&#10;">
<OSrc neg="False">
<ObjectRef ref="id178241X29963"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id20049X29963"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions>
<Option name="asa8_nat_dns">True</Option>
<Option name="color">#8BC065</Option>
</NATRuleOptions>
</NATRule>
<NATRule id="id168336X32146" disabled="False" group="" position="10" action="Translate" comment="for #1902&#10;can't use dns with destination matching or translation&#10;">
<OSrc neg="False">
<ObjectRef ref="id178241X29963"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="id4388C37D674"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id20049X29963"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions>
<Option name="asa8_nat_dns">True</Option>
<Option name="color">#8BC065</Option>
</NATRuleOptions>
</NATRule>
<NATRule id="id168390X32146" disabled="False" group="" position="11" action="Translate" comment="for #1902&#10;cant use dns with service translation either&#10;">
<OSrc neg="False">
<ObjectRef ref="id178241X29963"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="tcp-SMTP"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id20049X29963"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions>
<Option name="asa8_nat_dns">True</Option>
<Option name="color">#8BC065</Option>
</NATRuleOptions>
</NATRule>
<RuleSetOptions/>
</NAT>
<Policy id="id19857X26146" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">

2
test/pix/pix515.fw.orig
View File

@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3427
!
! Generated Tue Jan 11 10:26:19 2011 PST by vadim
! Generated Tue Jan 11 10:54:25 2011 PST by vadim
!
! Compiled for pix 7.0
! Outbound ACLs: supported

2
test/pix/real.fw.orig
View File

@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3427
!
! Generated Tue Jan 11 10:26:19 2011 PST by vadim
! Generated Tue Jan 11 10:54:26 2011 PST by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported