with service set to "http" and destination set to asa firewall
object should generate different command syntax". Policy rules
that have firewall object in Destination and http object in
Service now generate "http" commands. This is similar to how
fwbuilder generates "ssh", "telnet" and "icmp" commands to permit
corresponding services to the firewall itself.
files upon closing editor panel". If user opened two data files in
the GUI and was in the process of editing objects in one of them,
the GUI would flip to the other file under certin circumstances.
see #2265 "ASA 8.3 acl import: access-list commands using two
named objects or object-groups", see #2290 "Access lists that
include mix of service objects and inline service definitions are
not properly imported". To import access-list command that matches
both source and destination tcp/udp ports and uses object-group in
either match I should create a new service group with a collection
of TCP or UDP service objects matching all combinations of source
and destination port ranges defined by the rule. This should work
when one or both matches use object-group in combination with
inline port match.
importer enounters access-list command that matches tcp or udp
ports with "neq" port operators in both source and
destination. This configuration is not supported by import at this
time.
3213019 "FWSM Network zone and IPv6". Currently we do not support
ipv6 with PIX/ASA and FWSM. If user creates a group to be used as
network zone object and places ipv6 address in it, this address
should be ignored while compiling the policy but this should not
be an error.
access-list destination address and original service not set".
"Nat" and "static" commands that use access-list should import all
components of the access-list command (source, destination and
service/protocol).
nat rule has wrong interface defined". Importer mixed up inbound
and outbound interfaces in NAT commands created from combination
of "global" and "nat" PIX/ASA commands.
ends up with rules being created with duplicate rule
numbers". Also see #2172 "Crash when deleting rule - related to
#2171". When user deleted the last rule in a rule set, then used
Undo to restore it, the program lost track of rules in the rule
set and became unstable.
same service object-group that matches some tcp or udp ports can
be used to match both source and destination ports in an
access-list command. Importer should recognize when such group
is used to match source ports and create mirrored group with
potentially mirrored service objects. This should work when group
includes other groups.
test cases in asa8.3-acl.test
