mirror of https://github.com/fwbuilder/fwbuilder
synced 2026-03-19 17:57:22 +01:00
3213019 "FWSM Network zone and IPv6". Currently we do not support IPv6 with PIX/ASA and FWSM. If the user creates a group to be used as a network zone object and places an IPv6 address in it, this address should be ignored while compiling the policy, but this should not be an error.
694 lines
30 KiB
Plaintext
Executable File
!
! This is automatically generated file. DO NOT MODIFY !
!
! Firewall Builder fwb_pix v4.2.0.3519
!
! Generated Thu Apr 7 10:50:12 2011 PDT by vadim
!
! Compiled for pix 6.2
! Outbound ACLs: not supported
! Emulate outbound ACLs: yes
! Generating outbound ACLs: no
! Assume firewall is part of any: yes
!
!# files: * firewall.fw
!
! this is simple firewall with two interfaces. Test regular policy rules, including IP_fragments rule

! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '1 (ethernet1)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '2 (ethernet1)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '3 (ethernet1)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '3 (ethernet1)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '3 (ethernet1)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '3 (ethernet1)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '4 (ethernet0)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '4 (ethernet0)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '4 (ethernet0)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '5 (ethernet0)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '5 (ethernet0)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '5 (ethernet0)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '5 (ethernet0)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '5 (ethernet0)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '5 (ethernet0)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '5 (ethernet0)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '5 (ethernet0)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '5 (ethernet0)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '5 (ethernet0)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '5 (ethernet0)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '5 (ethernet0)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '5 (ethernet0)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '5 (ethernet0)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '6 (ethernet0)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '8 (global)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '8 (global)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '8 (global)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '9 (global)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '9 (global)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '9 (global)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '9 (global)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '9 (global)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '9 (global)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '9 (global)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '9 (global)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '10 (global)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '10 (global)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '10 (global)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '12 (global)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '12 (global)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '12 (global)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '12 (global)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '13 (global)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '14 (global)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '15 (global)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '15 (global)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '15 (global)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '15 (global)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '15 (global)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '15 (global)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '16 (global)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '16 (global)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '16 (global)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '16 (global)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '16 (global)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '16 (global)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '16 (global)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '16 (global)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '16 (global)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '16 (global)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '16 (global)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '16 (global)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '16 (global)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '16 (global)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '16 (global)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '16 (global)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '16 (global)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '16 (global)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '16 (global)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '16 (global)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '16 (global)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '16 (global)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '16 (global)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '16 (global)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '16 (global)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '16 (global)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '16 (global)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '16 (global)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '16 (global)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '16 (global)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '16 (global)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '16 (global)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '16 (global)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '16 (global)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '16 (global)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '16 (global)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '16 (global)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '16 (global)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '16 (global)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '16 (global)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '17 (global)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '17 (global)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '17 (global)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '17 (global)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '17 (global)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '17 (global)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '17 (global)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '17 (global)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '18 (global)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '18 (global)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '18 (global)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '18 (global)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '18 (global)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '18 (global)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '18 (global)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '18 (global)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '18 (global)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '18 (global)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '18 (global)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '18 (global)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '18 (global)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '18 (global)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '18 (global)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '18 (global)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '18 (global)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '18 (global)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '18 (global)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '18 (global)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '18 (global)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '18 (global)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '18 (global)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '18 (global)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '18 (global)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '18 (global)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '18 (global)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '18 (global)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '18 (global)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '18 (global)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '18 (global)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '18 (global)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '18 (global)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '18 (global)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '18 (global)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '18 (global)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '18 (global)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '19 (global)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '19 (global)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '19 (global)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '19 (global)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '19 (global)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '19 (global)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '20 (global)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '23 (global)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '23 (global)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '23 (global)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '23 (global)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '23 (global)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '23 (global)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '23 (global)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '23 (global)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '23 (global)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '24 (global)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '24 (global)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '24 (global)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '24 (global)' below it
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '25 (global)' below it
! C firewall:Policy:3: warning: Rule with direction 'Outbound' was suppressed because generation of outbound access lists is turned off in firewall object settings
! C firewall:Policy:13: warning: MAC address matching is not supported. One or several MAC addresses removed from source in the rule

! N firewall:NAT:6: warning: Original destination is ignored in 'nat' NAT rules when compiling for PIX v6.2 and earlier.

! R firewall:Routing:3: error: Interface and gateway rule elements can not be empty in the PIX routing rule
! R firewall:Routing:4: error: Interface and gateway rule elements can not be empty in the PIX routing rule
! R firewall:Routing:5: error: Interface and gateway rule elements can not be empty in the PIX routing rule
! R firewall:Routing:7: error: MultiPath routing not supported by platform
! R firewall:Routing:8: warning: Two of the sub rules created from the gui routing rules 7 (main) and 8 (main) are identical, skipping the second. Revise them to avoid this warning

!
! Prolog script:
!

!
! End of prolog script:
!


hostname firewall

nameif ethernet1 outside security0

nameif ethernet0 inside security100

nameif ethernet2 dmz security50


logging host inside 192.168.1.30
logging queue 512
logging facility 16
logging trap 1
no logging buffered
no logging console
no logging timestamp
logging on


timeout xlate 3:0:0
timeout conn 1:0:0
timeout udp 0:2:0
timeout rpc 0:10:0
timeout h323 0:5:0
timeout sip 0:30:0
timeout sip_media 0:0:0
timeout half-closed 0:0:0
timeout uauth 2:0:0 absolute

telnet timeout 5

clear ssh
aaa authentication ssh console LOCAL
ssh timeout 5

clear snmp-server
snmp-server community public
snmp-server enable traps
snmp-server host inside 192.168.1.20 poll
snmp-server host inside 192.168.1.22 trap

clear ntp
ntp server 192.168.1.20 source inside prefer


no service resetinbound
no service resetoutside
sysopt connection tcpmss 1380
sysopt connection timewait
sysopt security fragguard
sysopt nodnsalias inbound
sysopt nodnsalias outbound
no sysopt route dnat
floodguard disable


fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521

clear xlate
clear static
clear global
clear nat
clear access-list dmz_acl_in
clear access-list inside_acl_in
clear access-list outside_acl_in
clear icmp
clear telnet
clear object-group


object-group network id3C4E4C38.dst.net.0
network-object host 211.11.11.11
network-object host 211.22.22.22
exit

object-group service id3C4E4C38.srv.tcp.0 tcp
port-object eq 113
port-object eq 80
port-object eq 443
port-object eq 143
port-object eq 25
port-object eq 22
port-object eq 540
exit

object-group icmp-type id3D8FCE32.srv.icmp.0
icmp-object 3
icmp-object 0
icmp-object 11
exit

object-group service pol-firewall2-2.srv.tcp.0 tcp
port-object eq 70
port-object eq 6667
port-object eq 3128
port-object eq 23
exit

object-group service pol-firewall2-2.srv.udp.0 udp
port-object eq 53
port-object eq 161
exit

object-group network pol-firewall2-3.dst.net.0
network-object host 192.168.1.10
network-object host 192.168.1.20
exit

object-group network id3E155E82.dst.net.0
network-object 192.168.1.250 255.255.255.254
network-object 192.168.1.252 255.255.255.252
exit

object-group network id3D0F8031.dst.net.0
network-object 192.168.1.250 255.255.255.254
network-object 192.168.1.252 255.255.255.252
exit

object-group network id3CD87B1E.dst.net.0
network-object host 192.168.1.11
network-object host 192.168.1.12
network-object host 192.168.1.13
network-object host 192.168.1.14
network-object host 192.168.1.15
exit

object-group service id3CD87B1E.srv.tcp.0 tcp
port-object eq 113
port-object eq 80
port-object eq 443
port-object eq 143
port-object eq 25
port-object eq 3128
port-object eq 22
port-object eq 540
exit

object-group network id3CD8770E.dst.net.0
network-object 192.168.1.11 255.255.255.255
network-object 192.168.1.12 255.255.255.252
exit

object-group service pol-firewall2-4.srv.tcp.0 tcp
port-object eq 113
port-object eq 13
port-object eq 53
port-object eq 2105
port-object eq 21
port-object eq 70
port-object eq 80
port-object eq 443
port-object eq 143
port-object eq 993
port-object eq 6667
port-object eq 6667
port-object eq 543
port-object eq 544
port-object eq 389
port-object eq 98
port-object eq 3306
port-object eq 2049
port-object eq 119
port-object eq 110
port-object eq 5432
port-object eq 515
port-object eq 26000
port-object eq 512
port-object eq 513
port-object eq 514
port-object eq 4321
port-object eq 25
port-object eq 465
port-object eq 1080
port-object eq 3128
port-object eq 22
port-object eq 111
port-object eq 23
port-object range 10000 11000
port-object eq 540
port-object eq 7100
exit


!################

clear access-list tmp_acl
access-list tmp_acl permit ip 192.168.1.0 255.255.255.0 any
access-list tmp_acl deny ip any any

access-group tmp_acl in interface outside
access-group tmp_acl in interface inside

!
! Rule -1 backup ssh access rule (automatic)
ssh 192.168.1.100 255.255.255.255 inside
!
! Rule 0 (global)
! firewall:Policy:0: error: Rule '0 (global)' shadows rule '1 (ethernet1)' below it
! firewall:Policy:0: error: Rule '0 (global)' shadows rule '10 (global)' below it
! firewall:Policy:0: error: Rule '0 (global)' shadows rule '12 (global)' below it
! firewall:Policy:0: error: Rule '0 (global)' shadows rule '13 (global)' below it
! firewall:Policy:0: error: Rule '0 (global)' shadows rule '14 (global)' below it
! firewall:Policy:0: error: Rule '0 (global)' shadows rule '15 (global)' below it
! firewall:Policy:0: error: Rule '0 (global)' shadows rule '16 (global)' below it
! firewall:Policy:0: error: Rule '0 (global)' shadows rule '17 (global)' below it
! firewall:Policy:0: error: Rule '0 (global)' shadows rule '18 (global)' below it
! firewall:Policy:0: error: Rule '0 (global)' shadows rule '19 (global)' below it
! firewall:Policy:0: error: Rule '0 (global)' shadows rule '2 (ethernet1)' below it
! firewall:Policy:0: error: Rule '0 (global)' shadows rule '20 (global)' below it
! firewall:Policy:0: error: Rule '0 (global)' shadows rule '23 (global)' below it
! firewall:Policy:0: error: Rule '0 (global)' shadows rule '24 (global)' below it
! firewall:Policy:0: error: Rule '0 (global)' shadows rule '25 (global)' below it
! firewall:Policy:0: error: Rule '0 (global)' shadows rule '3 (ethernet1)' below it
! firewall:Policy:0: error: Rule '0 (global)' shadows rule '4 (ethernet0)' below it
! firewall:Policy:0: error: Rule '0 (global)' shadows rule '5 (ethernet0)' below it
! firewall:Policy:0: error: Rule '0 (global)' shadows rule '6 (ethernet0)' below it
! firewall:Policy:0: error: Rule '0 (global)' shadows rule '8 (global)' below it
! firewall:Policy:0: error: Rule '0 (global)' shadows rule '9 (global)' below it

access-list outside_acl_in deny ip any any
access-list inside_acl_in deny ip any any
access-list dmz_acl_in deny ip any any
!
! Rule 2 (ethernet1)
! a comment in Russian
icmp permit any 3 outside
access-list outside_acl_in permit icmp any host 22.22.22.22 3
access-list outside_acl_in permit icmp any any 3
!
! Rule 3 (ethernet1)
! anti-spoofing rule
! firewall:Policy:3: warning: Rule with direction 'Outbound' was suppressed because generation of outbound access lists is turned off in firewall object settings

access-list inside_acl_in permit ip 192.168.1.0 255.255.255.0 any
!
! Rule 4 (ethernet0)
ssh 192.168.1.0 255.255.255.0 inside
!
! Rule 5 (ethernet0)
access-list inside_acl_in permit tcp any object-group id3C4E4C38.dst.net.0 object-group id3C4E4C38.srv.tcp.0
access-list inside_acl_in permit tcp any object-group id3C4E4C38.dst.net.0 object-group id3C4E4C38.srv.tcp.0
access-list dmz_acl_in permit tcp any object-group id3C4E4C38.dst.net.0 object-group id3C4E4C38.srv.tcp.0
!
! Rule 6 (ethernet0)
access-list inside_acl_in deny ip any host 192.168.1.255
!
! Rule 8 (global)
access-list outside_acl_in permit icmp any host 192.168.1.10 object-group id3D8FCE32.srv.icmp.0
access-list inside_acl_in permit icmp any host 192.168.1.10 object-group id3D8FCE32.srv.icmp.0
access-list dmz_acl_in permit icmp any host 192.168.1.10 object-group id3D8FCE32.srv.icmp.0
!
! Rule 9 (global)
access-list outside_acl_in permit icmp any host 192.168.1.10
access-list inside_acl_in permit icmp any host 192.168.1.10
access-list dmz_acl_in permit icmp any host 192.168.1.10
access-list outside_acl_in permit tcp any host 192.168.1.10 object-group pol-firewall2-2.srv.tcp.0
access-list inside_acl_in permit tcp any host 192.168.1.10 object-group pol-firewall2-2.srv.tcp.0
access-list dmz_acl_in permit tcp any host 192.168.1.10 object-group pol-firewall2-2.srv.tcp.0
access-list outside_acl_in permit udp any host 192.168.1.10 object-group pol-firewall2-2.srv.udp.0
access-list inside_acl_in permit udp any host 192.168.1.10 object-group pol-firewall2-2.srv.udp.0
access-list dmz_acl_in permit udp any host 192.168.1.10 object-group pol-firewall2-2.srv.udp.0
access-list outside_acl_in permit 47 any host 192.168.1.10
access-list inside_acl_in permit 47 any host 192.168.1.10
access-list dmz_acl_in permit 47 any host 192.168.1.10
!
! Rule 10 (global)
access-list outside_acl_in permit icmp any host 22.22.22.22 3
icmp permit any 3 inside
access-list inside_acl_in permit icmp any host 192.168.1.1 3
icmp permit any 3 dmz
access-list dmz_acl_in permit icmp any host 192.168.2.1 3
access-list outside_acl_in permit icmp any any 3
access-list inside_acl_in permit icmp any any 3
access-list dmz_acl_in permit icmp any any 3
access-list outside_acl_in permit 47 any any
access-list inside_acl_in permit 47 any any
access-list dmz_acl_in permit 47 any any
access-list outside_acl_in permit 50 any any
access-list inside_acl_in permit 50 any any
access-list dmz_acl_in permit 50 any any
!
! Rule 12 (global)
access-list outside_acl_in permit ip object-group id3C4E4C38.dst.net.0 object-group pol-firewall2-3.dst.net.0
!
! Rule 13 (global)
! firewall:Policy:13: warning: MAC address matching is not supported. One or several MAC addresses removed from source in the rule

access-list inside_acl_in permit tcp host 192.168.1.10 object-group id3E155E82.dst.net.0 eq 3128
!
! Rule 14 (global)
access-list outside_acl_in permit tcp any object-group id3D0F8031.dst.net.0 eq 3128
access-list inside_acl_in permit tcp any object-group id3D0F8031.dst.net.0 eq 3128
access-list dmz_acl_in permit tcp any object-group id3D0F8031.dst.net.0 eq 3128
!
! Rule 15 (global)
access-list outside_acl_in permit icmp any host 22.22.22.22 3
access-list inside_acl_in permit icmp any host 192.168.1.1 3
access-list dmz_acl_in permit icmp any host 192.168.2.1 3
access-list outside_acl_in permit tcp any host 22.22.22.22 eq 80
access-list inside_acl_in permit tcp any host 192.168.1.1 eq 80
access-list dmz_acl_in permit tcp any host 192.168.2.1 eq 80
!
! Rule 16 (global)
access-list outside_acl_in permit tcp any object-group id3CD87B1E.dst.net.0 object-group id3CD87B1E.srv.tcp.0
access-list inside_acl_in permit tcp any object-group id3CD87B1E.dst.net.0 object-group id3CD87B1E.srv.tcp.0
access-list dmz_acl_in permit tcp any object-group id3CD87B1E.dst.net.0 object-group id3CD87B1E.srv.tcp.0
!
! Rule 17 (global)
access-list outside_acl_in permit tcp any object-group id3CD8770E.dst.net.0 object-group id3CD87B1E.srv.tcp.0
access-list inside_acl_in permit tcp any object-group id3CD8770E.dst.net.0 object-group id3CD87B1E.srv.tcp.0
access-list dmz_acl_in permit tcp any object-group id3CD8770E.dst.net.0 object-group id3CD87B1E.srv.tcp.0
!
! Rule 18 (global)
access-list outside_acl_in permit tcp any 192.168.1.0 255.255.255.0 object-group pol-firewall2-4.srv.tcp.0
access-list inside_acl_in permit tcp any 192.168.1.0 255.255.255.0 object-group pol-firewall2-4.srv.tcp.0
access-list dmz_acl_in permit tcp any 192.168.1.0 255.255.255.0 object-group pol-firewall2-4.srv.tcp.0
!
! Rule 19 (global)
! objects hostA and hostB are
! redundant and should be removed by
! removeRedundantAddressesFromDst
access-list outside_acl_in permit tcp any 192.168.1.0 255.255.255.0 eq 1494
access-list inside_acl_in permit tcp any 192.168.1.0 255.255.255.0 eq 1494
access-list dmz_acl_in permit tcp any 192.168.1.0 255.255.255.0 eq 1494
access-list outside_acl_in permit udp any 192.168.1.0 255.255.255.0 eq 4000
access-list inside_acl_in permit udp any 192.168.1.0 255.255.255.0 eq 4000
access-list dmz_acl_in permit udp any 192.168.1.0 255.255.255.0 eq 4000
!
! Rule 20 (global)
access-list outside_acl_in permit tcp any gt 1023 host 192.168.1.10 eq 80
access-list inside_acl_in permit tcp any gt 1023 host 192.168.1.10 eq 80
access-list dmz_acl_in permit tcp any gt 1023 host 192.168.1.10 eq 80
!
! Rule 23 (global)
access-list outside_acl_in permit ip host 22.22.22.22 host 22.22.22.22
access-list inside_acl_in permit ip host 192.168.1.1 host 192.168.1.1
access-list dmz_acl_in permit ip host 192.168.2.1 host 192.168.2.1
!
! Rule 24 (global)
access-list outside_acl_in permit ip host 22.22.22.22 any
access-list inside_acl_in permit ip host 192.168.1.1 any
access-list dmz_acl_in permit ip host 192.168.2.1 any
access-list inside_acl_in permit ip 192.168.1.0 255.255.255.0 any
!
! Rule 25 (global)
access-list outside_acl_in deny ip any any
access-list inside_acl_in deny ip any any
access-list dmz_acl_in deny ip any any


access-group dmz_acl_in in interface dmz
access-group inside_acl_in in interface inside
access-group outside_acl_in in interface outside

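The shadowing errors in the header are what this fixture exercises: rule 0 is a global deny, and with "Emulate outbound ACLs: yes" and "Assume firewall is part of any: yes" it lands as "deny ip any any" at the top of outside_acl_in, inside_acl_in and dmz_acl_in, so no later entry in those lists can ever match and the compiler reports one error per generated sub-rule. Note also the tmp_acl block at the start of the policy section: it binds a temporary permit for 192.168.1.0/24 to both interfaces before the real lists are cleared and rebuilt, which is what keeps the management session alive across the reload. The script below is an added example, not fwbuilder's compiler code. It runs the same first-match coverage check over PIX 6.x access-list lines, handles the syntax subset used in this file, and treats object-group names as opaque (an assumption: a group is only known to cover an identical group). SAMPLE_ACL is constructed from lines above: the emulated top deny in outside_acl_in, rule 5's duplicated entry, and rule 13's entry (with a plain network in place of its object-group), which rule 3's "permit ip 192.168.1.0 255.255.255.0 any" already covers in inside_acl_in.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple, Union

# Added example, not fwbuilder code. PIX 6.x ACE subset: any / host A / A MASK / object-group NAME
# addresses; eq, gt, lt, range or object-group ports; trailing ICMP type. Groups are opaque names.
Addr = Union[str, ipaddress.IPv4Network, Tuple[str, str]]  # "any" | network | ("og", name)
Ports = Optional[Union[Tuple[int, int], Tuple[str, str]]]  # None = every port

@dataclass
class Entry:
    acl: str
    action: str
    proto: str
    src: Addr
    sport: Ports
    dst: Addr
    dport: Ports
    icmp_type: Optional[int]

def _take_addr(tok: List[str]) -> Addr:
    t = tok.pop(0)
    if t == "any":
        return "any"
    if t == "host":
        return ipaddress.IPv4Network(tok.pop(0) + "/32")
    if t == "object-group":
        return ("og", tok.pop(0))
    return ipaddress.IPv4Network(f"{t}/{tok.pop(0)}", strict=False)

def _take_ports(tok: List[str], allow_group: bool) -> Ports:
    ops = {"eq", "gt", "lt", "range"} | ({"object-group"} if allow_group else set())
    if not tok or tok[0] not in ops:
        return None
    op = tok.pop(0)
    if op == "object-group":
        return ("og", tok.pop(0))
    if op == "range":
        return (int(tok.pop(0)), int(tok.pop(0)))
    n = int(tok.pop(0))
    return {"eq": (n, n), "gt": (n + 1, 65535), "lt": (0, n - 1)}[op]

def parse_ace(line: str) -> Optional[Entry]:
    tok = line.split()
    if len(tok) < 6 or tok[0] != "access-list":
        return None
    acl, action, proto = tok[1:4]
    rest = tok[4:]
    src = _take_addr(rest)
    sport = _take_ports(rest, allow_group=False)  # a group right after SRC is the destination
    dst = _take_addr(rest)
    dport = _take_ports(rest, allow_group=True)
    icmp_type = int(rest.pop(0)) if rest and proto == "icmp" and rest[0].isdigit() else None
    return Entry(acl, action, proto, src, sport, dst, dport, icmp_type)

def _addr_covers(a: Addr, b: Addr) -> bool:
    if a == "any" or b == "any" or isinstance(a, tuple) or isinstance(b, tuple):
        return a == "any" or a == b
    return a.supernet_of(b)

def _ports_cover(a: Ports, b: Ports) -> bool:
    if a is None or b is None or isinstance(a[0], str) or isinstance(b[0], str):
        return a is None or a == b
    return a[0] <= b[0] and b[1] <= a[1]

def covers(a: Entry, b: Entry) -> bool:
    # True when every packet b would match is already matched by the earlier entry a.
    return (a.proto in ("ip", b.proto)
            and _addr_covers(a.src, b.src) and _addr_covers(a.dst, b.dst)
            and _ports_cover(a.sport, b.sport) and _ports_cover(a.dport, b.dport)
            and (a.icmp_type is None or a.icmp_type == b.icmp_type))

def find_shadowed(text: str) -> List[Tuple[str, int, int, str]]:
    """(acl, earlier index, shadowed index, "overridden" if the actions differ else "dead")."""
    per_acl: Dict[str, List[Entry]] = {}
    for line in text.splitlines():
        e = parse_ace(line.strip())
        if e:
            per_acl.setdefault(e.acl, []).append(e)
    findings = []
    for acl, entries in per_acl.items():
        for i, later in enumerate(entries):
            for j in range(i):  # first earlier entry in the same list that fully covers this one
                if covers(entries[j], later):
                    kind = "dead" if entries[j].action == later.action else "overridden"
                    findings.append((acl, j, i, kind))
                    break
    return findings

# Constructed sample modelled on the ACLs above (rule 0's top deny, rule 5's duplicate, rule 13 behind rule 3).
SAMPLE_ACL = """\
access-list outside_acl_in deny ip any any
access-list outside_acl_in permit icmp any host 22.22.22.22 3
access-list outside_acl_in permit tcp any gt 1023 host 192.168.1.10 eq 80
access-list inside_acl_in permit ip 192.168.1.0 255.255.255.0 any
access-list inside_acl_in permit tcp any object-group id3C4E4C38.dst.net.0 object-group id3C4E4C38.srv.tcp.0
access-list inside_acl_in permit tcp any object-group id3C4E4C38.dst.net.0 object-group id3C4E4C38.srv.tcp.0
access-list inside_acl_in permit tcp host 192.168.1.10 192.168.1.0 255.255.255.0 eq 3128
"""
if __name__ == "__main__":
    for acl, j, i, kind in find_shadowed(SAMPLE_ACL):
        print(f"{acl}: entry {i} is {kind} by entry {j}")
```

On the sample, the two outside_acl_in findings are "overridden" (a deny ahead of a permit: the policy bug the compiler is complaining about), while the two inside_acl_in findings are "dead" (the same action twice: harmless, but clutter that hides real problems). Object-group contents are not expanded, so a group that is a subset of another group, or of a plain network, is not detected; expand the groups first if that matters for the policy being reviewed.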
!
! Rule 0 (NAT)
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
global (dmz) 1 interface
!
!
! Rule 1 (NAT)
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
!
! Rule 2 (NAT)
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
!
!
! Rule 3 (NAT)
global (outside) 1 22.22.22.0 netmask 255.255.255.0
!
!
! Rule 4 (NAT)
global (outside) 1 22.22.22.21-22.22.22.25 netmask 255.255.255.0
!
!
! Rule 5 (NAT)
static (inside,outside) tcp interface 25 192.168.1.10 25 0 0
!
! Rule 6 (NAT)
! firewall:NAT:6: warning: Original destination is ignored in 'nat' NAT rules when compiling for PIX v6.2 and earlier.

global (inside) 8 interface
nat (dmz) 8 192.168.2.0 255.255.255.0 outside
!
! Rule 7 (NAT)

clear access-list nat0.inside
access-list nat0.inside permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list nat0.inside
!
! Rule 8 (NAT)

access-list nat0.inside permit ip host 192.168.1.11 192.168.2.0 255.255.255.0

access-list nat0.inside permit ip host 192.168.1.12 192.168.2.0 255.255.255.0

access-list nat0.inside permit ip host 192.168.1.13 192.168.2.0 255.255.255.0

access-list nat0.inside permit ip host 192.168.1.14 192.168.2.0 255.255.255.0

access-list nat0.inside permit ip host 192.168.1.15 192.168.2.0 255.255.255.0
!
! Rule 9 (NAT)
nat (dmz) 0 0 0
!
! Rule 10 (NAT)
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
!
! Rule 11 (NAT)
static (inside,dmz) 192.168.1.10 192.168.1.10 netmask 255.255.255.255

!
! Rule 0 (main)
!
! "Routing rule 0 (main)"
!
!
!
route outside 0.0.0.0 0.0.0.0 22.22.22.254 1
!
! Rule 1 (main)
!
! "Routing rule 1 (main)"
!
!
!
route inside 10.3.14.0 255.255.255.0 192.168.1.254 1
!
! Rule 2 (main)
!
! "Routing rule 2 (main)"
!
!
!
route inside 10.1.2.0 255.255.255.0 192.168.1.254 1
!
! Rule 3 (main)
!
! "Routing rule 3 (main)"
!
!
!
! firewall:Routing:3: error: Interface and gateway rule elements can not be empty in the PIX routing rule

route 10.1.3.0 255.255.255.0 192.168.1.254 1
!
! Rule 4 (main)
!
! "Routing rule 4 (main)"
!
!
!
! firewall:Routing:4: error: Interface and gateway rule elements can not be empty in the PIX routing rule

route inside 10.1.4.0 255.255.255.0 1
!
! Rule 5 (main)
!
! "Routing rule 5 (main)"
!
!
!
! firewall:Routing:5: error: Interface and gateway rule elements can not be empty in the PIX routing rule

route 10.1.5.0 255.255.255.0 1
!
! Rule 6 (main)
!
! "Routing rule 6 (main)"
!
!
!
route outside 33.33.33.0 255.255.255.0 22.22.22.100 1
!
! Rule 7 (main)
!
! "Routing rule 7 (main)"
!

!
! Epilog script:
!

! End of epilog script:
!
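The routing errors in the header match what is visible in the routing section: rules 3, 4 and 5 produced route lines that lack the interface name, the gateway, or both (PIX rejects all three at load time), and rule 7 produced no route at all because a destination with two gateways cannot be expressed on this platform. The script below is an added example, not fwbuilder code, that checks route lines for exactly those conditions against the form "route IFNAME NET MASK GATEWAY [METRIC]". SAMPLE_ROUTES is constructed from the route lines above plus one hypothetical second gateway, 22.22.22.101, for 33.33.33.0/24 to stand in for rule 7's two-gateway case.

```python
import ipaddress
from typing import Iterable, List, Tuple

# Added example, not fwbuilder code: validates PIX 6.x static routes of the form
#   route IFNAME NET MASK GATEWAY [METRIC]
# for a missing interface, a missing gateway, and a second path to a destination that
# already has one (no equal-cost multipath on this platform).

def _is_ipv4(tok: str) -> bool:
    try:
        ipaddress.IPv4Address(tok)
        return True
    except ValueError:
        return False

def check_routes(text: str, interfaces: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (route line, problem) pairs; a line with two problems appears twice."""
    names = set(interfaces)
    problems: List[Tuple[str, str]] = []
    seen = set()
    for raw in text.splitlines():
        line = raw.strip()
        tok = line.split()
        if len(tok) < 2 or tok[0] != "route":
            continue
        tok = tok[1:]
        has_if = tok[0] in names                 # first word must be a configured nameif
        addrs = [t for t in tok if _is_ipv4(t)]  # NET, MASK, GATEWAY; the metric is a bare integer
        if not has_if:
            problems.append((line, "interface missing"))
        if len(addrs) < 2:
            problems.append((line, "destination network/mask missing"))
            continue
        if len(addrs) < 3:
            problems.append((line, "gateway missing"))
        dest = ipaddress.IPv4Network(f"{addrs[0]}/{addrs[1]}", strict=False)
        if dest in seen:
            problems.append((line, f"multipath to {dest} not supported"))
        seen.add(dest)
    return problems

# Constructed from the route lines above, plus a hypothetical second gateway for 33.33.33.0/24.
SAMPLE_ROUTES = """\
route outside 0.0.0.0 0.0.0.0 22.22.22.254 1
route inside 10.3.14.0 255.255.255.0 192.168.1.254 1
route inside 10.1.2.0 255.255.255.0 192.168.1.254 1
route 10.1.3.0 255.255.255.0 192.168.1.254 1
route inside 10.1.4.0 255.255.255.0 1
route 10.1.5.0 255.255.255.0 1
route outside 33.33.33.0 255.255.255.0 22.22.22.100 1
route outside 33.33.33.0 255.255.255.0 22.22.22.101 1
"""

if __name__ == "__main__":
    for line, problem in check_routes(SAMPLE_ROUTES, ["outside", "inside", "dmz"]):
        print(f"{problem}: {line}")
```

The interface list is taken from the nameif lines, which is also why a check like this belongs in the deployment step rather than only in the GUI: a route whose interface name is not configured on the box fails in the same way as one with no interface at all.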