onkelbeh/fwbuilder
1
0
Fork 0
mirror of https://github.com/fwbuilder/fwbuilder synced 2026-03-20 10:17:16 +01:00
Code Issues Releases Wiki Activity
fwbuilder/test/pix/cluster1-1_pix1.fw.orig
Vadim Kurland 59f40e5d71 * PolicyCompiler_pix.cpp (printPreambleCommands): see #2347 "FWSM 
move up the "access-list mode auto-commit" command". Command that
configures access list commit mode should be issued before any
commands that clear and configure access lists. Also in this
change moving commands that set up temporary access list to the
top of the script.
2011-04-14 12:11:15 -07:00

215 lines
5.2 KiB
Plaintext
Executable File
Raw Blame History

!
! This is automatically generated file. DO NOT MODIFY !
!
! Firewall Builder fwb_pix v4.2.0.3526
!
! Generated Thu Apr 14 12:07:26 2011 PDT by vadim
!
! Compiled for pix 7.0
! Outbound ACLs: supported
! Emulate outbound ACLs: yes
! Generating outbound ACLs: yes
! Assume firewall is part of any: yes
!
!# files: * cluster1-1_pix1.fw
!
!
! pix1::: warning: Interface Ethernet0 has vlan subinterfaces, it can not be used for ACL. Marking this interface "unprotected" to exclude it.
!
! Prolog script:
!
!
! End of prolog script:
!
hostname pix1
interface Ethernet1
nameif inside
ip address 10.3.14.206 255.255.255.0 standby 10.3.14.207
security-level 100
exit
interface Ethernet0
no nameif
no ip address
no security-level
exit
interface Ethernet2
description LAN/STATE Failover Interface
no nameif
exit
interface Ethernet0.101
vlan 101
nameif outside
ip address 192.0.2.253 255.255.255.0 standby 192.0.2.254
security-level 0
exit
interface Ethernet0.102
vlan 102
nameif dmz20
ip address 10.0.0.253 255.255.255.0 standby 10.0.0.254
security-level 20
exit
failover lan unit primary
failover lan interface failover Ethernet2
failover lan enable
failover key super_secret
failover interface ip failover 172.17.1.253 255.255.255.252 standby 172.17.1.254
failover link failover Ethernet2
failover interface ip failover 172.17.1.253 255.255.255.252 standby 172.17.1.254
failover
no logging buffered
no logging console
no logging timestamp
no logging on
timeout xlate 0:0:30
timeout conn 0:0:0
timeout udp 0:0:0
timeout sunrpc 0:0:0
timeout h323 0:0:0
timeout sip 0:0:0
timeout sip_media 0:0:0
timeout half-closed 0:0:0
timeout uauth 0:0:0
clear config ssh
aaa authentication ssh console LOCAL
clear config snmp-server
no snmp-server enable traps
clear config ntp
no service resetinbound
no service resetoutside
no sysopt connection timewait
no sysopt nodnsalias inbound
no sysopt nodnsalias outbound
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
service-policy global_policy global
!################
clear xlate
clear config static
clear config global
clear config nat
clear config access-list
clear config icmp
clear config telnet
clear config object-group
clear config object
object-group network id56590X61097.src.net.0
network-object host 10.3.14.206
network-object host 10.3.14.207
exit
object-group network id56590X61097.src.net.1
network-object host 172.17.1.253
network-object host 172.17.1.254
network-object host 192.0.2.253
network-object host 192.0.2.254
exit
object-group network id56590X61097.src.net.2
network-object host 10.0.0.253
network-object host 10.0.0.254
exit
object-group network id56627X61097.src.net.0
network-object host 172.17.1.253
network-object host 192.0.2.253
exit
!
! Rule 0 (Ethernet0.101)
! anti spoofing rule
access-list outside_in deny ip object-group id56590X61097.src.net.0 any log 2 interval 300
access-list outside_in deny ip object-group id56590X61097.src.net.1 any log 2 interval 300
access-list outside_in deny ip object-group id56590X61097.src.net.2 any log 2 interval 300
access-list outside_in deny ip 10.3.14.0 255.255.255.0 any log 2 interval 300
!
! Rule 1 (global)
! SSH Access to firewall is permitted
! only from internal network
ssh 10.3.14.0 255.255.255.0 inside
!
! Rule 2 (global)
ssh 10.3.14.0 255.255.255.0 inside
!
! Rule 3 (global)
! Firewall uses one of the machines
! on internal network for DNS
access-list inside_out permit udp host 10.3.14.206 10.3.14.0 255.255.255.0 eq 53 log 2 interval 300
access-list inside_out permit udp object-group id56627X61097.src.net.0 10.3.14.0 255.255.255.0 eq 53 log 2 interval 300
access-list inside_out permit udp host 10.0.0.253 10.3.14.0 255.255.255.0 eq 53 log 2 interval 300
!
! Rule 4 (global)
! Firewall uses one of the machines
! on internal network for DNS
access-list inside_out permit udp object-group id56590X61097.src.net.0 10.3.14.0 255.255.255.0 eq 53 log 2 interval 300
access-list inside_out permit udp object-group id56590X61097.src.net.1 10.3.14.0 255.255.255.0 eq 53 log 2 interval 300
access-list inside_out permit udp object-group id56590X61097.src.net.2 10.3.14.0 255.255.255.0 eq 53 log 2 interval 300
!
! Rule 5 (global)
! All other attempts to connect to
! the firewall are denied and logged
access-list inside_in deny ip any object-group id56590X61097.src.net.0 log 2 interval 300
access-list inside_in deny ip any object-group id56590X61097.src.net.1 log 2 interval 300
access-list inside_in deny ip any object-group id56590X61097.src.net.2 log 2 interval 300
!
! Rule 6 (global)
access-list inside_in permit ip 10.3.14.0 255.255.255.0 any
access-list inside_out permit ip 10.3.14.0 255.255.255.0 any
!
! Rule 7 (global)
access-list inside_in deny ip any any log 2 interval 300
access-list inside_out deny ip any any log 2 interval 300
access-group inside_in in interface inside
access-group inside_out out interface inside
access-group outside_in in interface outside
!
! Rule 0 (NAT)
global (outside) 1 interface
access-list id56689X61097.0 permit ip 10.3.14.0 255.255.255.0 any
nat (inside) 1 access-list id56689X61097.0 tcp 0 0
!
! Epilog script:
!
! End of epilog script:
!
Reference in New Issue View Git Blame Copy Permalink