mirror of
https://github.com/fwbuilder/fwbuilder
synced 2026-03-21 02:37:16 +01:00
59f40e5d71
move up the "access-list mode auto-commit" command". Command that configures access list commit mode should be issued before any commands that clear and configure access lists. Also in this change moving commands that set up temporary access list to the top of the script.
181 lines
4.4 KiB
Plaintext
Executable File
181 lines
4.4 KiB
Plaintext
Executable File
!
|
|
! This is automatically generated file. DO NOT MODIFY !
|
|
!
|
|
! Firewall Builder fwb_pix v4.2.0.3526
|
|
!
|
|
! Generated Thu Apr 14 12:07:14 2011 PDT by vadim
|
|
!
|
|
! Compiled for pix 6.3
|
|
! Outbound ACLs: not supported
|
|
! Emulate outbound ACLs: yes
|
|
! Generating outbound ACLs: no
|
|
! Assume firewall is part of any: no
|
|
!
|
|
!# files: * firewall12.fw
|
|
!
|
|
! this firewall has DMZ using routable address
|
|
|
|
|
|
|
|
!
|
|
! Prolog script:
|
|
!
|
|
|
|
!
|
|
! End of prolog script:
|
|
!
|
|
|
|
|
|
|
|
|
|
hostname firewall12
|
|
|
|
nameif ethernet0 outside security0
|
|
ip address outside dhcp setroute retry 10
|
|
|
|
nameif ethernet1 inside security100
|
|
ip address inside 10.3.14.20 255.255.255.0
|
|
|
|
nameif ethernet2 dmz50 security50
|
|
ip address dmz50 192.0.2.1 255.255.255.0
|
|
|
|
|
|
|
|
logging host inside 10.3.14.10 format emblem
|
|
logging queue 1000
|
|
logging facility 16
|
|
no logging buffered
|
|
no logging console
|
|
no logging timestamp
|
|
logging on
|
|
logging device-id string real_firewall
|
|
|
|
|
|
timeout xlate 0:0:30
|
|
timeout conn 0:0:0
|
|
timeout udp 0:0:0
|
|
timeout rpc 0:0:0
|
|
timeout h323 0:0:0
|
|
timeout sip 0:0:0
|
|
timeout sip_media 0:0:0
|
|
timeout half-closed 0:0:0
|
|
timeout uauth 0:0:0 absolute
|
|
|
|
telnet timeout 5
|
|
|
|
clear ssh
|
|
aaa authentication ssh console LOCAL
|
|
ssh timeout 5
|
|
|
|
snmp-server community public
|
|
snmp-server enable traps
|
|
snmp-server host inside 10.3.14.40 poll
|
|
|
|
ntp server 10.3.14.30 source inside
|
|
|
|
|
|
no service resetinbound
|
|
no service resetoutside
|
|
no sysopt connection timewait
|
|
no sysopt nodnsalias inbound
|
|
no sysopt nodnsalias outbound
|
|
floodguard disable
|
|
|
|
|
|
fixup protocol dns maximum-length 65535
|
|
fixup protocol ftp 21
|
|
fixup protocol http 80
|
|
fixup protocol icmp error
|
|
|
|
!################
|
|
clear object-group
|
|
|
|
|
|
object-group network id3F8F95CD.dst.net.0
|
|
network-object host 192.0.2.20
|
|
network-object host 192.0.2.21
|
|
network-object host 192.0.2.23
|
|
exit
|
|
|
|
!
|
|
! Rule 0 (global)
|
|
access-list inside_acl_in remark 0 (global)
|
|
access-list inside_acl_in permit ip 10.3.14.0 255.255.255.0 any
|
|
!
|
|
! Rule 1 (global)
|
|
ssh 10.3.14.0 255.255.255.0 inside
|
|
!
|
|
! Rule 2 (global)
|
|
icmp permit any 0 outside
|
|
access-list outside_acl_in remark 2 (global)
|
|
access-list outside_acl_in permit icmp any interface outside 0
|
|
icmp permit any 0 inside
|
|
access-list inside_acl_in remark 2 (global)
|
|
access-list inside_acl_in permit icmp any host 10.3.14.20 0
|
|
icmp permit any 0 dmz50
|
|
access-list dmz50_acl_in remark 2 (global)
|
|
access-list dmz50_acl_in permit icmp any host 192.0.2.1 0
|
|
!
|
|
! Rule 3 (global)
|
|
! this comment
|
|
! consists of
|
|
! 3 lines of text
|
|
access-list outside_acl_in remark 3 (global)
|
|
access-list outside_acl_in remark this comment
|
|
access-list outside_acl_in remark consists of
|
|
access-list outside_acl_in remark 3 lines of text
|
|
access-list outside_acl_in permit tcp any interface outside eq 80
|
|
access-list outside_acl_in permit tcp any object-group id3F8F95CD.dst.net.0 eq 80
|
|
access-list inside_acl_in remark 3 (global)
|
|
access-list inside_acl_in remark this comment
|
|
access-list inside_acl_in remark consists of
|
|
access-list inside_acl_in remark 3 lines of text
|
|
access-list inside_acl_in permit tcp any object-group id3F8F95CD.dst.net.0 eq 80
|
|
access-list dmz50_acl_in remark 3 (global)
|
|
access-list dmz50_acl_in remark this comment
|
|
access-list dmz50_acl_in remark consists of
|
|
access-list dmz50_acl_in remark 3 lines of text
|
|
access-list dmz50_acl_in permit tcp any object-group id3F8F95CD.dst.net.0 eq 80
|
|
!
|
|
! Rule 4 (global)
|
|
access-list outside_acl_in remark 4 (global)
|
|
access-list outside_acl_in permit tcp any interface outside eq 80
|
|
!
|
|
! Rule 5 (global)
|
|
access-list dmz50_acl_in remark 5 (global)
|
|
access-list dmz50_acl_in permit tcp any host 192.0.2.1 eq 80
|
|
!
|
|
! Rule 6 (global)
|
|
access-list outside_acl_in remark 6 (global)
|
|
access-list outside_acl_in deny ip any any log 5 interval 120
|
|
access-list inside_acl_in remark 6 (global)
|
|
access-list inside_acl_in deny ip any any log 5 interval 120
|
|
access-list dmz50_acl_in remark 6 (global)
|
|
access-list dmz50_acl_in deny ip any any log 5 interval 120
|
|
|
|
|
|
access-group dmz50_acl_in in interface dmz50
|
|
access-group inside_acl_in in interface inside
|
|
access-group outside_acl_in in interface outside
|
|
|
|
!
|
|
! Rule 0 (NAT)
|
|
global (outside) 1 interface
|
|
access-list id3F8F9592.0 permit ip 10.3.14.0 255.255.255.0 any
|
|
nat (inside) 1 access-list id3F8F9592.0 0 0
|
|
global (dmz50) 1 interface
|
|
!
|
|
!
|
|
! Rule 1 (NAT)
|
|
access-list id3F8F95A0.0 permit tcp host 10.3.14.30 eq 80 any
|
|
static (inside,outside) tcp interface 80 access-list id3F8F95A0.0 0 0
|
|
|
|
|
|
|
|
!
|
|
! Epilog script:
|
|
!
|
|
|
|
! End of epilog script:
|
|
!
|