Move up the "access-list mode auto-commit" command. The command that configures the access-list commit mode should be issued before any commands that clear and configure access lists. This change also moves the commands that set up the temporary access list to the top of the script.
!
! This is automatically generated file. DO NOT MODIFY !
!
! Firewall Builder fwb_pix v4.2.0.3526
!
! Generated Thu Apr 14 12:07:20 2011 PDT by vadim
!
! Compiled for pix 8.3
! Outbound ACLs: supported
! Emulate outbound ACLs: yes
! Generating outbound ACLs: no
! Assume firewall is part of any: yes
!
!# files: * firewall81.fw
!
! test for the warning issued when translated address is used in
! policy rule
! C firewall81:Policy:1: warning: Object firewall81:FastEthernet1:ip that represents translated address in a NAT rule 0 (NAT) is used in a policy rule of ASA v8.3 firewall. Starting with v8.3, ASA requires using real IP addresses in the firewall policy rules.
! C firewall81:Policy:2: warning: Object firewall81:FastEthernet1:ip that represents translated address in a NAT rule 0 (NAT) is used in a policy rule of ASA v8.3 firewall. Starting with v8.3, ASA requires using real IP addresses in the firewall policy rules.
! C firewall81:Policy:3: warning: Object firewall81:FastEthernet1:ip that represents translated address in a NAT rule 0 (NAT) is used in a policy rule of ASA v8.3 firewall. Starting with v8.3, ASA requires using real IP addresses in the firewall policy rules.
!
! Prolog script:
!
!
! End of prolog script:
!
interface FastEthernet0
nameif inside
security-level 100
exit
interface FastEthernet1
nameif outside
security-level 0
exit
no logging buffered
no logging console
no logging timestamp
no logging on
timeout xlate 3:0:0
timeout conn 1:0:0
timeout udp 0:2:0
timeout sunrpc 0:10:0
timeout h323 0:5:0
timeout sip 0:30:0
timeout sip_media 0:0:0
timeout half-closed 0:0:0
timeout uauth 2:0:0 absolute
clear config ssh
aaa authentication ssh console LOCAL
clear config snmp-server
no snmp-server enable traps
clear config ntp
no service resetinbound
no service resetoutside
no sysopt connection timewait
no sysopt nodnsalias inbound
no sysopt nodnsalias outbound
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
service-policy global_policy global
policy-map type inspect ip-options ip-options-map
parameters
eool action allow
router-alert action clear
!################
clear xlate
clear config nat
clear config access-list
clear config icmp
clear config telnet
clear config object
object service http.0
service tcp destination eq 80
exit
object network hostA:eth0.0
host 192.168.1.10
exit
!
! Rule 0 (global)
! matching "any" icmp and "all" tcp
! in one service-group
!
access-list inside_acl_in deny icmp any object hostA:eth0.0
access-list outside_acl_in deny icmp any object hostA:eth0.0
access-list inside_acl_in deny tcp any object hostA:eth0.0
access-list outside_acl_in deny tcp any object hostA:eth0.0
!
! Rule 1 (FastEthernet1)
! test rule using translated address in dst
! firewall81:Policy:1: warning: Object firewall81:FastEthernet1:ip that represents translated address in a NAT rule 0 (NAT) is used in a policy rule of ASA v8.3 firewall. Starting with v8.3, ASA requires using real IP addresses in the firewall policy rules.
access-list outside_acl_in permit tcp any host 22.22.22.22 eq 80
!
! Rule 2 (global)
! test rule using translated address in dst
! firewall81:Policy:2: warning: Object firewall81:FastEthernet1:ip that represents translated address in a NAT rule 0 (NAT) is used in a policy rule of ASA v8.3 firewall. Starting with v8.3, ASA requires using real IP addresses in the firewall policy rules.
access-list outside_acl_in permit tcp any host 22.22.22.22 eq 80
!
! Rule 3 (global)
! test rule using translated address in dst
! firewall81:Policy:3: warning: Object firewall81:FastEthernet1:ip that represents translated address in a NAT rule 0 (NAT) is used in a policy rule of ASA v8.3 firewall. Starting with v8.3, ASA requires using real IP addresses in the firewall policy rules.
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 outside
!
! Rule 4 (global)
! for #1942
! using custom service
access-list inside_acl_in deny tcp any object hostA:eth0.0 neq 8080
access-list outside_acl_in deny tcp any object hostA:eth0.0 neq 8080
!
! Rule 5 (global)
! for #1942
! using custom service
access-list inside_acl_in deny tcp any object hostA:eth0.0 neq 8080
access-list outside_acl_in deny tcp any object hostA:eth0.0 neq 8080
access-list inside_acl_in deny tcp any object hostA:eth0.0 eq 3128
access-list outside_acl_in deny tcp any object hostA:eth0.0 eq 3128
!
! Rule 6 (global)
access-list inside_acl_in deny ip any any
access-list outside_acl_in deny ip any any
access-group inside_acl_in in interface inside
access-group outside_acl_in in interface outside
!
! Rule 0 (NAT)
nat (outside,inside) source static any any destination static interface hostA:eth0.0 service http.0 http.0 description "0 (NAT)"
!
! Epilog script:
!
! End of epilog script:
!