mirror of
https://github.com/fwbuilder/fwbuilder
synced 2026-03-20 10:17:16 +01:00
60d0c4e308
import of "ssh", "telnet" and "icmp" PIX/ASA commands. These commands are imported as regular rules in the main Policy ruleset.
241 lines
9.9 KiB
Plaintext
Executable File
241 lines
9.9 KiB
Plaintext
Executable File
: Saved
|
|
:
|
|
PIX Version 6.3(5)
|
|
interface ethernet0 auto
|
|
interface ethernet1 100baseTX
|
|
nameif ethernet0 outside security0
|
|
nameif ethernet1 inside security100
|
|
enable password XXXXXXXXXXXXXXXX encrypted
|
|
passwd YYYYYYYYYYYYYYYY encrypted
|
|
hostname guardian
|
|
domain-name some-domain.org
|
|
clock timezone PDT -7
|
|
clock summer-time PDT recurring
|
|
fixup protocol ctiqbe 2748
|
|
fixup protocol dns maximum-length 65535
|
|
fixup protocol ftp 21
|
|
fixup protocol h323 h225 1720
|
|
fixup protocol h323 ras 1718-1719
|
|
fixup protocol http 80
|
|
fixup protocol icmp error
|
|
fixup protocol ils 389
|
|
fixup protocol mgcp 2427
|
|
fixup protocol mgcp 2727
|
|
fixup protocol pptp 1723
|
|
fixup protocol rsh 514
|
|
fixup protocol rtsp 554
|
|
fixup protocol sip 5060
|
|
fixup protocol sip udp 5060
|
|
fixup protocol skinny 2000
|
|
no fixup protocol smtp 25
|
|
fixup protocol sqlnet 1521
|
|
fixup protocol tftp 69
|
|
names
|
|
object-group icmp-type inside.id12349X2458.srv.icmp.0
|
|
icmp-object time-exceeded
|
|
icmp-object echo-reply
|
|
icmp-object unreachable
|
|
object-group icmp-type outside.id12363X2458.srv.icmp.0
|
|
icmp-object echo
|
|
icmp-object time-exceeded
|
|
icmp-object echo-reply
|
|
icmp-object unreachable
|
|
object-group service outside.id12376X2458.srv.udp.0 udp
|
|
port-object eq bootpc
|
|
port-object eq bootps
|
|
object-group service outside.id12438X2458.srv.tcp.0 tcp
|
|
port-object eq ssh
|
|
port-object eq www
|
|
object-group service outside.id12466X2458.srv.tcp.0 tcp
|
|
port-object eq 8765
|
|
port-object eq ssh
|
|
access-list outside_acl_in remark 0 (ethernet0)
|
|
access-list outside_acl_in deny ip host 10.1.1.202 any log 5
|
|
access-list outside_acl_in deny ip 10.1.1.0 255.255.255.0 any log 5
|
|
access-list outside_acl_in remark 3 (global)
|
|
access-list outside_acl_in permit icmp any interface outside echo
|
|
! access-list outside_acl_in permit icmp any interface outside object-group outside.id12363X2458.srv.icmp.0
|
|
access-list outside_acl_in remark 4 (global)
|
|
access-list outside_acl_in remark fw uses DHCP
|
|
access-list outside_acl_in remark plus many DHCP requests
|
|
access-list outside_acl_in remark from cable modem
|
|
! access-list outside_acl_in permit udp any interface outside object-group outside.id12376X2458.srv.udp.0
|
|
! access-list outside_acl_in permit udp any host 255.255.255.255 object-group outside.id12376X2458.srv.udp.0
|
|
access-list outside_acl_in remark 6 (global)
|
|
access-list outside_acl_in deny tcp any interface outside eq ident
|
|
access-list outside_acl_in remark 7 (global)
|
|
access-list outside_acl_in permit tcp any host 10.1.1.10 eq smtp
|
|
access-list outside_acl_in remark 10 (global)
|
|
access-list outside_acl_in remark using swatch to automatically
|
|
access-list outside_acl_in remark block probing ssh connections, so no
|
|
access-list outside_acl_in remark need to limit
|
|
access-list outside_acl_in permit tcp any interface outside eq ssh
|
|
access-list outside_acl_in permit tcp any interface outside eq www
|
|
! access-list outside_acl_in permit tcp any host 10.1.1.43 object-group outside.id12438X2458.srv.tcp.0
|
|
access-list outside_acl_in remark 11 (global)
|
|
access-list outside_acl_in permit tcp any interface outside eq 8765
|
|
access-list outside_acl_in permit tcp any interface outside eq 2222
|
|
! access-list outside_acl_in permit tcp any host 10.1.1.46 object-group outside.id12466X2458.srv.tcp.0
|
|
access-list outside_acl_in remark 17 (global)
|
|
access-list outside_acl_in permit icmp any interface outside
|
|
access-list outside_acl_in permit icmp any any
|
|
access-list outside_acl_in remark 19 (global)
|
|
access-list outside_acl_in remark 'catch all' rule
|
|
access-list outside_acl_in deny ip any any log 5
|
|
access-list inside_acl_in remark 1 (global)
|
|
access-list inside_acl_in permit tcp 10.1.1.0 255.255.255.0 host 10.1.1.202 eq www
|
|
access-list inside_acl_in permit udp 10.1.1.0 255.255.255.0 host 10.1.1.202 eq snmp
|
|
! access-list inside_acl_in remark 2 (global)
|
|
! access-list inside_acl_in permit icmp host 10.1.1.202 host 10.1.1.202 object-group inside.id12349X2458.srv.icmp.0
|
|
! access-list inside_acl_in permit icmp host 10.1.1.202 any object-group inside.id12349X2458.srv.icmp.0
|
|
! access-list inside_acl_in remark 3 (global)
|
|
! access-list inside_acl_in permit icmp any host 10.1.1.202 object-group outside.id12363X2458.srv.icmp.0
|
|
access-list inside_acl_in remark 5 (global)
|
|
access-list inside_acl_in permit ip host 10.1.1.202 any
|
|
access-list inside_acl_in remark 6 (global)
|
|
access-list inside_acl_in deny tcp any host 10.1.1.202 eq ident
|
|
access-list inside_acl_in remark 7 (global)
|
|
access-list inside_acl_in permit tcp any host 10.1.1.10 eq smtp
|
|
! access-list inside_acl_in remark 10 (global)
|
|
! access-list inside_acl_in remark using swatch to automatically
|
|
! access-list inside_acl_in remark block probing ssh connections, so no
|
|
! access-list inside_acl_in remark need to limit
|
|
! access-list inside_acl_in permit tcp any host 10.1.1.43 object-group outside.id12438X2458.srv.tcp.0
|
|
! access-list inside_acl_in remark 11 (global)
|
|
! access-list inside_acl_in permit tcp any host 10.1.1.46 object-group outside.id12466X2458.srv.tcp.0
|
|
access-list inside_acl_in remark 17 (global)
|
|
access-list inside_acl_in permit icmp any host 10.1.1.202
|
|
access-list inside_acl_in permit icmp any any
|
|
access-list inside_acl_in remark 18 (global)
|
|
access-list inside_acl_in permit ip 10.1.1.0 255.255.255.0 any
|
|
access-list inside_acl_in remark 19 (global)
|
|
access-list inside_acl_in remark 'catch all' rule
|
|
access-list inside_acl_in deny ip any any log 5
|
|
access-list id12594X2458.0 permit tcp host 10.1.1.43 eq www any
|
|
access-list id12594X2458.1 permit tcp host 127.0.0.1 eq www any
|
|
access-list id12594X2458.2 permit tcp host 10.1.1.43 eq ssh any
|
|
access-list id12594X2458.3 permit tcp host 127.0.0.1 eq ssh any
|
|
access-list id12626X2458.0 permit tcp host 10.1.1.42 eq smtp any
|
|
access-list id12626X2458.1 permit tcp host 10.1.1.42 eq 993 any
|
|
access-list id12626X2458.2 permit tcp host 10.1.1.42 eq 587 any
|
|
access-list id12642X2458.0 permit tcp host 10.1.1.46 eq ssh any
|
|
access-list id12656X2458.0 permit tcp host 10.1.1.46 eq 8765 any
|
|
access-list id12670X2458.0 permit tcp host 10.1.1.32 eq 5900 any
|
|
access-list id12684X2458.0 permit tcp host 10.1.1.102 eq 5901 any
|
|
access-list id12743X2458.0 permit ip 10.1.1.0 255.255.255.0 any
|
|
|
|
access-group outside_acl_in in interface outside
|
|
access-group inside_acl_in in interface inside
|
|
|
|
no pager
|
|
logging on
|
|
logging timestamp
|
|
logging buffered informational
|
|
logging trap notifications
|
|
logging facility 16
|
|
logging queue 10
|
|
logging device-id ipaddress inside
|
|
logging host inside 10.1.1.10
|
|
logging host inside 10.1.1.40 format emblem
|
|
icmp permit any echo outside
|
|
icmp permit any 111 outside
|
|
icmp permit any time-exceeded outside
|
|
icmp permit any echo-reply outside
|
|
icmp permit any unreachable outside
|
|
icmp permit any outside
|
|
icmp permit host 10.1.1.202 time-exceeded inside
|
|
icmp permit host 10.1.1.202 echo-reply inside
|
|
icmp permit host 10.1.1.202 unreachable inside
|
|
icmp permit any echo inside
|
|
icmp permit any time-exceeded inside
|
|
icmp permit any echo-reply inside
|
|
icmp permit any unreachable inside
|
|
icmp permit any inside
|
|
icmp permit 10.1.1.0 255.255.255.0 inside
|
|
|
|
telnet 10.1.1.0 255.255.255.0 inside
|
|
telnet timeout 5
|
|
ssh 10.1.1.30 255.255.255.255 inside
|
|
ssh 10.1.1.0 255.255.255.0 inside
|
|
ssh timeout 5
|
|
|
|
mtu outside 1500
|
|
mtu inside 1500
|
|
ip address outside dhcp setroute retry 10
|
|
ip address inside 10.1.1.202 255.255.255.0
|
|
ip audit info action alarm
|
|
ip audit attack action alarm
|
|
pdm history enable
|
|
arp timeout 14400
|
|
global (outside) 1 interface
|
|
nat (inside) 1 access-list id12743X2458.0 0 0
|
|
static (inside,outside) tcp interface www access-list id12594X2458.0 0 0
|
|
static (inside,outside) tcp interface ssh access-list id12594X2458.2 0 0
|
|
static (inside,outside) tcp interface smtp access-list id12626X2458.0 0 0
|
|
static (inside,outside) tcp interface 993 access-list id12626X2458.1 0 0
|
|
static (inside,outside) tcp interface 587 access-list id12626X2458.2 0 0
|
|
static (inside,outside) tcp interface 2222 access-list id12642X2458.0 0 0
|
|
static (inside,outside) tcp interface 8765 access-list id12656X2458.0 0 0
|
|
static (inside,outside) tcp interface 5900 access-list id12670X2458.0 0 0
|
|
static (inside,outside) tcp interface 5901 access-list id12684X2458.0 0 0
|
|
|
|
! access-group outside_acl_in in interface outside
|
|
! access-group inside_acl_in in interface inside
|
|
|
|
timeout xlate 3:00:00
|
|
timeout conn 1:00:00 half-closed 0:00:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
|
|
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:00:00
|
|
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
|
|
timeout uauth 2:00:00 absolute
|
|
aaa-server TACACS+ protocol tacacs+
|
|
aaa-server TACACS+ max-failed-attempts 3
|
|
aaa-server TACACS+ deadtime 10
|
|
aaa-server RADIUS protocol radius
|
|
aaa-server RADIUS max-failed-attempts 3
|
|
aaa-server RADIUS deadtime 10
|
|
aaa-server LOCAL protocol local
|
|
aaa authentication ssh console LOCAL
|
|
aaa authentication telnet console LOCAL
|
|
aaa authorization command LOCAL
|
|
ntp server 10.1.1.10 source inside prefer
|
|
http server enable
|
|
http 10.1.1.40 255.255.255.255 inside
|
|
http 10.1.1.0 255.255.255.0 inside
|
|
snmp-server host inside 10.1.1.30
|
|
snmp-server host inside 10.1.1.41
|
|
snmp-server host inside 10.1.1.42
|
|
no snmp-server location
|
|
no snmp-server contact
|
|
snmp-server community public
|
|
no snmp-server enable traps
|
|
floodguard enable
|
|
sysopt connection permit-ipsec
|
|
service resetinbound
|
|
service resetoutside
|
|
crypto ipsec transform-set tripledes esp-3des esp-md5-hmac
|
|
crypto map real 10 ipsec-isakmp
|
|
crypto map real 10 set peer 192.168.171.2
|
|
crypto map real 10 set transform-set tripledes
|
|
! Incomplete
|
|
crypto map real interface outside
|
|
crypto map real interface inside
|
|
isakmp enable outside
|
|
isakmp key ******** address 192.168.171.2 netmask 255.255.255.255
|
|
isakmp identity address
|
|
isakmp policy 1 authentication pre-share
|
|
isakmp policy 1 encryption 3des
|
|
isakmp policy 1 hash md5
|
|
isakmp policy 1 group 2
|
|
isakmp policy 1 lifetime 86400
|
|
isakmp policy 10 authentication pre-share
|
|
isakmp policy 10 encryption 3des
|
|
isakmp policy 10 hash sha
|
|
isakmp policy 10 group 2
|
|
isakmp policy 10 lifetime 86400
|
|
console timeout 0
|
|
username foo password AAAAAAAAAAAAAAAA encrypted privilege 15
|
|
terminal width 256
|
|
Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
|
|
: end
|
|
|