mirror of
https://github.com/fwbuilder/fwbuilder
synced 2026-03-21 10:47:16 +01:00
386 lines
11 KiB
Plaintext
Executable File
386 lines
11 KiB
Plaintext
Executable File
!
|
|
! This is automatically generated file. DO NOT MODIFY !
|
|
!
|
|
! Firewall Builder fwb_pix v4.2.0.3526
|
|
!
|
|
! Generated Thu Apr 14 18:58:22 2011 PDT by vadim
|
|
!
|
|
! Compiled for pix 8.3
|
|
! Outbound ACLs: supported
|
|
! Emulate outbound ACLs: yes
|
|
! Generating outbound ACLs: no
|
|
! Assume firewall is part of any: yes
|
|
!
|
|
!# files: * firewall90.fw
|
|
!
|
|
! testing new style ASA 8.3 nat commands
|
|
! SNAT rules
|
|
|
|
! N firewall90:NAT:13: error: Option 'translate dns' can not be used in combination with destination matching or translation
|
|
! N firewall90:NAT:14: error: Option 'translate dns' can not be used in combination with service matching or translation
|
|
! N firewall90:NAT:19: warning: Objects used in Original Source and Translated Source of the rule dictate that the same interface 'outside' is going to be used as real and mapped interface in the generated nat command.
|
|
! N firewall90:NAT:24: error: CustomService objects are not supported in NAT rules
|
|
|
|
!
|
|
! Prolog script:
|
|
!
|
|
|
|
!
|
|
! End of prolog script:
|
|
!
|
|
|
|
|
|
|
|
|
|
interface FastEthernet0
|
|
nameif inside
|
|
security-level 100
|
|
exit
|
|
|
|
interface FastEthernet1
|
|
nameif outside
|
|
security-level 0
|
|
exit
|
|
|
|
|
|
no logging buffered
|
|
no logging console
|
|
no logging timestamp
|
|
no logging on
|
|
|
|
|
|
timeout xlate 3:0:0
|
|
timeout conn 1:0:0
|
|
timeout udp 0:2:0
|
|
timeout sunrpc 0:10:0
|
|
timeout h323 0:5:0
|
|
timeout sip 0:30:0
|
|
timeout sip_media 0:0:0
|
|
timeout half-closed 0:0:0
|
|
timeout uauth 2:0:0 absolute
|
|
|
|
|
|
clear config ssh
|
|
aaa authentication ssh console LOCAL
|
|
|
|
clear config snmp-server
|
|
no snmp-server enable traps
|
|
|
|
clear config ntp
|
|
|
|
|
|
no service resetinbound
|
|
no service resetoutside
|
|
no sysopt connection timewait
|
|
no sysopt nodnsalias inbound
|
|
no sysopt nodnsalias outbound
|
|
|
|
|
|
class-map inspection_default
|
|
match default-inspection-traffic
|
|
|
|
policy-map global_policy
|
|
class inspection_default
|
|
|
|
service-policy global_policy global
|
|
|
|
policy-map type inspect ip-options ip-options-map
|
|
parameters
|
|
eool action allow
|
|
router-alert action clear
|
|
|
|
|
|
!################
|
|
clear xlate
|
|
clear config nat
|
|
clear config access-list
|
|
clear config icmp
|
|
clear config telnet
|
|
clear config object-group
|
|
clear config object
|
|
|
|
|
|
object service http.0
|
|
service tcp destination eq 80
|
|
exit
|
|
|
|
object service smtp.0
|
|
service tcp destination eq 25
|
|
exit
|
|
|
|
object service smtps.0
|
|
service tcp destination eq 465
|
|
exit
|
|
|
|
object service squid.0
|
|
service tcp destination eq 3128
|
|
exit
|
|
|
|
object network spamhost1.0
|
|
host 61.150.47.112
|
|
exit
|
|
|
|
object network external_gw_1.0
|
|
host 22.22.22.254
|
|
exit
|
|
|
|
object network external_gw2.0
|
|
host 22.22.22.100
|
|
exit
|
|
|
|
object network spamhost2.0
|
|
host 61.150.47.113
|
|
exit
|
|
|
|
object network hostA:eth0.0
|
|
host 192.168.1.10
|
|
exit
|
|
|
|
object network Internal_net.0
|
|
subnet 192.168.1.0 255.255.255.0
|
|
exit
|
|
|
|
object network internal_subnet_1.0
|
|
subnet 192.168.1.0 255.255.255.192
|
|
exit
|
|
|
|
object network internal_subnet_2.0
|
|
subnet 192.168.1.64 255.255.255.192
|
|
exit
|
|
|
|
object network ext_subnet.0
|
|
subnet 22.22.22.128 255.255.255.224
|
|
exit
|
|
|
|
object network ext_subnet-192.0
|
|
subnet 22.22.22.128 255.255.255.192
|
|
exit
|
|
|
|
object network test_range_1.0
|
|
range 192.168.1.11 192.168.1.15
|
|
exit
|
|
|
|
object network outside_range.0
|
|
range 22.22.22.21 22.22.22.25
|
|
exit
|
|
|
|
object network outside_range-1.0
|
|
range 22.22.22.30 22.22.22.40
|
|
exit
|
|
|
|
object network firewall90:FastEthernet1:ip.0
|
|
host 22.22.22.22
|
|
exit
|
|
|
|
object network firewall90:FastEthernet1:ip-1.0
|
|
host 22.22.22.23
|
|
exit
|
|
|
|
object-group network id178211X29963.osrc.net.0
|
|
network-object object internal_subnet_1.0
|
|
network-object object internal_subnet_2.0
|
|
exit
|
|
|
|
object-group network id21353X4994.osrc.net.0
|
|
network-object object Internal_net.0
|
|
network-object object internal_subnet_1.0
|
|
network-object object internal_subnet_2.0
|
|
exit
|
|
|
|
object-group network id130599X29063.tsrc.net.0
|
|
network-object object outside_range.0
|
|
network-object object firewall90:FastEthernet1:ip.0
|
|
network-object object external_gw2.0
|
|
exit
|
|
|
|
object-group network id20720X27505.tsrc.net.0
|
|
network-object object outside_range.0
|
|
network-object object external_gw2.0
|
|
exit
|
|
|
|
object-group network id241772X29764.tsrc.net.0
|
|
network-object object outside_range.0
|
|
exit
|
|
|
|
object-group network id643092X27990.tsrc.net.0
|
|
network-object object ext_subnet.0
|
|
exit
|
|
|
|
object-group network id21121X3710.tsrc.net.0
|
|
network-object object outside_range-1.0
|
|
network-object object external_gw2.0
|
|
exit
|
|
|
|
object-group network id21177X3720.tsrc.net.0
|
|
network-object object ext_subnet.0
|
|
exit
|
|
|
|
object-group network id77971X5929.odst.net.0
|
|
network-object object spamhost1.0
|
|
network-object object spamhost2.0
|
|
exit
|
|
|
|
object-group network id77971X5929.tsrc.net.0
|
|
network-object object outside_range-1.0
|
|
network-object object external_gw2.0
|
|
exit
|
|
|
|
object-group network id77971X5929.tsrc.net.1
|
|
network-object object outside_range-1.0
|
|
network-object object external_gw2.0
|
|
exit
|
|
|
|
object-group network id78630X30274.src.net.0
|
|
network-object 10.1.2.0 255.255.255.0
|
|
network-object 10.1.3.0 255.255.255.0
|
|
exit
|
|
|
|
!
|
|
! Rule 0 (global)
|
|
access-list outside_acl_in deny ip object-group id78630X30274.src.net.0 any
|
|
!
|
|
! Rule 1 (global)
|
|
! for #1942
|
|
! using custom service
|
|
access-list inside_acl_in deny tcp any object hostA:eth0.0 tcp destination neq 8080
|
|
access-list outside_acl_in deny tcp any object hostA:eth0.0 tcp destination neq 8080
|
|
!
|
|
! Rule 2 (global)
|
|
! for #1942
|
|
! using custom service
|
|
access-list inside_acl_in deny tcp any object hostA:eth0.0 tcp destination neq 8080
|
|
access-list outside_acl_in deny tcp any object hostA:eth0.0 tcp destination neq 8080
|
|
access-list inside_acl_in deny tcp any object hostA:eth0.0 eq 3128
|
|
access-list outside_acl_in deny tcp any object hostA:eth0.0 eq 3128
|
|
!
|
|
! Rule 3 (global)
|
|
access-list inside_acl_in deny ip any any
|
|
access-list outside_acl_in deny ip any any
|
|
|
|
|
|
access-group inside_acl_in in interface inside
|
|
access-group outside_acl_in in interface outside
|
|
|
|
!
|
|
! Rule 0 (NAT)
|
|
nat (inside,outside) source dynamic Internal_net.0 interface service http.0 http.0 description "0 (NAT)"
|
|
!
|
|
! Rule 1 (NAT)
|
|
nat (inside,outside) source static hostA:eth0.0 firewall90:FastEthernet1:ip-1.0 destination static spamhost1.0 spamhost1.0 service smtp.0 smtp.0 description "1 (NAT)"
|
|
!
|
|
! Rule 2 (NAT)
|
|
nat (inside,outside) source static hostA:eth0.0 interface service smtp.0 smtp.0 description "2 (NAT)"
|
|
!
|
|
! Rule 3 (NAT)
|
|
nat (inside,outside) source dynamic id178211X29963.osrc.net.0 firewall90:FastEthernet1:ip-1.0 service smtp.0 smtp.0 description "3 (NAT)"
|
|
!
|
|
! Rule 4 (NAT)
|
|
! for #1928
|
|
! note that group in OSrc includes another group
|
|
nat (inside,outside) source dynamic id21353X4994.osrc.net.0 firewall90:FastEthernet1:ip-1.0 service smtp.0 smtp.0 description "4 (NAT)"
|
|
!
|
|
! Rule 5 (NAT)
|
|
nat (inside,outside) source dynamic test_range_1.0 firewall90:FastEthernet1:ip-1.0 destination static spamhost1.0 spamhost1.0 service smtp.0 smtp.0 description "5 (NAT)"
|
|
!
|
|
! Rule 6 (NAT)
|
|
nat (inside,outside) source static hostA:eth0.0 firewall90:FastEthernet1:ip-1.0 destination static spamhost1.0 external_gw_1.0 service smtp.0 smtp.0 description "6 (NAT)"
|
|
!
|
|
! Rule 7 (NAT)
|
|
! For #1907
|
|
nat (inside,outside) source dynamic hostA:eth0.0 id130599X29063.tsrc.net.0 service smtp.0 smtp.0 description "7 (NAT)"
|
|
!
|
|
! Rule 8 (NAT)
|
|
! For #1907
|
|
nat (inside,outside) source dynamic hostA:eth0.0 id20720X27505.tsrc.net.0 interface service smtp.0 smtp.0 description "8 (NAT)"
|
|
!
|
|
! Rule 9 (NAT)
|
|
! For #1907
|
|
nat (inside,outside) source dynamic hostA:eth0.0 id241772X29764.tsrc.net.0 interface service smtp.0 smtp.0 description "9 (NAT)"
|
|
!
|
|
! Rule 10 (NAT)
|
|
! For #1907
|
|
nat (inside,outside) source static hostA:eth0.0 hostA:eth0.0 service smtp.0 smtp.0 description "10 (NAT)"
|
|
!
|
|
! Rule 11 (NAT)
|
|
! For #1907
|
|
nat (inside,outside) source dynamic hostA:eth0.0 id643092X27990.tsrc.net.0 interface service smtp.0 smtp.0 description "11 (NAT)"
|
|
!
|
|
! Rule 12 (NAT)
|
|
! for #1902
|
|
nat (inside,outside) source dynamic internal_subnet_1.0 firewall90:FastEthernet1:ip-1.0 dns description "12 (NAT)"
|
|
!
|
|
! Rule 13 (NAT)
|
|
! for #1902
|
|
! can't use dns with destination matching or translation
|
|
! firewall90:NAT:13: error: Option 'translate dns' can not be used in combination with destination matching or translation
|
|
|
|
nat (inside,outside) source dynamic internal_subnet_1.0 firewall90:FastEthernet1:ip-1.0 destination static spamhost1.0 spamhost1.0 dns description "13 (NAT)"
|
|
!
|
|
! Rule 14 (NAT)
|
|
! for #1902
|
|
! cant use dns with service translation either
|
|
! firewall90:NAT:14: error: Option 'translate dns' can not be used in combination with service matching or translation
|
|
|
|
nat (inside,outside) source dynamic internal_subnet_1.0 firewall90:FastEthernet1:ip-1.0 service smtp.0 smtp.0 dns description "14 (NAT)"
|
|
!
|
|
! Rule 15 (NAT)
|
|
! for #1908
|
|
! "static" vs "dynamic"
|
|
nat (inside,outside) source static hostA:eth0.0 firewall90:FastEthernet1:ip-1.0 description "15 (NAT)"
|
|
!
|
|
! Rule 16 (NAT)
|
|
! for #1908
|
|
! "static" vs "dynamic"
|
|
nat (inside,outside) source dynamic hostA:eth0.0 outside_range.0 description "16 (NAT)"
|
|
!
|
|
! Rule 17 (NAT)
|
|
! for #1908 "static" vs "dynamic"
|
|
! for #1885 "named object" - create
|
|
! for #1907 "multiple objects in TSrc"
|
|
! network object to define address range, then add it to object-group
|
|
nat (inside,outside) source dynamic hostA:eth0.0 id21121X3710.tsrc.net.0 interface description "17 (NAT)"
|
|
!
|
|
! Rule 18 (NAT)
|
|
! for #1908, #1916 "static" vs "dynamic"
|
|
! for #1907 "multiple objects in TSrc"
|
|
nat (inside,outside) source dynamic hostA:eth0.0 id21177X3720.tsrc.net.0 interface description "18 (NAT)"
|
|
!
|
|
! Rule 19 (NAT)
|
|
! for #1908
|
|
! "static" vs "dynamic"
|
|
! firewall90:NAT:19: warning: Objects used in Original Source and Translated Source of the rule dictate that the same interface 'outside' is going to be used as real and mapped interface in the generated nat command.
|
|
|
|
nat (outside,outside) source dynamic outside_range.0 firewall90:FastEthernet1:ip-1.0 description "19 (NAT)"
|
|
!
|
|
! Rule 20 (NAT)
|
|
! for #1908
|
|
! "static" vs "dynamic"
|
|
nat (inside,outside) source dynamic internal_subnet_1.0 firewall90:FastEthernet1:ip-1.0 description "20 (NAT)"
|
|
!
|
|
! Rule 21 (NAT)
|
|
! for #1908
|
|
! "static" vs "dynamic"
|
|
nat (inside,outside) source static internal_subnet_1.0 firewall90:FastEthernet1:ip-1.0 description "21 (NAT)"
|
|
!
|
|
! Rule 22 (NAT)
|
|
nat (outside,inside) source static any any destination static interface hostA:eth0.0 service http.0 squid.0 description "22 (NAT)"
|
|
!
|
|
! Rule 23 (NAT)
|
|
! multiple objects in OSrc, ODst, OSrv and TSrc in various combinations
|
|
nat (inside,outside) source dynamic id178211X29963.osrc.net.0 id77971X5929.tsrc.net.0 interface destination static id77971X5929.odst.net.0 id77971X5929.odst.net.0 service smtp.0 smtp.0 description "23 (NAT)"
|
|
nat (inside,outside) source dynamic id178211X29963.osrc.net.0 id77971X5929.tsrc.net.1 interface destination static id77971X5929.odst.net.0 id77971X5929.odst.net.0 service smtps.0 smtps.0 description "23 (NAT)"
|
|
!
|
|
! Rule 25 (NAT)
|
|
! for #1916
|
|
! "static" vs "dynamic" when TSrc is subnet
|
|
nat (inside,outside) source static internal_subnet_1.0 ext_subnet-192.0 description "25 (NAT)"
|
|
|
|
|
|
|
|
!
|
|
! Epilog script:
|
|
!
|
|
|
|
! End of epilog script:
|
|
!
|