!
|
|
! This is automatically generated file. DO NOT MODIFY !
|
|
!
|
|
! Firewall Builder fwb_pix v4.2.0.3427
|
|
!
|
|
! Generated Tue Jan 11 10:25:58 2011 PST by vadim
|
|
!
|
|
! Compiled for pix 6.2
|
|
! Outbound ACLs: not supported
|
|
! Emulate outbound ACLs: yes
|
|
! Generating outbound ACLs: no
|
|
! Assume firewall is part of any: yes
|
|
!
|
|
!# files: * firewall.fw
|
|
!
|
|
! this is a simple firewall with two main interfaces (plus a dmz, see the nameif lines below). Tests regular policy rules, including the IP_fragments rule
|
|
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '1 (ethernet1)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '2 (ethernet1)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '3 (ethernet1)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '3 (ethernet1)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '3 (ethernet1)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '3 (ethernet1)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '4 (ethernet0)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '4 (ethernet0)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '4 (ethernet0)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '5 (ethernet0)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '5 (ethernet0)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '5 (ethernet0)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '5 (ethernet0)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '5 (ethernet0)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '5 (ethernet0)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '5 (ethernet0)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '5 (ethernet0)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '5 (ethernet0)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '5 (ethernet0)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '5 (ethernet0)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '5 (ethernet0)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '5 (ethernet0)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '5 (ethernet0)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '6 (ethernet0)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '8 (global)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '8 (global)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '8 (global)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '9 (global)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '9 (global)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '9 (global)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '9 (global)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '9 (global)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '9 (global)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '9 (global)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '9 (global)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '10 (global)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '10 (global)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '10 (global)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '12 (global)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '12 (global)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '12 (global)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '12 (global)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '13 (global)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '14 (global)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '15 (global)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '15 (global)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '15 (global)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '15 (global)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '15 (global)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '15 (global)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '16 (global)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '16 (global)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '16 (global)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '16 (global)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '16 (global)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '16 (global)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '16 (global)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '16 (global)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '16 (global)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '16 (global)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '16 (global)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '16 (global)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '16 (global)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '16 (global)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '16 (global)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '16 (global)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '16 (global)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '16 (global)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '16 (global)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '16 (global)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '16 (global)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '16 (global)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '16 (global)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '16 (global)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '16 (global)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '16 (global)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '16 (global)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '16 (global)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '16 (global)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '16 (global)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '16 (global)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '16 (global)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '16 (global)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '16 (global)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '16 (global)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '16 (global)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '16 (global)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '16 (global)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '16 (global)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '16 (global)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '17 (global)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '17 (global)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '17 (global)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '17 (global)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '17 (global)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '17 (global)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '17 (global)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '17 (global)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '18 (global)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '18 (global)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '18 (global)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '18 (global)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '18 (global)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '18 (global)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '18 (global)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '18 (global)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '18 (global)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '18 (global)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '18 (global)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '18 (global)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '18 (global)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '18 (global)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '18 (global)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '18 (global)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '18 (global)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '18 (global)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '18 (global)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '18 (global)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '18 (global)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '18 (global)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '18 (global)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '18 (global)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '18 (global)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '18 (global)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '18 (global)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '18 (global)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '18 (global)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '18 (global)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '18 (global)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '18 (global)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '18 (global)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '18 (global)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '18 (global)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '18 (global)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '18 (global)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '19 (global)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '19 (global)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '19 (global)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '19 (global)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '19 (global)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '19 (global)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '20 (global)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '23 (global)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '23 (global)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '23 (global)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '23 (global)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '23 (global)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '23 (global)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '23 (global)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '23 (global)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '23 (global)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '24 (global)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '24 (global)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '24 (global)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '24 (global)' below it
|
|
! C firewall:Policy:0: error: Rule '0 (global)' shadows rule '25 (global)' below it
|
|
! C firewall:Policy:13: warning: MAC address matching is not supported. One or several MAC addresses removed from source in the rule
|
|
|
|
! N firewall:NAT:6: warning: Original destination is ignored in 'nat' NAT rules when compiling for PIX v6.2 and earlier.
|
|
|
|
! R firewall:Routing:3: error: Interface and gateway rule elements can not be empty in the PIX routing rule
|
|
! R firewall:Routing:4: error: Interface and gateway rule elements can not be empty in the PIX routing rule
|
|
! R firewall:Routing:5: error: Interface and gateway rule elements can not be empty in the PIX routing rule
|
|
! R firewall:Routing:7: error: MultiPath routing not supported by platform
|
|
! R firewall:Routing:8: warning: Two of the sub rules created from the gui routing rules 7 (main) and 8 (main) are identical, skipping the second. Revise them to avoid this warning
|
|
|
|
!
|
|
! Prolog script:
|
|
!
|
|
|
|
!
|
|
! End of prolog script:
|
|
!
|
|
|
|
|
|
|
|
|
|
!
! Host identity and interface trust levels (PIX 6.2 "nameif" syntax).
! On PIX the security level sets the default policy between interfaces:
! higher-to-lower traffic is allowed unless an inbound ACL denies it, the
! reverse needs both a permit and a translation.
hostname firewall
! ethernet1 = outside, lowest trust (level 0).
nameif ethernet1 outside security0
! ethernet0 = inside, highest trust (level 100).
nameif ethernet0 inside security100
! ethernet2 = dmz, intermediate (level 50). The test header speaks of
! "two interfaces" but three are actually configured here.
nameif ethernet2 dmz security50
|
|
|
|
|
|
|
|
!
! Syslog export to a collector on the inside network.
logging host inside 192.168.1.30
logging queue 512
! facility 16 = local0
logging facility 16
! NOTE(review): "logging trap 1" forwards only severity 0-1 (emergencies,
! alerts) to the syslog host. On PIX, ACL permit/deny events and connection
! build/teardown messages are emitted at severity 4-6, so the deny rules in
! this policy leave no off-box audit trail; with buffered and console logging
! also disabled below, they leave no on-box trail either. Raise the trap
! level (e.g. "logging trap 4" or higher) if ACL hits are meant to be reviewed.
logging trap 1
no logging buffered
no logging console
! NOTE(review): no device timestamp on syslog records - event ordering during
! an incident reconstruction then depends solely on the collector's clock.
no logging timestamp
logging on
|
|
|
|
|
|
!
! Idle timers for translation slots and stateful sessions (h:m:s).
! An idle translation slot lives 3h, an idle TCP connection 1h.
timeout xlate 3:0:0
timeout conn 1:0:0
timeout udp 0:2:0
timeout rpc 0:10:0
timeout h323 0:5:0
timeout sip 0:30:0
timeout sip_media 0:0:0
timeout half-closed 0:0:0
! Cut-through-proxy (uauth) credentials are cached for 2h from first
! authentication regardless of activity ("absolute").
timeout uauth 2:0:0 absolute
|
|
|
|
!
! Remote management. No "telnet <addr> <mask> <if>" lines are emitted anywhere
! in this output (and "clear telnet" below removes any existing ones), so
! telnet is effectively disabled; SSH is the only remote CLI path, restricted
! by the "ssh ... inside" lines in the rule section to 192.168.1.0/24.
telnet timeout 5
clear ssh
! SSH logins are authenticated against the LOCAL user database.
! NOTE(review): this generated file contains no "username ... password"
! lines, so the local database has to be provisioned out of band before the
! config is loaded - verify that, otherwise SSH management may be locked out
! once the new "ssh" lines take effect.
aaa authentication ssh console LOCAL
ssh timeout 5
|
|
|
|
!
! SNMP agent. On PIX 6.x the agent is community-authenticated (v1/v2c): the
! community string is the only credential and crosses the wire in cleartext.
clear snmp-server
! NOTE(review): "public" is the universal default community string. Per PIX
! semantics the agent should only answer the poll host listed below, which
! limits the exposure, but any host able to spoof or reach it from that
! address can walk the device MIB (interfaces, addresses, connection
! counters). Replace with a random string before deploying outside a test.
snmp-server community public
snmp-server enable traps
! 192.168.1.20 may poll (read); 192.168.1.22 receives traps.
snmp-server host inside 192.168.1.20 poll
snmp-server host inside 192.168.1.22 trap
|
|
|
|
!
! Time source: unauthenticated NTP from an inside host (no "ntp authenticate"
! / "ntp trusted-key" lines are emitted). Acceptable on a trusted segment;
! note that syslog correlation depends on this clock.
clear ntp
ntp server 192.168.1.20 source inside prefer
|
|
|
|
|
|
!
! Stateful-engine tuning.
! Denied inbound / outside-originated TCP is silently dropped rather than
! answered with RST: less information for scanners, at the cost of slower
! failure for legitimate clients.
no service resetinbound
no service resetoutside
! Clamp the MSS of traversing SYNs to avoid PMTU black holes (tunnels, PPPoE).
sysopt connection tcpmss 1380
sysopt connection timewait
! Enables the PIX fragment sanity checks. The test header mentions an
! IP_fragments policy rule and no ACL line for fragments is emitted, so this
! global option is presumably what that rule compiles to on this platform.
sysopt security fragguard
sysopt nodnsalias inbound
sysopt nodnsalias outbound
no sysopt route dnat
! NOTE(review): per the PIX 6.x documentation FloodGuard reclaims embryonic
! connection / uauth resources while under SYN flood; disabling it leaves
! that protection off. Confirm this is intentional for the test case.
floodguard disable
|
|
|
|
|
|
!
! Application inspection engines ("fixups"). Each one parses its protocol to
! open dynamic pinholes / fix embedded addresses under NAT; every engine is
! also parser attack surface, so only protocols actually carried should stay
! enabled (e.g. rsh, ils and sqlnet are rarely needed at a perimeter).
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
|
|
|
|
|
|
!################
!
! Interim "safety" ACL: bound to outside and inside for the duration of the
! policy reload so that management from 192.168.1.0/24 keeps working while
! the real ACLs below are cleared and rebuilt.
clear access-list tmp_acl
access-list tmp_acl permit ip 192.168.1.0 255.255.255.0 any
access-list tmp_acl deny ip any any
! NOTE(review): the same ACL is also bound inbound on the *outside* interface,
! where a 192.168.1.0/24 source address can only be a spoof (that network sits
! on inside). For the length of the reload window a forged packet carrying
! an inside source address is permitted there - reachable only where a
! static/xlate exists, but a deny-all interim ACL on outside would close it.
! The dmz interface gets no interim ACL at all and relies on the
! security-level default until dmz_acl_in is re-applied.
access-group tmp_acl in interface outside
access-group tmp_acl in interface inside
|
|
|
|
!
! Flush the previous policy before rebuilding it. The interface ACLs stay
! bound while they are re-populated (tmp_acl covers the window above).
clear access-list dmz_acl_in
clear access-list inside_acl_in
clear access-list outside_acl_in
clear object-group
! "clear icmp" removes all per-interface "icmp permit/deny" lines; per PIX
! semantics an interface with no icmp lines accepts all ICMP addressed to it,
! until the "icmp permit any 3 <if>" lines in Rules 2 and 10 below restrict
! it again to type 3 only.
clear icmp
clear telnet
|
|
|
|
! Two external hosts; destination of Rule 5 and source of Rule 12 below.
object-group network inside.id3C4E4C38.dst.net.0
network-object host 211.11.11.11
network-object host 211.22.22.22
exit
|
|
|
|
|
|
! TCP services for Rule 5: ident, http, smtp, ssh, uucp, https, imap.
object-group service inside.id3C4E4C38.srv.tcp.0 tcp
port-object eq 113
port-object eq 80
port-object eq 25
port-object eq 22
port-object eq 540
port-object eq 443
port-object eq 143
exit
|
|
|
|
|
|
! ICMP types for Rule 8: 11 time-exceeded, 0 echo-reply, 3 unreachable
! (the replies/errors a host needs for traceroute and PMTU discovery).
object-group icmp-type outside.id3D8FCE32.srv.icmp.0
icmp-object 11
icmp-object 0
icmp-object 3
exit
|
|
|
|
|
|
! TCP services for Rule 9: squid 3128, gopher 70, irc 6667 and telnet 23.
! NOTE(review): telnet (cleartext credentials) is permitted from "any" to
! 192.168.1.10 by Rule 9 - fine for a fixture, not for a deployment.
object-group service outside.pol-firewall2-2.srv.tcp.0 tcp
port-object eq 3128
port-object eq 70
port-object eq 6667
port-object eq 23
exit
|
|
|
|
|
|
! UDP services for Rule 9: snmp 161 and dns 53 (towards 192.168.1.10).
object-group service outside.pol-firewall2-2.srv.udp.0 udp
port-object eq 161
port-object eq 53
exit
|
|
|
|
|
|
! Destinations of Rule 12 (the two inside servers also used as syslog/NTP/SNMP
! hosts above).
object-group network outside.pol-firewall2-3.dst.net.0
network-object host 192.168.1.10
network-object host 192.168.1.20
exit
|
|
|
|
|
|
! 192.168.1.250/31 + 192.168.1.252/30 = .250-.255; note that .255 is the
! subnet broadcast address, which Rule 6 separately denies as a destination.
object-group network inside.id3E155E82.dst.net.0
network-object 192.168.1.250 255.255.255.254
network-object 192.168.1.252 255.255.255.252
exit
|
|
|
|
|
|
! Same .250-.255 range as the group above, generated a second time under the
! outside-scoped name for Rule 14 (the compiler does not merge identical groups).
object-group network outside.id3D0F8031.dst.net.0
network-object 192.168.1.250 255.255.255.254
network-object 192.168.1.252 255.255.255.252
exit
|
|
|
|
|
|
! Five inside hosts .11-.15, destination of Rule 16.
object-group network outside.id3CD87B1E.dst.net.0
network-object host 192.168.1.11
network-object host 192.168.1.12
network-object host 192.168.1.13
network-object host 192.168.1.14
network-object host 192.168.1.15
exit
|
|
|
|
|
|
! TCP services for Rules 16 and 17: the same seven ports as
! inside.id3C4E4C38.srv.tcp.0 plus squid 3128.
object-group service outside.id3CD87B1E.srv.tcp.0 tcp
port-object eq 113
port-object eq 80
port-object eq 25
port-object eq 22
port-object eq 540
port-object eq 443
port-object eq 143
port-object eq 3128
exit
|
|
|
|
|
|
! .11/32 + .12/30 = the same .11-.15 hosts as outside.id3CD87B1E.dst.net.0,
! expressed as network objects (destination of Rule 17).
object-group network outside.id3CD8770E.dst.net.0
network-object 192.168.1.11 255.255.255.255
network-object 192.168.1.12 255.255.255.252
exit
|
|
|
|
|
|
! Large TCP service list used by Rule 18 (from "any" on all three interfaces
! to the whole 192.168.1.0/24).
! NOTE(review): the list includes cleartext / legacy services - telnet 23,
! rexec/rlogin/rsh 512-514, portmapper 111, NFS 2049, LDAP 389, MySQL 3306,
! PostgreSQL 5432, socks 1080, X font server 7100 - so Rule 18 is a wide
! exposure of the inside network if this policy were deployed as-is.
! "eq 6667" appears twice (the compiler does not de-duplicate); harmless.
object-group service outside.pol-firewall2-4.srv.tcp.0 tcp
port-object eq 3128
port-object range 10000 11000
port-object eq 6667
port-object eq 113
port-object eq 53
port-object eq 21
port-object eq 80
port-object eq 119
port-object eq 25
port-object eq 22
port-object eq 23
port-object eq 540
port-object eq 70
port-object eq 13
port-object eq 2105
port-object eq 443
port-object eq 143
port-object eq 993
port-object eq 6667
port-object eq 543
port-object eq 544
port-object eq 389
port-object eq 98
port-object eq 3306
port-object eq 2049
port-object eq 110
port-object eq 5432
port-object eq 515
port-object eq 26000
port-object eq 512
port-object eq 513
port-object eq 514
port-object eq 4321
port-object eq 465
port-object eq 1080
port-object eq 111
port-object eq 7100
exit
|
|
|
|
!
|
|
! Rule -1 backup ssh access rule (automatic)
! Safety net inserted by the compiler: the admin host 192.168.1.100 keeps SSH
! access on inside even if the policy below is broken.
ssh 192.168.1.100 255.255.255.255 inside
|
|
!
|
|
! Rule 0 (global)
! NOTE(review): an explicit deny-all as the FIRST line of every interface ACL.
! PIX ACLs are first-match, so every permit that follows is unreachable - the
! long run of "Rule '0 (global)' shadows rule ..." errors in the header traces
! to these three lines. If this config were loaded as-is the box would be
! deny-all; in this fixture it appears to be there to exercise the compiler's
! shadowing detector.
access-list outside_acl_in deny ip any any
access-list inside_acl_in deny ip any any
access-list dmz_acl_in deny ip any any
|
|
!
|
|
! Rule 2 (ethernet1)
! The next line is the rule comment as entered in the GUI, in Russian
! ("comment in Russian"); kept verbatim since this fixture presumably checks
! that non-ASCII rule comments pass through the compiler intact.
! комментарий по-русски
! ICMP addressed to the outside interface itself is limited to type 3
! (unreachable); per PIX semantics all other types are implicitly dropped.
icmp permit any 3 outside
! Through-traffic: type 3 to 22.22.22.22 (presumably the outside address,
! see Rule 15) and, more broadly, type 3 to any destination.
access-list outside_acl_in permit icmp any host 22.22.22.22 3
access-list outside_acl_in permit icmp any any 3
|
|
!
|
|
! Rule 3 (ethernet1)
! anti-spoofing rule
! Permits only the inside network as a source on inside; other sources fall
! through to the final deny (Rule 25).
! NOTE(review): because this is "permit ip ... any" and ACLs are first-match,
! every later inside_acl_in line is unreachable for 192.168.1.0/24 sources -
! including the directed-broadcast deny in Rule 6. An anti-spoof rule is
! normally written as a deny of foreign sources, not a permit-all of local ones.
access-list inside_acl_in permit ip 192.168.1.0 255.255.255.0 any
|
|
!
|
|
! Rule 4 (ethernet0)
! SSH to the firewall allowed from the whole inside network.
ssh 192.168.1.0 255.255.255.0 inside
|
|
!
|
|
! Rule 5 (ethernet0)
! Outbound from inside (and dmz) to the two 211.x hosts on the seven-port
! TCP list. The inside_acl_in line is emitted twice - a redundancy in the
! compiler output, harmless on the device.
access-list inside_acl_in permit tcp any object-group inside.id3C4E4C38.dst.net.0 object-group inside.id3C4E4C38.srv.tcp.0
access-list inside_acl_in permit tcp any object-group inside.id3C4E4C38.dst.net.0 object-group inside.id3C4E4C38.srv.tcp.0
access-list dmz_acl_in permit tcp any object-group inside.id3C4E4C38.dst.net.0 object-group inside.id3C4E4C38.srv.tcp.0
|
|
!
|
|
! Rule 6 (ethernet0)
! Blocks traffic to the inside subnet broadcast address (smurf-style
! amplification). Shadowed for inside sources by Rule 3's permit-all above.
access-list inside_acl_in deny ip any host 192.168.1.255
|
|
!
|
|
! Rule 8 (global)
! ICMP types 11/0/3 to 192.168.1.10 from every interface. On outside this can
! only match if a translation for 192.168.1.10 exists (only tcp/25 is static'd
! below), so the outside line is largely inert.
access-list outside_acl_in permit icmp any host 192.168.1.10 object-group outside.id3D8FCE32.srv.icmp.0
access-list inside_acl_in permit icmp any host 192.168.1.10 object-group outside.id3D8FCE32.srv.icmp.0
access-list dmz_acl_in permit icmp any host 192.168.1.10 object-group outside.id3D8FCE32.srv.icmp.0
|
|
!
|
|
! Rule 9 (global)
! Multi-service rule to 192.168.1.10: all ICMP (making Rule 8 redundant),
! TCP 3128/70/6667/23, UDP 161/53 and GRE (protocol 47), from any source on
! all three interfaces.
access-list outside_acl_in permit icmp any host 192.168.1.10
access-list inside_acl_in permit icmp any host 192.168.1.10
access-list dmz_acl_in permit icmp any host 192.168.1.10
access-list outside_acl_in permit tcp any host 192.168.1.10 object-group outside.pol-firewall2-2.srv.tcp.0
access-list inside_acl_in permit tcp any host 192.168.1.10 object-group outside.pol-firewall2-2.srv.tcp.0
access-list dmz_acl_in permit tcp any host 192.168.1.10 object-group outside.pol-firewall2-2.srv.tcp.0
access-list outside_acl_in permit udp any host 192.168.1.10 object-group outside.pol-firewall2-2.srv.udp.0
access-list inside_acl_in permit udp any host 192.168.1.10 object-group outside.pol-firewall2-2.srv.udp.0
access-list dmz_acl_in permit udp any host 192.168.1.10 object-group outside.pol-firewall2-2.srv.udp.0
! GRE has no ports and no state to inspect; PIX treats it like any other IP
! protocol here.
access-list outside_acl_in permit 47 any host 192.168.1.10
access-list inside_acl_in permit 47 any host 192.168.1.10
access-list dmz_acl_in permit 47 any host 192.168.1.10
|
|
!
|
|
! Rule 10 (global)
! ICMP unreachable to each interface's own address and to any destination.
! The "icmp permit any 3 <if>" lines govern ICMP terminated on the firewall,
! the access-list lines govern ICMP passing through it.
access-list outside_acl_in permit icmp any host 22.22.22.22 3
icmp permit any 3 inside
access-list inside_acl_in permit icmp any host 192.168.1.1 3
icmp permit any 3 dmz
access-list dmz_acl_in permit icmp any host 192.168.2.1 3
access-list outside_acl_in permit icmp any any 3
access-list inside_acl_in permit icmp any any 3
access-list dmz_acl_in permit icmp any any 3
! NOTE(review): GRE (47) and ESP (50) are permitted from any source to any
! destination on all interfaces, including inbound on outside. Neither
! protocol is inspected statefully on PIX 6.2; this is the kind of "any any"
! line that should be narrowed to the tunnel peers in a real policy.
access-list outside_acl_in permit 47 any any
access-list inside_acl_in permit 47 any any
access-list dmz_acl_in permit 47 any any
access-list outside_acl_in permit 50 any any
access-list inside_acl_in permit 50 any any
access-list dmz_acl_in permit 50 any any
|
|
!
|
|
! Rule 12 (global)
! Full IP (all protocols) from the two 211.x hosts to 192.168.1.10/.20, on
! outside only. Broad for an inbound rule; needs a matching static to bite.
access-list outside_acl_in permit ip object-group inside.id3C4E4C38.dst.net.0 object-group outside.pol-firewall2-3.dst.net.0
|
|
!
|
|
! Rule 13 (global)
! firewall:Policy:13: warning: MAC address matching is not supported. One or several MAC addresses removed from source in the rule
! NOTE(review): the GUI rule bound the source to a MAC address as well as an
! IP; PIX cannot express that, so the compiled line matches on IP alone and
! is weaker than the author's intent (any host that spoofs 192.168.1.10
! matches). The warning above is the only trace of this relaxation.
access-list inside_acl_in permit tcp host 192.168.1.10 object-group inside.id3E155E82.dst.net.0 eq 3128
|
|
!
|
|
! Rule 14 (global)
! Squid (tcp/3128) to 192.168.1.250-.255 from any source on every interface.
access-list outside_acl_in permit tcp any object-group outside.id3D0F8031.dst.net.0 eq 3128
access-list inside_acl_in permit tcp any object-group outside.id3D0F8031.dst.net.0 eq 3128
access-list dmz_acl_in permit tcp any object-group outside.id3D0F8031.dst.net.0 eq 3128
|
|
!
|
|
! Rule 15 (global)
! ICMP type 3 and tcp/80 to each interface's own address (22.22.22.22 /
! 192.168.1.1 / 192.168.2.1, one host per ACL, i.e. the firewall itself).
! NOTE(review): tcp/80 to the outside interface from "any" would expose the
! PIX's own HTTP (PDM) service to the internet if "http server enable" were
! configured; no such line is emitted in this file, so it is inert here.
access-list outside_acl_in permit icmp any host 22.22.22.22 3
access-list inside_acl_in permit icmp any host 192.168.1.1 3
access-list dmz_acl_in permit icmp any host 192.168.2.1 3
access-list outside_acl_in permit tcp any host 22.22.22.22 eq 80
access-list inside_acl_in permit tcp any host 192.168.1.1 eq 80
access-list dmz_acl_in permit tcp any host 192.168.2.1 eq 80
|
|
!
|
|
! Rule 16 (global)
! Eight-port TCP list to hosts 192.168.1.11-.15 from any source.
access-list outside_acl_in permit tcp any object-group outside.id3CD87B1E.dst.net.0 object-group outside.id3CD87B1E.srv.tcp.0
access-list inside_acl_in permit tcp any object-group outside.id3CD87B1E.dst.net.0 object-group outside.id3CD87B1E.srv.tcp.0
access-list dmz_acl_in permit tcp any object-group outside.id3CD87B1E.dst.net.0 object-group outside.id3CD87B1E.srv.tcp.0
|
|
!
|
|
! Rule 17 (global)
! Same services and same .11-.15 hosts as Rule 16, expressed through the
! network-object group; fully redundant with Rule 16.
access-list outside_acl_in permit tcp any object-group outside.id3CD8770E.dst.net.0 object-group outside.id3CD87B1E.srv.tcp.0
access-list inside_acl_in permit tcp any object-group outside.id3CD8770E.dst.net.0 object-group outside.id3CD87B1E.srv.tcp.0
access-list dmz_acl_in permit tcp any object-group outside.id3CD8770E.dst.net.0 object-group outside.id3CD87B1E.srv.tcp.0
|
|
!
|
|
! Rule 18 (global)
! NOTE(review): the ~40-port TCP list (telnet, r-services, NFS, databases,
! see the object-group) from any source on all three interfaces to the whole
! inside network. Combined with the identity static (inside,dmz) in NAT Rule
! 10, this gives the dmz near-full TCP reach into inside. Acceptable as a
! compiler test, not as a deployable policy.
access-list outside_acl_in permit tcp any 192.168.1.0 255.255.255.0 object-group outside.pol-firewall2-4.srv.tcp.0
access-list inside_acl_in permit tcp any 192.168.1.0 255.255.255.0 object-group outside.pol-firewall2-4.srv.tcp.0
access-list dmz_acl_in permit tcp any 192.168.1.0 255.255.255.0 object-group outside.pol-firewall2-4.srv.tcp.0
|
|
!
|
|
! Rule 19 (global)
! objects hostA and hostB are
! redundant and should be removed by
! removeRedundantAddressesFromDst
! (i.e. the GUI rule listed two hosts that are already inside 192.168.1.0/24;
! the compiler is expected to collapse them into the network, which is what
! the lines below show.)
! tcp/1494 (Citrix ICA) and udp/4000 to the inside network from any source.
access-list outside_acl_in permit tcp any 192.168.1.0 255.255.255.0 eq 1494
access-list inside_acl_in permit tcp any 192.168.1.0 255.255.255.0 eq 1494
access-list dmz_acl_in permit tcp any 192.168.1.0 255.255.255.0 eq 1494
access-list outside_acl_in permit udp any 192.168.1.0 255.255.255.0 eq 4000
access-list inside_acl_in permit udp any 192.168.1.0 255.255.255.0 eq 4000
access-list dmz_acl_in permit udp any 192.168.1.0 255.255.255.0 eq 4000
|
|
!
|
|
! Rule 20 (global)
! http to 192.168.1.10 with the additional condition "source port > 1024".
! A source-port match adds no security (the client chooses it); it only
! rejects clients that bind a low source port.
access-list outside_acl_in permit tcp any gt 1024 host 192.168.1.10 eq 80
access-list inside_acl_in permit tcp any gt 1024 host 192.168.1.10 eq 80
access-list dmz_acl_in permit tcp any gt 1024 host 192.168.1.10 eq 80
|
|
!
|
|
! Rule 23 (global)
! "firewall -> firewall": each interface address as both source and
! destination. Emulation of a self-referencing GUI rule.
! NOTE(review): on an inbound interface ACL a packet whose source is the
! interface's own address can only be a spoof; the outside line in particular
! permits traffic claiming to come from 22.22.22.22. Harmless as long as the
! destination is also the firewall, but see Rule 24.
access-list outside_acl_in permit ip host 22.22.22.22 host 22.22.22.22
access-list inside_acl_in permit ip host 192.168.1.1 host 192.168.1.1
access-list dmz_acl_in permit ip host 192.168.2.1 host 192.168.2.1
|
|
!
|
|
! Rule 24 (global)
! "firewall -> any", emulated with the "Assume firewall is part of any"
! setting from the header: each interface address is permitted as a source
! to any destination, plus the inside network as a whole.
! NOTE(review): on the outside interface this admits packets with source
! 22.22.22.22 (the firewall's own outside address) towards anything that has
! an xlate - a spoofed source the firewall itself will never legitimately
! receive. Outbound-ACL emulation on an inbound ACL should not permit the
! interface's own address as a source; a deny of it would be the safe form.
access-list outside_acl_in permit ip host 22.22.22.22 any
access-list inside_acl_in permit ip host 192.168.1.1 any
access-list dmz_acl_in permit ip host 192.168.2.1 any
access-list inside_acl_in permit ip 192.168.1.0 255.255.255.0 any
|
|
!
|
|
! Rule 25 (global)
! Explicit final deny on every interface. Mirrors the implicit deny, but an
! explicit line can be logged (only if "logging trap" is raised, see above).
access-list outside_acl_in deny ip any any
access-list inside_acl_in deny ip any any
access-list dmz_acl_in deny ip any any
|
|
|
|
|
|
!
! Bind the rebuilt ACLs inbound on their interfaces; this also replaces the
! interim tmp_acl binding on outside and inside.
access-group dmz_acl_in in interface dmz
access-group inside_acl_in in interface inside
access-group outside_acl_in in interface outside
|
|
|
|
!
! Reset the translation configuration before rebuilding it.
! NOTE(review): "clear xlate" tears down every active translation, i.e. all
! established sessions through the box are dropped at load time. Expected
! for a full reload; schedule accordingly in a change window.
clear xlate
clear static
clear global
clear nat
|
|
!
|
|
! Rule 0 (NAT)
! Inside network is PAT'd to the outside interface address (and to the dmz
! interface address when heading into the dmz), NAT id 1.
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
global (dmz) 1 interface
|
|
!
|
|
!
|
|
! Rule 1 (NAT)
! Any dmz source joins NAT id 1 (PAT to the lower-security interface address).
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
|
|
!
|
|
! Rule 2 (NAT)
! Any inside source joins NAT id 1; supersets the 192.168.1.0/24 line of
! Rule 0, so traffic from non-local sources on inside is translated too.
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
|
|
!
|
|
!
|
|
! Rule 3 (NAT)
! Additional global pool for id 1 on outside (a whole /24). With several
! "global (outside) 1" lines PIX consumes pool addresses before falling back
! to interface PAT - check that this matches the intended egress address.
global (outside) 1 22.22.22.0 netmask 255.255.255.0
|
|
!
|
|
!
|
|
! Rule 4 (NAT)
! A second, narrower pool (.21-.25) for the same NAT id and interface.
global (outside) 1 22.22.22.21-22.22.22.25 netmask 255.255.255.0
|
|
!
|
|
!
|
|
! Rule 5 (NAT)
! Port forward: tcp/25 on the outside interface address -> 192.168.1.10:25.
! This is the only outside->inside static, hence the only inbound service
! reachable from the internet (the outside_acl_in permit for tcp/25 comes
! from Rule 18, modulo the shadowing deny in Rule 0).
static (inside,outside) tcp interface 25 192.168.1.10 25 0 0
|
|
!
|
|
! Rule 6 (NAT)
! firewall:NAT:6: warning: Original destination is ignored in 'nat' NAT rules when compiling for PIX v6.2 and earlier.
! "Outside NAT" (the trailing "outside" keyword): dmz sources are PAT'd to the
! inside interface address when they enter inside, NAT id 8.
! NOTE(review): the GUI rule restricted this by original destination; PIX 6.2
! cannot express that, so the compiled rule applies to ALL dmz->inside
! traffic, broader than the author intended.
global (inside) 8 interface
nat (dmz) 8 192.168.2.0 255.255.255.0 outside
|
|
!
|
|
! Rule 7 (NAT)
! NAT exemption ("nat 0 access-list"): inside -> dmz traffic keeps its real
! addresses. Exemption rules are evaluated before the nat/global pairs.
clear access-list nat0.inside
access-list nat0.inside permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list nat0.inside
|
|
!
|
|
! Rule 8 (NAT)
! Five more exemption entries for hosts .11-.15 -> dmz. Fully covered by the
! /24 entry of Rule 7 already, so these are redundant.
access-list nat0.inside permit ip host 192.168.1.11 192.168.2.0 255.255.255.0
access-list nat0.inside permit ip host 192.168.1.12 192.168.2.0 255.255.255.0
access-list nat0.inside permit ip host 192.168.1.13 192.168.2.0 255.255.255.0
access-list nat0.inside permit ip host 192.168.1.14 192.168.2.0 255.255.255.0
access-list nat0.inside permit ip host 192.168.1.15 192.168.2.0 255.255.255.0
|
|
!
|
|
! Rule 9 (NAT)
! Identity NAT for every dmz source ("nat 0" without an access-list).
! NOTE(review): this overlaps with "nat (dmz) 1 0.0.0.0 0.0.0.0" in Rule 1.
! On PIX identity nat 0 is matched before the nat/global pairs, so dmz hosts
! would leave via outside with their private 192.168.2.x addresses untranslated;
! verify the precedence on the target release before relying on the PAT.
nat (dmz) 0 0 0
|
|
!
|
|
! Rule 10 (NAT)
! Identity static: the whole inside network is visible from the dmz under its
! real addresses. This is what lets the dmz_acl_in permits (Rule 18 etc.)
! actually reach inside hosts.
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
|
|
!
|
|
! Rule 11 (NAT)
! Host-level identity static for 192.168.1.10, already covered by the /24
! static above; redundant but harmless.
static (inside,dmz) 192.168.1.10 192.168.1.10 netmask 255.255.255.255
|
|
|
|
!
|
|
! Rule 0 (main)
!
! "Routing rule 0 (main)"
!
!
!
! Default route via the outside next hop.
route outside 0.0.0.0 0.0.0.0 22.22.22.254 1
|
|
!
|
|
! Rule 1 (main)
!
! "Routing rule 1 (main)"
!
!
!
! Internal network behind an inside router.
route inside 10.3.14.0 255.255.255.0 192.168.1.254 1
|
|
!
|
|
! Rule 2 (main)
!
! "Routing rule 2 (main)"
!
!
!
route inside 10.1.2.0 255.255.255.0 192.168.1.254 1
|
|
!
|
|
! Rule 3 (main)
!
! "Routing rule 3 (main)"
!
# firewall:Routing:3: error: Interface and gateway rule elements can not be empty in the PIX routing rule
!
!
! NOTE(review): the GUI rule had no interface, so the compiler emitted a
! "route" line without the interface name. PIX requires it; the device will
! reject this line and 10.1.3.0/24 will be unrouted (it follows the default
! route out the outside interface instead). Also note the error marker above
! uses "#" while every other comment in this file uses "!" - whether the PIX
! parser tolerates a "#" line should be checked; if not, the paste aborts here.
route 10.1.3.0 255.255.255.0 192.168.1.254 1
|
|
!
|
|
! Rule 4 (main)
!
! "Routing rule 4 (main)"
!
# firewall:Routing:4: error: Interface and gateway rule elements can not be empty in the PIX routing rule
!
!
! NOTE(review): gateway missing - the trailing "1" is the metric, not a next
! hop. Rejected by the PIX parser; 10.1.4.0/24 ends up unrouted (see Rule 3).
route inside 10.1.4.0 255.255.255.0 1
|
|
!
|
|
! Rule 5 (main)
!
! "Routing rule 5 (main)"
!
# firewall:Routing:5: error: Interface and gateway rule elements can not be empty in the PIX routing rule
!
!
! NOTE(review): both interface and gateway missing; same outcome as Rules 3
! and 4. These three are the fixture's negative test cases for the routing
! compiler and must not be pasted into a live device.
route 10.1.5.0 255.255.255.0 1
|
|
!
|
|
! Rule 6 (main)
!
! "Routing rule 6 (main)"
!
!
!
! Static route to an external network via a second outside next hop.
! (Routing rule 7 below produced no output: the header reports it as
! multipath, which this platform does not support, so its destination is
! silently left to the default route.)
route outside 33.33.33.0 255.255.255.0 22.22.22.100 1
|
|
!
|
|
! Rule 7 (main)
|
|
!
|
|
! "Routing rule 7 (main)"
|
|
!
|
|
|
|
!
|
|
! Epilog script:
|
|
!
|
|
|
|
! End of epilog script:
|
|
!
|