!
! This is automatically generated file. DO NOT MODIFY !
!
! Firewall Builder fwb_pix v5.0.1.3581
!
! Generated Wed Oct 19 16:51:04 2011 PDT by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported
! Emulate outbound ACLs: yes
! Generating outbound ACLs: no
! Assume firewall is part of any: yes
!
!# files: * firewall2.fw
!
! lots of different combinations of objects in the NAT rules
! C firewall2:Policy:1: warning: Rule with direction 'Outbound' was suppressed because generation of outbound access lists is turned off in firewall object settings
!
! Prolog script:
!
!
! End of prolog script:
!
! Interface naming and security levels: inside (100) / dmz (50) / outside (0).
nameif eth0 inside security100
nameif eth1 outside security0
nameif eth2 dmz security50
! NOTE(review): "no logging on" disables all syslog output, so the
! "log 6 interval 300" keyword on the anti-spoofing ACEs further down
! records nothing anywhere. If those denies are supposed to be visible,
! fix the logging settings in the fwbuilder firewall object, not this
! generated file.
no logging buffered
no logging console
no logging timestamp
no logging on
telnet timeout 5
! "clear ssh" drops every SSH host/network allow entry and none is re-added
! in this file, so SSH management is unreachable even though the next line
! turns on LOCAL authentication for it -- confirm that is intended.
clear ssh
aaa authentication ssh console LOCAL
ssh timeout 5
clear snmp-server
no snmp-server enable traps
! No NTP server is configured after this clear; the device clock is then
! unsynchronised, which matters if logging is ever re-enabled.
clear ntp
! Presumably: denied TCP is dropped silently (no RST) on either side, and
! the sysopt lines restore the PIX defaults -- verify against the 6.3 docs.
no service resetinbound
no service resetoutside
no sysopt connection timewait
no sysopt nodnsalias inbound
no sysopt nodnsalias outbound
! NOTE(review): Flood Defender is switched off here; confirm this is a
! deliberate choice for this policy rather than an fwbuilder default.
floodguard disable
!################
! Everything below is rebuilt from scratch: existing translations, statics,
! global pools, NAT, access lists, ICMP rules, telnet hosts and object groups
! are cleared first, so this file is the complete ruleset for the device.
clear xlate
clear static
clear global
clear nat
clear access-list
clear icmp
clear telnet
clear object-group
! Service group used by Policy rule 2: TCP/80 and TCP/119.
object-group service id3D6EF08C.srv.tcp.0 tcp
port-object eq 80
port-object eq 119
exit
! Host group used by Policy rules 3 and 4: the two 192.168.1.x hosts that may
! exchange traffic with 200.200.200.200 (192.168.1.0/24 is the inside network,
! see "nat (inside) 0" below).
object-group network id3D8FCCDE.src.net.0
network-object host 192.168.1.10
network-object host 192.168.1.20
exit
!
! Rule 0 (eth1)
! Anti-spoofing rule
! Drops packets arriving on outside whose source claims to be the firewall
! itself (192.168.1.1, 22.22.22.22 and 192.168.2.1 look like the three
! interface addresses -- confirm) or the inside network 192.168.1.0/24.
! NOTE(review): the "log" keyword is inert while "no logging on" is set above.
access-list outside_acl_in deny ip host 192.168.1.1 any log 6 interval 300
access-list outside_acl_in deny ip host 22.22.22.22 any log 6 interval 300
access-list outside_acl_in deny ip host 192.168.2.1 any log 6 interval 300
access-list outside_acl_in deny ip 192.168.1.0 255.255.255.0 any log 6 interval 300
!
! Rule 1 (eth1)
! Anti-spoofing rule
! firewall2:Policy:1: warning: Rule with direction 'Outbound' was suppressed because generation of outbound access lists is turned off in firewall object settings
! NOTE(review): this ACE is bound to the *inside* interface and denies every
! packet sourced from 192.168.1.0/24 -- the inside network itself. PIX ACLs
! are first-match top-down, so the Rule 3 permit for 192.168.1.10/.20 later
! in inside_acl_in can never match, and no inside host can send anything
! through this interface. This looks like an outbound rule on eth1 emulated
! as an inbound ACE on the other interface (see the warning); if that is
! not the intent, fix the rule's interface/direction in the policy. Left as
! emitted because this is generated test output.
access-list inside_acl_in deny ip 192.168.1.0 255.255.255.0 any log 6 interval 300
!
! Rule 2 (global)
! TCP 80/119 to 192.168.1.10 is permitted on every interface; on outside the
! same ports are also permitted to 22.22.22.22, the address the interface
! statics below publish 192.168.1.10 on (assuming it is the outside
! interface address -- confirm).
! NOTE(review): on PIX 6.3 an inbound ACL is matched against the
! pre-translation (global) destination, so the outside ACE naming the
! private 192.168.1.10 only matches if that address is reachable
! untranslated from outside.
access-list inside_acl_in permit tcp any host 192.168.1.10 object-group id3D6EF08C.srv.tcp.0
access-list outside_acl_in permit tcp any host 22.22.22.22 eq 80
access-list outside_acl_in permit tcp any host 22.22.22.22 eq 119
access-list outside_acl_in permit tcp any host 192.168.1.10 object-group id3D6EF08C.srv.tcp.0
access-list dmz_acl_in permit tcp any host 192.168.1.10 object-group id3D6EF08C.srv.tcp.0
!
! Rule 3 (global)
! Group hosts -> 200.200.200.200 from inside (shadowed by the Rule 1 deny
! above, see note there).
access-list inside_acl_in permit ip object-group id3D8FCCDE.src.net.0 host 200.200.200.200
!
! Rule 4 (global)
! 200.200.200.200 -> group hosts from outside (any protocol).
access-list outside_acl_in permit ip host 200.200.200.200 object-group id3D8FCCDE.src.net.0
!
! Rule 6 (global)
! Explicit deny-all at the end of each list (Policy rule 5 emitted nothing --
! presumably disabled or empty), then the lists are bound inbound on their
! interfaces. Note that no ACE anywhere permits TCP/6667, so the 6667
! statics in the NAT section below are unreachable from outside.
access-list inside_acl_in deny ip any any
access-list outside_acl_in deny ip any any
access-list dmz_acl_in deny ip any any
access-group dmz_acl_in in interface dmz
access-group inside_acl_in in interface inside
access-group outside_acl_in in interface outside
!
! NAT section. Per the firewall comment this is a test fixture exercising
! "lots of different combinations of objects in the NAT rules", so the
! overlaps and duplicates flagged below may be deliberate fixture content;
! on a real device several of them would be rejected or silently shadowed.
!
! Rule 0 (NAT)
! NAT exemption: inside -> dmz network (192.168.2.0/24, see "nat (dmz) 1"
! below) passes untranslated.
access-list nat0.inside permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list nat0.inside
!
! Rule 1 (NAT)
! Identity static inside -> dmz for the whole inside network: dmz hosts see
! real inside addresses.
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
!
! Rule 2 (NAT)
! NOTE(review): access-list id3AFB66C8.0 (built up by NAT rules 2-4) is
! never referenced by any "nat" or "static" command in this file, so rules
! 2-4 contribute nothing except the global PAT pools on this line and the
! next; the per-host source selection they describe is not applied.
global (outside) 1 interface
access-list id3AFB66C8.0 permit ip 192.168.1.0 255.255.255.0 any
global (dmz) 1 interface
!
!
! Rule 3 (NAT)
access-list id3AFB66C8.0 permit ip host 192.168.1.10 any
!
access-list id3AFB66C8.0 permit ip host 192.168.1.20 any
!
!
! Rule 4 (NAT)
access-list id3AFB66C8.0 permit ip host 192.168.1.11 any
!
access-list id3AFB66C8.0 permit ip 192.168.1.12 255.255.255.252 any
!
!
! Rule 5 (NAT)
! dmz network is dynamically translated (pool id 1) towards lower-security
! interfaces; "0 0" = no connection/embryonic limits.
access-list id3D1C2292.0 permit ip 192.168.2.0 255.255.255.0 any
nat (dmz) 1 access-list id3D1C2292.0 0 0
!
! Rule 6 (NAT)
!
!
! Rule 7 (NAT)
! Duplicate of the "global (outside) 1 interface" emitted by rule 2.
global (outside) 1 interface
!
!
! Rule 8 (NAT)
!
!
! Rule 9 (NAT)
!
!
!
! Rule 10 (NAT)
! NOTE(review): a /24 global pool that includes 22.22.22.22 -- if that is the
! outside interface address (as the anti-spoofing ACEs suggest) the pool
! overlaps it and the interface-PAT statics below; confirm the intended
! global range.
global (outside) 1 22.22.22.0 netmask 255.255.255.0
!
!
! Rule 11 (NAT)
! Range pool fully contained in the rule 10 /24 pool above.
global (outside) 1 22.22.22.21-22.22.22.25 netmask 255.255.255.0
!
!
!
! Rule 12 (NAT)
! Duplicate "global (dmz) 1 interface" (see rule 2); access-list
! id3D1C1104.0 is never attached to a nat/static command, so this rule has
! no effect.
global (dmz) 1 interface
access-list id3D1C1104.0 permit ip host 192.168.1.10 192.168.2.0 255.255.255.0
!
! Rule 13 (NAT)
! Policy NAT inside -> dmz network via pool 1. This is the same traffic the
! rule 0 exemption covers; nat 0 is evaluated first on PIX, so this is
! presumably shadowed -- verify.
access-list id3D1C1D30.0 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 1 access-list id3D1C1D30.0 0 0
!
! Rule 14 (NAT)
!
!
! Rule 16 (NAT)
! Policy static: 192.168.1.10 published on the outside interface address for
! any destination. Rule 21 below emits an identical static under another
! ACL name; the second is presumably rejected as a duplicate.
access-list id3D1BFFA4.0 permit ip host 192.168.1.10 any
static (inside,outside) interface access-list id3D1BFFA4.0 0 0
!
! Rule 17 (NAT)
! Port forward outside:6667 -> 192.168.1.10:6667. No ACE in outside_acl_in
! permits 6667, so this is not reachable.
access-list id3D1C0835.0 permit tcp host 192.168.1.10 eq 6667 any
static (inside,outside) tcp interface 6667 access-list id3D1C0835.0 0 0
!
! Rule 18 (NAT)
! NOTE(review): second static for the same global port (interface:6667),
! this time to 192.168.1.1 -- which the anti-spoofing ACEs suggest is the
! firewall's own inside address. Conflicts with rule 17 and a static for an
! interface address is not valid; confirm which host 6667 was meant for.
access-list id16986X27842.0 permit tcp host 192.168.1.1 eq 6667 any
static (inside,outside) tcp interface 6667 access-list id16986X27842.0 0 0
!
! Rule 19 (NAT)
! Rule 19 only adds an ACE; rule 20 adds the same ACE again (duplicate
! entry in id414351C7.0) and the static that uses it.
access-list id414351C7.0 permit tcp host 192.168.1.10 eq 80 any
!
! Rule 20 (NAT)
! Port forward outside:80 -> 192.168.1.10:80; matches the Rule 2 permit to
! 22.22.22.22:80. Rules 27, 29 and 30 below claim the same global port.
access-list id414351C7.0 permit tcp host 192.168.1.10 eq 80 any
static (inside,outside) tcp interface 80 access-list id414351C7.0 0 0
!
! Rule 21 (NAT)
! Duplicate of rule 16 (same host, same global address, different ACL name).
access-list id3AFB69BD.0 permit ip host 192.168.1.10 any
static (inside,outside) interface access-list id3AFB69BD.0 0 0
!
! Rule 22 (NAT)
! Net-to-net policy static 192.168.1.0/24 -> 22.22.22.0/24. NOTE(review):
! this maps 192.168.1.22 onto 22.22.22.22 and overlaps every interface
! static above; on a real device one of these will not install.
access-list id3D1BFFCE.0 permit ip 192.168.1.0 255.255.255.0 any
static (inside,outside) 22.22.22.0 access-list id3D1BFFCE.0 0 0
!
! Rule 24 (NAT)
! 192.168.1.10 appears to dmz as the dmz interface address; overlaps the
! rule 1 identity static for the same host.
access-list id3D1BFFF6.0 permit ip host 192.168.1.10 192.168.2.0 255.255.255.0
static (inside,dmz) interface access-list id3D1BFFF6.0 0 0
!
! Rule 25 (NAT)
! Port forward outside:119 -> 192.168.1.10:119; matches the Rule 2 permit to
! 22.22.22.22:119.
access-list id3BEEF6D2.0 permit tcp host 192.168.1.10 eq 119 any
static (inside,outside) tcp interface 119 access-list id3BEEF6D2.0 0 0
!
! Rule 27 (NAT)
! outside:80 -> 192.168.1.10:3128 (port redirect). Same global port as rule
! 20 and rules 29/30; rule 30's ACL also carries a duplicate ACE from rule 28.
access-list id3B7313C4.0 permit tcp host 192.168.1.10 eq 3128 any
static (inside,outside) tcp interface 80 access-list id3B7313C4.0 0 0
!
! Rule 28 (NAT)
access-list id47B6CF3421818.0 permit tcp host 192.168.1.10 eq 3128 any
!
! Rule 29 (NAT)
access-list id36573X14603.0 permit tcp host 192.168.1.10 eq 3128 any
static (inside,outside) tcp interface 80 access-list id36573X14603.0 0 0
!
! Rule 30 (NAT)
access-list id47B6CF3421818.0 permit tcp host 192.168.1.10 eq 3128 any
static (inside,outside) tcp interface 80 access-list id47B6CF3421818.0 0 0
!
! Epilog script:
!
! End of epilog script:
!