09-12-2013 07:31 AM - edited 03-11-2019 07:37 PM
Hi,
As most of you know, firewall configurations can grow to be large and complex, making them hard to understand and difficult to change.
I have one firewall configuration running 8.4 which I want to clean up using Network and Service Objects and Object-Groups. This ASA (8.4) has over 30 Web Server VMs deployed behind it, each with the same basic configuration: one-to-one outside to inside IP address and port mapping (x.x.x.x:ftp to y.y.y.y:ftp, etc.) using the following well-known ports: FTP, 80, 443, 3389.
Examples from my existing configuration:
object network Y.Y.Y.Y_FTP
 host y.y.y.66
 nat (inside,outside) static X.X.X.66 service tcp ftp ftp
object network Y.Y.Y.Y_WWW
 host y.y.y.66
 nat (inside,outside) static X.X.X.66 service tcp http http
object network Y.Y.Y.Y_HTTPS
 host y.y.y.66
 nat (inside,outside) static X.X.X.66 service tcp 443 443
object network Y.Y.Y.Y_RDP
 host y.y.y.66
 nat (inside,outside) static X.X.X.66 service tcp 3389 3389
access-list outside_in extended permit tcp any host y.y.y.66 eq ftp
access-list outside_in extended permit tcp any host y.y.y.66 eq www
access-list outside_in extended permit tcp any host y.y.y.66 eq 3389
access-list outside_in extended permit tcp any host y.y.y.66 eq 443
The above entries for each port have to be done each time a new VM is deployed behind this firewall.
Below are my proposed ACE and object-group service entries to clean up the configuration.
object-group service WWW_FTP
 description HTTP FTP Access
 service-object tcp destination eq ftp
 service-object tcp destination eq ftp-data
 service-object tcp destination eq www
object-group service WWW_FTP_RDP
 description WWW FTP RDP Access
 service-object tcp destination eq ftp
 service-object tcp destination eq ftp-data
 service-object tcp destination eq www
 service-object tcp destination eq 3389
object-group service WWW_FTP_RDP_SSH
 description WWW FTP RDP SSH Access
 service-object tcp destination eq ftp
 service-object tcp destination eq ftp-data
 service-object tcp destination eq www
 service-object tcp destination eq 443
 service-object tcp destination eq 3389
object-group service RDP_SSH
 description RDP SSH Access
 service-object tcp destination eq 443
 service-object tcp destination eq 3389
object-group service RDP_SSH_FTP
 description RDP SSH FTP Access
 service-object tcp destination eq 443
 service-object tcp destination eq 3389
 service-object tcp destination eq ftp
 service-object tcp destination eq ftp-data
object-group service RDP_FTP
 description RDP FTP Access
 service-object tcp destination eq 3389
 service-object tcp destination eq ftp
 service-object tcp destination eq ftp-data
access-list outside_in extended permit object-group WWW_FTP_RDP any host Y.Y.Y.Y
access-list outside_in extended permit object-group WWW_FTP_RDP_SSH any host Y.Y.Y.Y
access-list outside_in extended permit object-group WWW_FTP any host Y.Y.Y.Y
access-list outside_in extended permit object-group RDP_FTP any host Y.Y.Y.Y
access-list outside_in extended permit object-group RDP_SSH_FTP any host Y.Y.Y.Y
access-list outside_in extended permit object-group RDP_SSH any host Y.Y.Y.Y
The challenge lies in how to consolidate object network entries below into something more condensed like the object-group service entries.
object network Y.Y.Y.Y_FTP
 host y.y.y.66
 nat (inside,outside) static X.X.X.66 service tcp ftp ftp
object network Y.Y.Y.Y_WWW
 host y.y.y.66
 nat (inside,outside) static X.X.X.66 service tcp http http
object network Y.Y.Y.Y_HTTPS
 host y.y.y.66
 nat (inside,outside) static X.X.X.66 service tcp 443 443
object network Y.Y.Y.Y_RDP
 host y.y.y.66
 nat (inside,outside) static X.X.X.66 service tcp 3389 3389
Any help is greatly appreciated!
09-12-2013 07:40 AM
Hi,
I am afraid that the only part of the configuration you can really modify and make more condensed is the ACL configurations using the different "object-group" configurations.
Naturally you can also create an "object-group" for all the servers that need the same ports opened to again minimize the actual configurations lines in the CLI configuration.
However,
When it comes to the NAT configurations there is sadly no way to minimize the amount of configurations needed if you are using Static PAT (Port Forward) for the servers. There is no way at the moment to group ports for "nat" configurations.
My question to you is, do you have less public IP addresses at your disposal compared to the amount of different servers in your network behind the ASA?
If you have a dedicated public IP address for each server in the network then I would suggest using Static NAT instead of Static PAT. This is pretty much the only way that the NAT configuration amount could be minimized.
- Jouni
09-12-2013 07:59 AM
Where I work, we have plenty of IPv4 addresses available but do not want to open any more ports than we have to. If we change our mind, static NAT entries would look like:
object network Y.Y.Y.Y_66
 host y.y.y.66
 nat (inside,outside) static X.X.X.66
object network Y.Y.Y.Y_67
 host y.y.y.67
 nat (inside,outside) static X.X.X.67
Correct?
Thanks for your quick reply!
d
09-12-2013 08:13 AM
Hi,
Yes, essentially each server would only have a single Static NAT configuration and the required ACL statement to open the services needed.
Basic format is
object network
host
nat (source-int,destination-int) static
In our customer environments if the customer has enough public IP addresses we use Static NAT always for this.
ACL should be used to control what traffic/service/port is allowed. I wouldn't use Static PAT as a means to control what connections are allowed. I would rather keep the NAT simple and use the ACL for the purpose which it was created for.
- Jouni
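The two replies above describe the approach without showing it end to end, so here is the consolidated configuration they imply, as an added example that is not from the original thread or from either poster: one Static NAT per server, service object-groups for each exposure profile, network object-groups for the servers sharing a profile, and the outside_in ACL as the only place ports are opened. The addresses are the thread's placeholders, and the object and group names (SRV_66, WEB_FTP, SRV_WEB_FTP and so on) are assumptions chosen for this example.

```cisco
! Added example, not from the original thread. Object and group names are assumptions.
! Addresses follow the placeholders used in the thread (y.y.y.x inside, X.X.X.x outside).

! --- one network object per server: 1:1 Static NAT, no per-port mapping ---
object network SRV_66
 host y.y.y.66
 nat (inside,outside) static X.X.X.66
object network SRV_67
 host y.y.y.67
 nat (inside,outside) static X.X.X.67
object network SRV_68
 host y.y.y.68
 nat (inside,outside) static X.X.X.68

! --- service groups: one per exposure profile, named by what they actually contain ---
object-group service WEB_FTP
 description HTTP HTTPS FTP
 service-object tcp destination eq ftp
 service-object tcp destination eq www
 service-object tcp destination eq https
object-group service WEB_FTP_RDP
 description HTTP HTTPS FTP RDP
 service-object tcp destination eq ftp
 service-object tcp destination eq www
 service-object tcp destination eq https
 service-object tcp destination eq 3389

! --- network groups: the servers that share an exposure profile ---
object-group network SRV_WEB_FTP
 network-object object SRV_66
 network-object object SRV_67
object-group network SRV_WEB_FTP_RDP
 network-object object SRV_68

! --- inbound ACL; on 8.3+ it matches the real (inside) addresses, not the mapped ones ---
access-list outside_in extended permit object-group WEB_FTP any object-group SRV_WEB_FTP
access-list outside_in extended permit object-group WEB_FTP_RDP any object-group SRV_WEB_FTP_RDP
access-group outside_in in interface outside

! --- FTP data channel (port 20) is opened dynamically by FTP inspection, which is on by default ---
policy-map global_policy
 class inspection_default
  inspect ftp
```

With this layout, deploying a new VM is one `object network` block with its static NAT plus one `network-object object` line in the group for its profile; no new ACL entries are needed. The point raised in the thread about not opening more ports than necessary still holds: a 1:1 Static NAT makes every port of the server translatable, but any inbound connection to a port that no `outside_in` entry permits is dropped by the ACL's implicit deny. You can confirm that from the CLI before trusting it, for example `packet-tracer input outside tcp 198.51.100.1 12345 X.X.X.66 22` should end in a drop by the access-list, while the same trace to port 443 should be allowed, and `show nat detail` and `show access-list outside_in` show the hit counts for the translations and the object-group entries once traffic flows.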