Using Object-Groups for Easier Maintenance of ASA Configurations

Hi

Before I get started, a huge "Thank You!" to Varun and everyone else for all your help with my previous questions. You have made life a lot easier for me.

After reading the post titled "ASA 5520 nat access-list query for internet access" I realized the object-group command could and should be used to make a more efficient and cleaner configuration. My current environment is very small and straightforward, consisting of one FTP server in the DMZ. Though the guide http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800d641d.shtml is straightforward, my inexperience hinders me from seeing how to use the commands effectively. A summary of the configuration is at the bottom of this post.

Question:

How can I clean up my current configuration? I have two references to the same server, dmz-rdp and dmz-ftp, created for port forwarding ports 3389 and ftp through the outside interface. I can combine them into one object statement, right?

object network dmz-rdp
 host 10.10.10.4
 nat (DMZ,outside) static interface service tcp 3389 3389

AND

object network dmz-ftp
 host 10.10.10.4
 nat (DMZ,outside) static interface service tcp ftp ftp

INTO

object network FTPserver
 host 10.0.0.4
 nat (DMZ,outside) static interface service tcp ftp ftp
 nat (DMZ,outside) static interface service tcp 3389 3389

Or do I have to repeat:

object network <name>
 host 10.10.10.4
 nat (DMZ,outside) static interface service PROTOCOL PORT PORT

for each port I want to forward through the outside interface?

ASA Configuration Summary:

ASA 5505 running 8.4(2)

PAT is used on the outside interface for the Inside and the DMZ interfaces.

Ports 3389 (RDP) and FTP ports are forwarded from the outside interface to the DMZ

Ports 3389 (RDP) and FTP ports are allowed in using the DMZ_access_in extended ACL.

Two objects (dmz-rdp and dmz-ftp) were created for port redirection

Vlan1: Inside: security-level 100
 ip address 192.168.0.1 255.255.255.0

Vlan2: Outside: security-level 0
 ip address YYY.XXX.144.15 255.255.254.0

Vlan3: DMZ: security-level 50
 ip address 10.10.10.1 255.255.255.0

object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network DMZ
 subnet 10.10.10.0 255.255.255.0
object network dmz-rdp
 host 10.10.10.4
object network dmz-ftp
 host 10.10.10.4
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list out_in_log extended deny ip any any log
access-list DMZ_access_in extended permit object-group TCPUDP any any eq 3389
access-list DMZ_access_in extended permit object-group TCPUDP any any eq 20
access-list DMZ_access_in extended permit object-group TCPUDP any any eq 21
access-group DMZ_access_in in interface outside

Any help is greatly appreciated.

d

1 Reply

varrao (Level 10)

Hi Doug,

Good to see you again.

I would like to answer your questions one by one, taking an example from your configuration:

object network dmz-rdp
 host 10.10.10.4
 nat (DMZ,outside) static interface service tcp 3389 3389

AND

object network dmz-ftp
 host 10.10.10.4
 nat (DMZ,outside) static interface service tcp ftp ftp

INTO

object network FTPserver
 host 10.0.0.4
 nat (DMZ,outside) static interface service tcp ftp ftp
 nat (DMZ,outside) static interface service tcp 3389 3389

The above two statements cannot be merged together. The reason is that the nat statement is a feature of a specific object, and when you specify the nat, that object gets bound to that one nat statement only. This is only in the case of Auto-NAT. If you are using Manual NAT then you can use the same object in multiple nats, something like this:

object network dmz-rdp
 host 10.10.10.4
object service tcp_3389
 service tcp destination eq 3389
object service tcp_ftp
 service tcp destination eq 21
nat (outside,DMZ) source static any any destination static interface dmz-rdp service tcp_3389 tcp_3389
nat (outside,DMZ) source static any any destination static interface dmz-rdp service tcp_ftp tcp_ftp

The above nat statements are exactly the same as in your config.

Now you might be curious where to use the object-group, here you can use it:

object-group service doug_netpro tcp-udp
 port-object eq 3389
 port-object eq 21
 port-object eq 20
access-list DMZ_access_in extended permit object-group TCPUDP any any object-group doug_netpro

So this reduces your Access-list.

How to use it in Nat:

object-group network Test
 network-object host 10.10.10.10
 network-object 192.168.1.0 255.255.255.0
nat (inside,outside) source dynamic Test interface

Here's the command ref:

http://www.cisco.com/en/US/partner/docs/security/asa/asa83/command/reference/no.html#wp1815632

Hope this has made things easier for you; do let me know if you have any questions.

Thanks,

Varun

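The two points made in the reply, that Auto-NAT ties an object to a single nat line while Manual NAT can reuse one object in several rules, and that the three ACL lines collapse onto one line with a port object-group, can be checked mechanically against the thread's own configuration lines. The script below is an added example, not code from the post and not a Cisco tool; the sample configs inside it are constructed from the thread, it assumes the server sits on the DMZ interface (so the twice-NAT rules use the (outside,DMZ) pair) and that the service object-group carries the tcp-udp keyword that port-object requires, and the names PORT_NAMES, parse_asa, auto_nat_conflicts, manual_nat_references, expand_ports and acl_permitted_ports are the example's own.

```python
"""Added example for this thread (not Cisco tooling, not code from the post).
Parses the object / object-group / nat / access-list lines the thread uses, flags
'object network' blocks with more than one auto-NAT line, counts manual-NAT rules
that reuse an object, and expands a port object-group so the question's three-line
ACL can be compared with the reply's one-line version. Configs are constructed."""
import re
from collections import defaultdict

PORT_NAMES = {"ftp": 21, "ftp-data": 20, "www": 80, "https": 443}  # subset of ASA port keywords


def port_number(tok):
    """Map an ASA port keyword or number to an int ('ftp' -> 21)."""
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]


def parse_asa(text):
    """Attach sub-mode lines to their object/object-group header; collect ACL entries and manual NAT."""
    cfg = {"objects": {}, "groups": {}, "acls": defaultdict(list), "manual_nat": []}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := re.match(r"object(-group)? (?:network|service|protocol) (\S+)", line):
            table = cfg["groups"] if m.group(1) else cfg["objects"]
            current = table.setdefault(m.group(2), [])
        elif m := re.match(r"access-list (\S+) extended (.*)", line):
            current = None
            cfg["acls"][m.group(1)].append(m.group(2).split())
        elif line.startswith("nat (") and " source " in line:  # manual (twice) NAT is top-level
            current = None
            cfg["manual_nat"].append(line)
        elif current is not None:  # host / subnet / auto-NAT / port-object sub-commands
            current.append(line)
    return cfg


def auto_nat_conflicts(cfg):
    """Objects with more than one auto-NAT line: the ASA binds an object to one auto-NAT rule."""
    return sorted(name for name, lines in cfg["objects"].items()
                  if sum(l.startswith("nat (") for l in lines) > 1)


def manual_nat_references(cfg):
    """How many manual-NAT rules mention each object (reuse is allowed in manual NAT)."""
    counts = {}
    for rule in cfg["manual_nat"]:
        for name in cfg["objects"]:
            if name in rule.split():
                counts[name] = counts.get(name, 0) + 1
    return counts


def expand_ports(cfg, spec):
    """Resolve an ACL port spec, 'eq <port>' or 'object-group <service-group>', to a set of ports."""
    if spec[0] == "eq":
        return {port_number(spec[1])}
    assert spec[0] == "object-group", spec
    return {port_number(l.split()[2]) for l in cfg["groups"][spec[1]] if l.startswith("port-object eq ")}


def acl_permitted_ports(cfg, acl_name):
    """(protocol-spec, dst-port) pairs permitted by entries like 'permit object-group TCPUDP any any eq 3389'."""
    allowed = set()
    for entry in cfg["acls"][acl_name]:
        if entry[0] != "permit":
            continue
        proto, rest = (entry[2], entry[3:]) if entry[1] == "object-group" else (entry[1], entry[2:])
        allowed.update((proto, p) for p in expand_ports(cfg, rest[2:]))  # rest = src, dst, port spec
    return allowed


BEFORE = """
object network dmz-rdp
 host 10.10.10.4
 nat (DMZ,outside) static interface service tcp 3389 3389
object network dmz-ftp
 host 10.10.10.4
 nat (DMZ,outside) static interface service tcp ftp ftp
object network FTPserver
 host 10.10.10.4
 nat (DMZ,outside) static interface service tcp ftp ftp
 nat (DMZ,outside) static interface service tcp 3389 3389
access-list DMZ_access_in extended permit object-group TCPUDP any any eq 3389
access-list DMZ_access_in extended permit object-group TCPUDP any any eq 20
access-list DMZ_access_in extended permit object-group TCPUDP any any eq 21
"""

AFTER = """
object network dmz-rdp
 host 10.10.10.4
object service tcp_3389
 service tcp destination eq 3389
object service tcp_ftp
 service tcp destination eq 21
nat (outside,DMZ) source static any any destination static interface dmz-rdp service tcp_3389 tcp_3389
nat (outside,DMZ) source static any any destination static interface dmz-rdp service tcp_ftp tcp_ftp
object-group service doug_netpro tcp-udp
 port-object eq 3389
 port-object eq 21
 port-object eq 20
access-list DMZ_access_in extended permit object-group TCPUDP any any object-group doug_netpro
"""
```

Running auto_nat_conflicts over BEFORE reports only FTPserver, the merged object from the question, while AFTER has no conflict and manual_nat_references shows dmz-rdp used by two rules; acl_permitted_ports returns the same (TCPUDP, port) set for both versions of DMZ_access_in, which is the check to run before replacing the three explicit lines in production.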