Grouping ACL’s into Objects on ISR ZBFW?

TheGoob
Level 4

So, I currently have an ‘ip access-list extended OUTSIDE-TO-INSIDE’, so if I am correct and there can only be one OUT-TO-IN list, I assume I’ll have to add these to that.

Would this be correct?

 

ip access-list extended OUTSIDE-TO-INSIDE
   70 permit tcp any host 192.168.5.55 eq 80
   71 permit tcp any host 192.168.5.55 eq 443
   72 permit tcp any host 192.168.5.55 eq 3478
   73 permit tcp any host 192.168.5.55 eq 3479
   74 permit tcp any host 192.168.5.55 eq 3480
   75 permit udp any host 192.168.5.55 eq 3478
   77 permit udp any host 192.168.5.55 eq 3479

Is there a way to consolidate this? As in, something like an object ‘PS5-Access’ that has those ports under it?

 

Also, I would need to create a NAT entry for each of those ports, WAN to LAN (192.168.5.55), so traffic knows where to go.

Third, I can’t change which ports (443 and 80) the PS5 uses, as they’re embedded, and the same goes for the servers; but since I can only have one port 80 and one port 443 on a network, how does this get resolved?


liviu.gheorghe
Spotlight

Hello @TheGoob,

You could use object groups to consolidate your ACLs. For the ACL provided in your post, the configuration using object groups would be:

object-group network PS5
 host 192.168.5.55
!
! port ranges taken from the ACL above: tcp 3478-3480, udp 3478-3479
object-group service PS5-service
 tcp eq 443
 tcp range 3478 3480
 tcp eq www
 udp range 3478 3479
!
ip access-list extended OUTSIDE-TO-INSIDE
 10 permit object-group PS5-service any object-group PS5

For the NAT part, I would leave the config as it is - from what I recall there are some static NAT entries and some inside source NAT with standard access lists.

The PS5 has the 443 and 80 TCP ports open and is identified by its IP address. The pairing between the port number and IP address makes this unique on your network from the point of view of NAT. Another device can have the same ports open and still be unique on the network because it has another IP address. Please elaborate on this if I didn't get the idea.

Regards, LG
*** Please Rate All Helpful Responses ***
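The consolidation above can be done mechanically: parse the single-port ACEs, collapse consecutive ports into `range` entries, and emit the object-group blocks plus one ACE that references them. The script below is an added example and is not Cisco code or code from this thread; it assumes the ACE shape used in the original post (`[seq] permit <tcp|udp> any host <ip> eq <port>`) and uses the poster's ACL as constructed input.

```python
import re
from collections import defaultdict

# Matches one extended ACE of the form used in the thread:
#   [seq] permit <tcp|udp> any host <ip> eq <port-or-name>
ACE_RE = re.compile(
    r"^\s*(?:\d+\s+)?permit\s+(tcp|udp)\s+any\s+host\s+"
    r"(\d{1,3}(?:\.\d{1,3}){3})\s+eq\s+(\S+)\s*$"
)

# A few well-known names IOS accepts after 'eq'; numeric ports are used as-is.
NAMED_PORTS = {"www": 80, "https": 443, "smtp": 25, "imap": 143, "domain": 53}

# Constructed input: the ACL lines posted above (sequence numbers included).
SAMPLE_ACL = """\
ip access-list extended OUTSIDE-TO-INSIDE
   70 permit tcp any host 192.168.5.55 eq 80
   71 permit tcp any host 192.168.5.55 eq 443
   72 permit tcp any host 192.168.5.55 eq 3478
   73 permit tcp any host 192.168.5.55 eq 3479
   74 permit tcp any host 192.168.5.55 eq 3480
   75 permit udp any host 192.168.5.55 eq 3478
   77 permit udp any host 192.168.5.55 eq 3479
"""


def parse_aces(text):
    """Return ({host: {proto: set_of_ports}}, leftover_lines).
    Lines that are not single-port 'permit ... any host ... eq' entries are
    not consolidated and are returned for manual review."""
    hosts = defaultdict(lambda: defaultdict(set))
    leftover = []
    for line in text.splitlines():
        stripped = line.strip()
        m = ACE_RE.match(line)
        if not m:
            if stripped and not stripped.startswith("ip access-list"):
                leftover.append(stripped)
            continue
        proto, host, port = m.groups()
        port_num = NAMED_PORTS[port] if port in NAMED_PORTS else int(port)
        hosts[host][proto].add(port_num)
    return hosts, leftover


def to_ranges(ports):
    """Collapse a set of port numbers into (low, high) runs of consecutive values."""
    runs = []
    for p in sorted(ports):
        if runs and p == runs[-1][1] + 1:
            runs[-1] = (runs[-1][0], p)
        else:
            runs.append((p, p))
    return runs


def build_object_group_config(hosts, acl_name, base_name="PS5"):
    """Emit object-group network/service blocks and one ACE per host.
    Group names are <base_name> for a single host, <base_name>-<n> otherwise."""
    lines, aces = [], []
    for n, host in enumerate(sorted(hosts), start=1):
        name = base_name if len(hosts) == 1 else f"{base_name}-{n}"
        lines += [f"object-group network {name}", f" host {host}", "!"]
        lines.append(f"object-group service {name}-service")
        for proto in sorted(hosts[host]):
            for lo, hi in to_ranges(hosts[host][proto]):
                lines.append(f" {proto} eq {lo}" if lo == hi else f" {proto} range {lo} {hi}")
        lines.append("!")
        aces.append(f" {n * 10} permit object-group {name}-service any object-group {name}")
    lines.append(f"ip access-list extended {acl_name}")
    lines += aces
    return "\n".join(lines)


def consolidate(text, acl_name="OUTSIDE-TO-INSIDE"):
    """Full pipeline: ACL text in, object-group config and un-consolidated lines out."""
    hosts, leftover = parse_aces(text)
    return build_object_group_config(hosts, acl_name), leftover


if __name__ == "__main__":
    config, leftover = consolidate(SAMPLE_ACL)
    print(config)
    for entry in leftover:
        print("! not consolidated, review by hand: " + entry)
```

Two things to check before pasting the output into a router: the generated ACE uses sequence number 10, which may already exist in the live OUTSIDE-TO-INSIDE list, so pick a free sequence number; and after applying, compare `show object-group` and `show ip access-lists OUTSIDE-TO-INSIDE` against the seven original lines to confirm nothing beyond those hosts and ports is now permitted.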

Oh wow, I did not know I could do objects like that.
How interesting; I had assumed I would need some sort of port forwarding/NAT for it (outside) to know where to send the data to the .55 PS5, but the object group network/service does that.
And you did get the idea; I believe this is exactly what I was seeking. I have not applied it yet but will as soon as I can.

thank you 

The other access-lists you have configured will need to be examined and re-written with objects if it makes sense.

Regards, LG

You mean if I so choose? Everything else at this point is using simple ports here and there… I suppose, like my email server, instead of having 2 I could create an object for that to consolidate as well, but currently I'm not sure what else I would need to rewrite.

Yes, if you choose to do it, we can have a look at the classical ACLs.

To be honest, I'm not sure what the benefit is. You will have smaller ACLs using object-groups, but the info regarding the ports will move from the ACL to the object-group. OK, if you had 20 or 30 hosts using 10 or 15 ports each, I could see the benefit, but in your case it's not that big of a difference.

Regards, LG

Curious:

If said PS5 did not have a static IP and it randomly changed, given that the PS5 first initiates an outgoing connection in order to receive incoming ones, is there a way to open those ports generically to the 192.168.5.0 network where the PS5 resides, so that they would be open to whichever source LAN IP started the connections?

The only way to open the ports generically is to configure a static NAT, but you don't need to do that if the traffic is originating from the inside.

Regards, LG

I wonder then, when the PS5 initiates its Internet connectivity, if it already allows incoming traffic without ACL/NAT through that tunnel?

liviu.gheorghe
Spotlight

Without ACL or NAT configured, packet handling is governed by routing and firewall configuration.

Regards, LG

In truth I am not really sure what that means.

So for now I will assume that if the PS5 ‘outbound’ connects to Internet-based services such as voice chat, score keeping and server finding, the window is now open and anything ‘inbound’ replying to those services, even on other ports not initiated by the ‘outbound’ PS5, will be allowed without an ACL or NAT.

But my email server, for example, given that ‘incoming’ emails happen without an initiation from ‘outbound’, I’d still need a NAT entry so that the router knows which LAN IP to send to, as well as an ACL to allow random incoming connections on email ports.


@TheGoob wrote:

In truth I am not really sure what that means

So for now I will assume that if the PS5 ‘outbound’ connects to Internet-based services such as voice chat, score keeping and server finding, the window is now open and anything ‘inbound’ replying to those services, even on other ports not initiated by the ‘outbound’ PS5, will be allowed without an ACL or NAT.

I'm not sure why you are asking "without an ACL or NAT". In fact you have NAT configured - your PS5 IP address is a private RFC 1918 address which is not routable on the Internet. In order for your PS5 to get to services like voice chat, score keeping and server finding, you are translating the private IP address of the PS5 to a public, routable address. This is done by the ISR, which translates the private 192.168.x.0 addresses in your network to either one of the 8 public IP addresses you got from your ISP or the IP address of the Dialer1 interface.

And yes, in this case, as soon as the first IP packet from your PS5 gets translated, the ISR stores an entry in the NAT table to enable the return traffic to be translated back to the IP address of the PS5. This happens because in this case the traffic originates from the inside LAN.

But my email server, for example, given that ‘incoming’ emails happen without an initiation from ‘outbound’, I’d still need a NAT entry so that the router knows which LAN IP to send to, as well as an ACL to allow random incoming connections on email ports.


In this case the source of the traffic, a mail server that wants to send you a mail message, only knows your external IP address - the one you configured in your DNS as the MX record. For this type of traffic you need a static NAT to allow the outside mail server to reach your inside/DMZ host, which, by the way, also has a private IP address.

Regards, LG
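The two behaviours described in the last two replies (a translation entry created by inside-originated traffic that only matches the return of that flow, versus a hand-configured static NAT for unsolicited inbound traffic such as mail delivery) can be shown with a small model. The code below is an added example, not Cisco code or code from this thread; it is a deliberately simplified PAT/static-NAT table, not a reproduction of IOS NAT internals, and all addresses (the 203.0.113.10 public address, the 198.51.100.x peers) are constructed.

```python
from dataclasses import dataclass, field

PUBLIC_IP = "203.0.113.10"  # constructed stand-in for the router's public (Dialer1) address


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class NatRouter:
    """Toy model holding the two kinds of NAT entry discussed in the thread."""
    # static NAT: (proto, public_port) -> (inside_ip, inside_port); configured by hand
    static: dict = field(default_factory=dict)
    # dynamic PAT sessions: (proto, inside_ip, inside_port, peer_ip, peer_port) -> public_port
    sessions: dict = field(default_factory=dict)
    # reverse index for return traffic: (proto, peer_ip, peer_port, public_port) -> (inside_ip, inside_port)
    returns: dict = field(default_factory=dict)
    next_port: int = 40000  # first public port handed out for PAT

    def add_static(self, proto, public_port, inside_ip, inside_port):
        self.static[(proto, public_port)] = (inside_ip, inside_port)

    def outbound(self, pkt):
        """Inside-originated packet: translate the source and remember the flow."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.sessions:
            self.sessions[key] = self.next_port
            self.returns[(pkt.proto, pkt.dst_ip, pkt.dst_port, self.next_port)] = (pkt.src_ip, pkt.src_port)
            self.next_port += 1
        return Packet(pkt.proto, PUBLIC_IP, self.sessions[key], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Packet arriving from outside at the public address.
        Returns the translated packet, or None if the router drops it."""
        if pkt.dst_ip != PUBLIC_IP:
            return None
        # 1. return traffic of a flow an inside host started (same peer, same ports)
        hit = self.returns.get((pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_port))
        if hit is None:
            # 2. unsolicited traffic: only a static NAT entry can forward it
            hit = self.static.get((pkt.proto, pkt.dst_port))
        if hit is None:
            return None
        inside_ip, inside_port = hit
        return Packet(pkt.proto, pkt.src_ip, pkt.src_port, inside_ip, inside_port)


def demo():
    """Walk through the cases from the thread with constructed addresses."""
    r = NatRouter()
    ps5, game_server, mail_peer = "192.168.5.55", "198.51.100.5", "198.51.100.7"

    # PS5 starts a session: the peer's reply is translated back, an unrelated host's is not
    r.outbound(Packet("udp", ps5, 3478, game_server, 3478))
    reply = r.inbound(Packet("udp", game_server, 3478, PUBLIC_IP, 40000))
    stray = r.inbound(Packet("udp", "198.51.100.99", 3478, PUBLIC_IP, 40000))

    # mail delivery is never inside-initiated: dropped until a static NAT entry exists
    before = r.inbound(Packet("tcp", mail_peer, 51000, PUBLIC_IP, 993))
    r.add_static("tcp", 993, "192.168.1.180", 993)
    after = r.inbound(Packet("tcp", mail_peer, 51000, PUBLIC_IP, 993))
    return reply, stray, before, after


if __name__ == "__main__":
    labels = ("ps5 reply", "stray udp", "mail before static", "mail after static")
    for label, result in zip(labels, demo()):
        print(f"{label:>20}: {'DROP' if result is None else result}")
```

The model makes the practical point of the thread visible: the dynamic entry is keyed on the peer the inside host talked to, so it does not open the public port to other sources or other ports, and the mail case only forwards once the static entry is present. On the real ISR that static entry is the `ip nat inside source static tcp ...` form, and with ZBFW the inbound zone pair's policy still has to permit the traffic on top of the NAT entry, which is where the OUTSIDE-TO-INSIDE ACL comes in.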

Correct, what I meant was a specific NAT in addition to the original ones I have. More specifically, I was not sure whether, when dealing with incoming connections from WAN to a specific LAN host, I would need a NAT rule like a port forward.
Like, I have my NAT WAN to LAN for my 192.168.1.0 (email WAN and LAN), but also a NAT entry routing incoming 993 to the specific 192.168.1.180 on top of the NAT rule I have associating the network to the WAN.

Yes, you need different types of NAT depending on the direction of the traffic - inside to outside or outside to inside.

Regards, LG