05-29-2013 10:13 PM - edited 03-11-2019 06:51 PM
I need the following ports forwarded for a single ip address
Is there an easy way to to it with service objects/groups?
05-29-2013 11:24 PM
Hi,
You didn't mention your firewall software level (since the NAT format has changed in the newer ones)
I am afraid you are bound to configure multiple Static PAT configurations whatever your software might be.
All the below configurations presume we are using the "outside" interface IP address as the public IP address. If a separate IP address is used you need to replace the "interface" with the public IP address. Also using an example local IP address and interface names.
For ASA software level 8.3+
object network STATIC-UDP88
host 10.10.10.10
nat (inside,outside) static interface service udp 88 88
object network STATIC-UDP3074
host 10.10.10.10
nat (inside,outside) static interface service udp 3074 3074
object network STATIC-TCP3074
host 10.10.10.10
nat (inside,outside) static interface service tcp 3074 3074
object network STATIC-UDP53
host 10.10.10.10
nat (inside,outside) static interface service udp 53 53
object network STATIC-TCP53
host 10.10.10.10
nat (inside,outside) static interface service tcp 53 53
object network STATIC-TCP80
host 10.10.10.10
nat (inside,outside) static interface service tcp 80 80
The below "object network" is just created to give a simple object to be used in the ACL
object network SERVER
host 10.10.10.10
object-group service SERVER-SERVICES
service-object udp destination eq 88
service-object udp destination eq 3074
service-object tcp destination eq 3074
service-object udp destination eq 53
service-object tcp destination eq 53
service-object tcp destination eq 80
access-list OUTSIDE-IN permit object-group SERVER-SERVICES any object SERVER
For ASA software level 8.2 and earlier
static (inside,outside) udp interface 88 10.10.10.10 88 netmask 255.255.255.255
static (inside,outside) udp interface 3074 10.10.10.10 3074 netmask 255.255.255.255
static (inside,outside) tcp interface 3074 10.10.10.10 3074 netmask 255.255.255.255
static (inside,outside) udp interface 53 10.10.10.10 53 netmask 255.255.255.255
static (inside,outside) tcp interface 53 10.10.10.10 53 netmask 255.255.255.255
static (inside,outside) tcp interface 80 10.10.10.10 80 netmask 255.255.255.255
object-group service SERVER-SERVICES
service-object udp destination eq 88
service-object udp destination eq 3074
service-object tcp destination eq 3074
service-object udp destination eq 53
service-object tcp destination eq 53
service-object tcp destination eq 80
access-list OUTSIDE-IN permit object-group SERVER-SERVICES any interface outside
Hope this helps
Please remember to mark the reply as the correct answer if it answered your question.
Or ask more if needed
- Jouni
05-30-2013 10:18 AM
I have 8.4, so isn't there a way to just apply the object-group service SERVER-SERVICES to a single nat statement instead of listing them out separately? Weren't they trying to make it easier? That seems like more to do than the earlier version.
05-30-2013 10:25 AM
Yeah,
It does indeed seem that you end up "cluttering" the CLI configuration even more than in the older format.
But sadly, you CAN'T use an "object-group service" in the NAT configurations
For example if I created an "object-group service SERVICES" which contained ports TCP/80 and UDP/53 and attempted to use them in a NAT configuration command I get the following error
ERROR: SERVICES is not a valid service object name
- Jouni
05-30-2013 03:58 PM
How do I check that it's working? How can I see if it's applied correctly to an interface? I used the example for 8.3+ and above.
I don't see this command applied to an interface like the one you have for earlier version of software:
access-list OUTSIDE-IN permit object-group SERVER-SERVICES any object SERVER
When I look in the gui, it doesn't show up anywhere, under access rules.
05-30-2013 06:52 PM
Do I really need all the nat statements you listed? Why can't I open the services to the ip address and apply it inbound on the outside interface as you showed in the 2nd part?
object network STATIC-UDP88
host 10.10.10.10
nat (inside,outside) static interface service udp 88 88
object network STATIC-UDP3074
host 10.10.10.10
nat (inside,outside) static interface service udp 3074 3074
object network STATIC-TCP3074
host 10.10.10.10
nat (inside,outside) static interface service tcp 3074 3074
object network STATIC-UDP53
host 10.10.10.10
nat (inside,outside) static interface service udp 53 53
object network STATIC-TCP53
host 10.10.10.10
nat (inside,outside) static interface service tcp 53 53
object network STATIC-TCP80
host 10.10.10.10
nat (inside,outside) static interface service tcp 80 80
05-30-2013 08:41 PM
Hi,
The "access-list" configuration I included in the configuration were just examples.
If you DON'T have an existing ACL on the "outside" interface then you would need to use the command
access-group OUTSIDE-IN in interface outside
If you have a spare public IP address you could naturally configure Static NAT instead of all these Static PAT (Port Forward) configurations.
It would simply be
object network SERVER
host 10.10.10.10
nat (inside,outside) static x.x.x.x
object-group service SERVER-SERVICES
service-object udp destination eq 88
service-object udp destination eq 3074
service-object tcp destination eq 3074
service-object udp destination eq 53
service-object tcp destination eq 53
service-object tcp destination eq 80
access-list OUTSIDE-IN permit object-group SERVER-SERVICES any object SERVER
access-group OUTSIDE-IN in interface outside
- Jouni
05-30-2013 08:45 PM
Also,
If you wanted to test that the ports are open you could use the "packet-tracer" command
For example
packet-tracer input outside tcp 1.2.3.4 12345
Where
Changing the above "tcp" to "udp" and the destination port to something else will naturally let you test the other opened services against the ASA's configuration and see if they are configured correctly.
- Jouni
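As an added example for this thread (it is not code from the thread, from Jouni, or from Cisco): a Python script that generates the repetitive per-port configuration from Jouni's first answer, the static NAT alternative from the later post, and the packet-tracer verification commands from the final post, so the service list is kept in one place even though the ASA will not accept an object-group service in a NAT statement. The host 10.10.10.10, the interface names and the object/ACL names are taken from the thread; the public IP 203.0.113.10, the test source 198.51.100.7 and the service list are constructed sample input, and the function names are my own.

```python
"""Generate Cisco ASA port-forward configuration for one internal host.

Added example, not code from the thread or from Cisco. Emits the per-port
"object network" + "nat ... static ... service" lines ASA 8.3+ needs (one
object per protocol/port, since an object-group service is rejected in a NAT
statement), the equivalent 8.2 "static" lines, the service object-group and
inbound ACL, and one packet-tracer command per forwarded service.
"""
from dataclasses import dataclass
from typing import List

HOST_MASK = "255.255.255.255"


@dataclass(frozen=True)
class Service:
    proto: str  # "tcp" or "udp"
    port: int


def parse_services(spec: str) -> List[Service]:
    """Parse a space-separated "udp/88 tcp/80 ..." list, rejecting bad entries."""
    services = []
    for tok in spec.split():
        proto, _, port = tok.partition("/")
        proto = proto.lower()
        if proto not in ("tcp", "udp"):
            raise ValueError(f"unsupported protocol in {tok!r}")
        if not port.isdigit() or not 1 <= int(port) <= 65535:
            raise ValueError(f"bad port in {tok!r}")
        services.append(Service(proto, int(port)))
    return services


def static_pat_83(host, services, public="interface", inside="inside", outside="outside"):
    """ASA 8.3+: one network object and one static PAT line per protocol/port."""
    lines = []
    for s in services:
        lines += [f"object network STATIC-{s.proto.upper()}{s.port}",
                  f" host {host}",
                  f" nat ({inside},{outside}) static {public} service {s.proto} {s.port} {s.port}"]
    return lines


def static_nat_83(host, public_ip, inside="inside", outside="outside"):
    """ASA 8.3+: one-to-one static NAT when a spare public IP is available."""
    return ["object network SERVER", f" host {host}",
            f" nat ({inside},{outside}) static {public_ip}"]


def static_pat_82(host, services, public="interface", inside="inside", outside="outside"):
    """ASA 8.2 and earlier: one "static" line per protocol/port."""
    return [f"static ({inside},{outside}) {s.proto} {public} {s.port} {host} {s.port} netmask {HOST_MASK}"
            for s in services]


def inbound_acl(services, acl_target, acl="OUTSIDE-IN", outside="outside"):
    """Service object-group, the ACL that uses it, and the access-group that binds it."""
    lines = ["object-group service SERVER-SERVICES"]
    lines += [f" service-object {s.proto} destination eq {s.port}" for s in services]
    lines += [f"access-list {acl} permit object-group SERVER-SERVICES any {acl_target}",
              f"access-group {acl} in interface {outside}"]
    return lines


def packet_tracer_checks(services, public_ip, src_ip="198.51.100.7", src_port=12345, outside="outside"):
    """One packet-tracer command per forwarded service, simulated from the outside."""
    return [f"packet-tracer input {outside} {s.proto} {src_ip} {src_port} {public_ip} {s.port}"
            for s in services]


def build_config(version, host, services, public="interface", one_to_one=False):
    """Full config for "8.3" or "8.2". public is "interface" or a spare public IP;
    one_to_one=True (8.3+ only) uses plain static NAT on that spare IP instead of PAT."""
    if version == "8.3":
        if one_to_one:
            if public == "interface":
                raise ValueError("static NAT needs a spare public IP, not the interface address")
            nat = static_nat_83(host, public)
        else:
            nat = static_pat_83(host, services, public) + ["object network SERVER", f" host {host}"]
        # 8.3+ ACLs match the real (untranslated) address, hence "object SERVER"
        return nat + inbound_acl(services, "object SERVER")
    if version == "8.2":
        # pre-8.3 ACLs match the mapped address: the outside interface or the public IP
        target = "interface outside" if public == "interface" else f"host {public}"
        return static_pat_82(host, services, public) + inbound_acl(services, target)
    raise ValueError(f"unknown ASA version {version!r}")


if __name__ == "__main__":
    svcs = parse_services("udp/88 udp/3074 tcp/3074 udp/53 tcp/53 tcp/80")  # constructed input
    for v in ("8.3", "8.2"):
        print(f"! ASA {v}")
        print("\n".join(build_config(v, "10.10.10.10", svcs)))
    print("! verification (public IP is a constructed example)")
    print("\n".join(packet_tracer_checks(svcs, "203.0.113.10")))
```

The ACL target differs between the two versions on purpose: from 8.3 onwards the ASA evaluates interface ACLs against the real address, so the rule names `object SERVER`, while 8.2 evaluates them against the mapped address, so the rule names `interface outside` (or the spare public IP). The script always appends the `access-group` line Jouni mentions; drop it if the outside interface already has an ACL bound and merge the `access-list` line into that ACL instead.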