static nat and service port groups

Andrew Meyer · ‎01-06-2014

I need some help with opening ports on my ASA using firmware 9.1.2.

I read earlier today that I can create service groups and tie ports to those. But how do I use those instead of using 'object network obj-ExchangeSever-smtp' ?

I have the ACL -

access-list incoming extended permit tcp any object-group Permit-1.1.1.1 interface outside

Can this statement

object network obj-ExchangeSever-smtp

nat (inside,outside) static interface service tcp smtp smtp

reference the service port groups instead?

Thanks,

Andrew

Jouni Forss · ‎01-06-2014

Hi,

Are you looking a way to group all the ports/services you need to allow from the external network to a specific server/servers?

Well you can for example configure this kind of "object-group"

object-group service SERVER-PORTS

service-object tcp destination eq www

service-object tcp destination eq ftp

service-object tcp destination eq https

service-object icmp echo

access-list OUTSIDE-IN permit object-group SERVER-PORTS any object

The above would essentially let you use a single ACL rule to allow multiple ports to a server or a group of servers. (Depending if you use an "object" or "object-group" to tell the destination address/addresses)

I am not sure how you have configured your NAT. Are they all Static PAT (Port Forward) configurations like the one you have posted above or perhaps Static NAT configurations?

You can use the "object network " created for the NAT configuration in the above ACL rule destination field to specify the host to which traffic will be allowed to. Using the "object" in the ACL doesnt tell the ASA the ports however. That needs to be configured in the above way or in your typical way.

Hope this helps

- Jouni