Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5644
Views
1
Helpful
7
Replies

Static NAT with Service Object-group to host multiple services on a single server

Muhammad Asad
Level 1
Level 1

‎08-17-2016 11:51 PM - edited ‎03-12-2019 01:08 AM

Hello all,

I am running ASA 5525-X 9.6(1)

I have a machine on inside with ip 172.16.X.250 which want to host multiple services (i.e. http, https, ssh, ftp) to be accessed from outside via 121.x.x.y

 just want to know if I can use object-group service to gather and allow all services above in a single static nat command

I want a configuration that might look somewhat similar to following.

OPTION-1

----------------

object-group service GPS-ENV-VL43
  service-object tcp-udp destination eq www
  service-object tcp destination eq https
  service-object tcp destination eq ftp
  service-object tcp destination eq ssh
exit


object network 172.16.X.250_ENV_GPS_LOCAL
 host 172.16.X.250
 nat (inside,outside) static 121.x.x.y service GPS-ENV-VL43 GPS-ENV-VL43 (not able to use service object-group)

OPTION-2

----------------

object-group service GPS-ENV-VL43
  service-object tcp-udp destination eq www
  service-object tcp destination eq https
  service-object tcp destination eq ftp
  service-object tcp destination eq ssh

exit


object network 172.16.x.250_ENV_GPS_LOCAL
 host 172.16.43.250
exit


 object network 121.x.x.y_ENV_GPS_GLOBAL
 host 121.x.x.y
exit


nat (inside,outside) source static 172.16.x.250_ENV_GPS_LOCAL 121.x.x.x_ENV_GPS_GLOBAL service GPS-ENV-VL43 GPS-ENV-VL43 (unable to use object-group services here)



1 person had this problem
Labels:
0 Helpful
7 Replies 7

Luke Oxley
Level 1
Level 1

‎08-18-2016 04:48 PM

AsadArainMuet,
Thanks for your post. Luckily as you're running ASA version 9.6 you'll be able to logically group these service in to one single NAT statement. The new syntax is along the lines of the following example (tailor this to your environment, of course).
1. Create an object group for the needed source ports. These will be the ports that the remote peer is trying to connect using. In my example I've just done a range of ports TCP 21-53. 
object service SERVER_SOURCE_PORTS
 service tcp source range 21 53

2. Create an object group for the translated ports. This will be the ports you wish the ASA to use to connect to the device on the inside or DMZ of your network. In my example, I've just done the same ports.

object service SERVER_PORTS_XLATE
 service tcp source range 21 53
3. Create two object groups. One for the internal IP address of the server and one for the NAT'd address you wish to use.
object network SERVER_OUTSIDE
 host 10.1.1.1
object network SERVER_OUTSIDE
 host 10.2.2.2

4. Lastly, tie this all together with something similar to the following NAT statement.

nat (inside,outside) source static SERVER_INSIDE SERVER_OUTSIDE service SERVER_SOURCE_PORTS SERVER_PORTS_XLATE
The NAT statements work on a source -> destination basis. List source first, then destination. Have a go at using the above method and let me know how you get along. If you still struggle, please attach a full sanitised configuration and I'll take a look and tailor some configuration for you.
I look forward to hearing back.

Warm regards,
Luke

0 Helpful

Muhammad Asad
Level 1
Level 1
In response to Luke Oxley

‎08-18-2016 09:22 PM

Luke Oxley thanks for the reply, however it didn't work, see my config and error in the end

object-group service GPS-ENV-VL43-PORTS
  service tcp source eq  http
  service tcp source eq https
  service tcp source eq ftp
  service tcp source eq ssh
exit

object-group service GPS-ENV-XLATE
  service tcp source eq http
  service tcp source eq https
  service tcp source eq ftp
  service tcp source eq ssh
exit


object network GPS-ENV-LOCAL
 host 172.16.X.250

 
object network GPS-ENV-GLOBAL
 host 121.X.X.Y



MUET -EDGE-FW(config)# nat (inside,outside) source static GPS-ENV-LOCAL GPS-ENV-GLOBAL service GPS-ENV-VL43-PORTS GPS-ENV-XLATE


ERROR: GPS-ENV-VL43-PORTS is not a valid service object name (I believe it accepts service object only and not the service object-group )

Regards

0 Helpful

Luke Oxley
Level 1
Level 1
In response to Muhammad Asad

‎08-19-2016 05:32 AM

AsadArainMuet,

Correct. In my post I asked you to create "object service", not "object-group service". Please follow my configuration example closer and try again.

Best regards,
Luke

0 Helpful

Muhammad Asad
Level 1
Level 1
In response to Luke Oxley

‎08-23-2016 09:12 PM

Dear Luke Oxley,

When you create service object and hit multiple ports under it, you end up with only last command left, see the following example.

FW(config)# object  service GPS-ENV-XLATE
FW(config-service-object)#   service tcp source eq http
FW(config-service-object)#   service tcp source eq https
FW(config-service-object)#   service tcp source eq ftp
FW(config-service-object)#   service tcp source eq ssh
FW(config-service-object)#
FW(config-service-object)# exit

FW# sh run object service         
object service GPS-ENV-XLATE
 service tcp source eq ssh
FW#

Also note that the ports I am trying to create object services for, are not continuous or contiguous, they are random ports.

0 Helpful

Luke Oxley
Level 1
Level 1
In response to Muhammad Asad

‎08-26-2016 10:32 AM

AsadArainMuet,

Apologies. I'll spin this up in my lab tonight and get some commands together. My memory must be failing me.

Cheers,
Luke

Please rate helpful posts and mark correct answers.
0 Helpful

statsoladmin
Level 1
Level 1

‎09-30-2024 01:08 PM

Was there ever a resolution to this? I'm running into the same thing. I would like to clean up some NAT statements by condensing them down.

MHM Cisco World
VIP
VIP
In response to statsoladmin

‎09-30-2024 01:11 PM

Make new post 

MHM

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card