
Solved

Grouping Static Commands for Multiple Ports

Posted on 2009-02-10
Last Modified: 2013-11-16
Hello Experts -

I am having trouble cleaning up my ASA configuration regarding port forwarding.  All relevant code is below...

I have two service object groups with the appropriate ports listed.  Using those groups, I have an access-list defined that opens the ports for inbound traffic.  Now, I want to somehow eliminate all my static commands and group them using the access-list or some other method.  Is this possible?
object-group service demo_tcp_services tcp
 port-object eq 3000
 port-object eq 7000
 port-object eq 7021
 port-object range 8000 8003
 port-object range 9000 9001
object-group service demo_udp_services udp
 port-object eq 8875
 
access-list demos_ftp_outside_access_in extended permit tcp any host demo_ftp_servers object-group ftp_services 
access-list demos_ftp_outside_access_in extended permit tcp any host demo_ftp_servers object-group demo_tcp_services 
access-list demos_ftp_outside_access_in extended permit udp any host demo_ftp_servers object-group demo_udp_services 
 
static (inside,outside) tcp demo_ftp_servers 7000 192.168.4.18 7000 netmask 255.255.255.255 
static (inside,outside) tcp demo_ftp_servers 8000 192.168.4.18 8000 netmask 255.255.255.255 
static (inside,outside) tcp demo_ftp_servers 8001 192.168.4.18 8001 netmask 255.255.255.255 
static (inside,outside) tcp demo_ftp_servers 8002 192.168.4.18 8002 netmask 255.255.255.255 
static (inside,outside) tcp demo_ftp_servers 8003 192.168.4.18 8003 netmask 255.255.255.255 
static (inside,outside) tcp demo_ftp_servers 9000 192.168.4.18 9000 netmask 255.255.255.255 
static (inside,outside) tcp demo_ftp_servers 9001 192.168.4.18 9001 netmask 255.255.255.255 
static (inside,outside) tcp demo_ftp_servers 3000 192.168.4.18 3000 netmask 255.255.255.255 
static (inside,outside) tcp demo_ftp_servers 7021 192.168.4.18 7021 netmask 255.255.255.255 
static (inside,outside) udp demo_ftp_servers 8875 192.168.4.18 8875 netmask 255.255.255.255 
static (inside,outside) tcp demo_ftp_servers ftp 192.168.4.14 ftp netmask 255.255.255.255 
static (inside,outside) tcp demo_ftp_servers ftp-data 192.168.4.14 ftp-data netmask 255.255.255.255 
static (inside,inside) tcp demo_ftp_servers 7000 192.168.4.18 7000 netmask 255.255.255.255 
static (inside,inside) tcp demo_ftp_servers 8000 192.168.4.18 8000 netmask 255.255.255.255 
static (inside,inside) tcp demo_ftp_servers 8001 192.168.4.18 8001 netmask 255.255.255.255 
static (inside,inside) tcp demo_ftp_servers 8002 192.168.4.18 8002 netmask 255.255.255.255 
static (inside,inside) tcp demo_ftp_servers 8003 192.168.4.18 8003 netmask 255.255.255.255 
static (inside,inside) tcp demo_ftp_servers 9000 192.168.4.18 9000 netmask 255.255.255.255 
static (inside,inside) tcp demo_ftp_servers 9001 192.168.4.18 9001 netmask 255.255.255.255 
static (inside,inside) tcp demo_ftp_servers 3000 192.168.4.18 3000 netmask 255.255.255.255 
static (inside,inside) tcp demo_ftp_servers 7021 192.168.4.18 7021 netmask 255.255.255.255 
static (inside,inside) udp demo_ftp_servers 8875 192.168.4.18 8875 netmask 255.255.255.255 
static (inside,inside) tcp demo_ftp_servers ftp 192.168.4.14 ftp netmask 255.255.255.255 
static (inside,inside) tcp demo_ftp_servers ftp-data 192.168.4.14 ftp-data netmask 255.255.255.255

Question by:chezbrgrs
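Each of the twelve (inside,outside) statics above exposes one (public address, protocol, port) tuple, and the access-list is what actually admits inbound traffic to it; when both lists are maintained by hand they drift apart. The script below is an added example, not code from the question or the answers: it parses the posted excerpt (embedded inline, copied from the question, with the (inside,inside) copies left out) and cross-checks the statics against the access-list. It assumes the pre-8.3 `static` syntax shown in the post, handles only the constructs that appear there, and resolves only the `ftp` and `ftp-data` service names. Run against the excerpt it reports that the `ftp_services` group named by the first access-list line is not defined in what was posted, so the two FTP forwards cannot be confirmed as permitted from the excerpt alone.

```python
"""Cross-check Cisco ASA pre-8.3 'static' PAT entries against the inbound ACL.

Added example, not from the thread. It parses the configuration excerpt posted
in the question and reports forwards the ACL never permits, ACL permits with no
matching forward, and object-groups the ACL names but the excerpt does not
define. Only the syntax that appears in the post is handled.
"""
import re
from collections import defaultdict

# The question's configuration, copied so the script runs offline. The twelve
# (inside,inside) copies are omitted: audit() only looks at statics whose
# mapped interface is the one being checked.
CONFIG = """\
object-group service demo_tcp_services tcp
 port-object eq 3000
 port-object eq 7000
 port-object eq 7021
 port-object range 8000 8003
 port-object range 9000 9001
object-group service demo_udp_services udp
 port-object eq 8875
access-list demos_ftp_outside_access_in extended permit tcp any host demo_ftp_servers object-group ftp_services
access-list demos_ftp_outside_access_in extended permit tcp any host demo_ftp_servers object-group demo_tcp_services
access-list demos_ftp_outside_access_in extended permit udp any host demo_ftp_servers object-group demo_udp_services
static (inside,outside) tcp demo_ftp_servers 7000 192.168.4.18 7000 netmask 255.255.255.255
static (inside,outside) tcp demo_ftp_servers 8000 192.168.4.18 8000 netmask 255.255.255.255
static (inside,outside) tcp demo_ftp_servers 8001 192.168.4.18 8001 netmask 255.255.255.255
static (inside,outside) tcp demo_ftp_servers 8002 192.168.4.18 8002 netmask 255.255.255.255
static (inside,outside) tcp demo_ftp_servers 8003 192.168.4.18 8003 netmask 255.255.255.255
static (inside,outside) tcp demo_ftp_servers 9000 192.168.4.18 9000 netmask 255.255.255.255
static (inside,outside) tcp demo_ftp_servers 9001 192.168.4.18 9001 netmask 255.255.255.255
static (inside,outside) tcp demo_ftp_servers 3000 192.168.4.18 3000 netmask 255.255.255.255
static (inside,outside) tcp demo_ftp_servers 7021 192.168.4.18 7021 netmask 255.255.255.255
static (inside,outside) udp demo_ftp_servers 8875 192.168.4.18 8875 netmask 255.255.255.255
static (inside,outside) tcp demo_ftp_servers ftp 192.168.4.14 ftp netmask 255.255.255.255
static (inside,outside) tcp demo_ftp_servers ftp-data 192.168.4.14 ftp-data netmask 255.255.255.255
"""

# Service names used in place of numbers in the post (assumption: only these).
NAMED_PORTS = {"ftp": 21, "ftp-data": 20}

GROUP_RE = re.compile(r"^object-group service (\S+) (tcp|udp)$")
EQ_RE = re.compile(r"^\s+port-object eq (\S+)$")
RANGE_RE = re.compile(r"^\s+port-object range (\S+) (\S+)$")
ACL_RE = re.compile(r"^access-list (\S+) extended permit (tcp|udp) any host (\S+) "
                    r"(?:object-group (\S+)|eq (\S+))$")
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (tcp|udp) (\S+) (\S+) (\S+) (\S+) netmask \S+$")


def port_number(token):
    """'7021' -> 7021, 'ftp' -> 21; None for a name this script does not know."""
    return int(token) if token.isdigit() else NAMED_PORTS.get(token)


def parse_config(text):
    groups, acl, statics, current = {}, defaultdict(list), [], None
    for line in (ln.rstrip() for ln in text.splitlines()):
        if m := GROUP_RE.match(line):                  # start of a service group
            current = m.group(1)
            groups[current] = (m.group(2), set())
        elif (m := EQ_RE.match(line)) and current:     # single port in the group
            groups[current][1].add(port_number(m.group(1)))
        elif (m := RANGE_RE.match(line)) and current:  # inclusive port range
            lo, hi = port_number(m.group(1)), port_number(m.group(2))
            groups[current][1].update(range(lo, hi + 1))
        elif m := ACL_RE.match(line):
            current = None
            name, proto, dst, group, port = m.groups()
            acl[name].append((proto, dst, group, port_number(port) if port else None))
        elif m := STATIC_RE.match(line):
            current = None
            real_ifc, mapped_ifc, proto, m_ip, m_port, r_ip, r_port = m.groups()
            statics.append((mapped_ifc, proto, m_ip, port_number(m_port), r_ip, port_number(r_port)))
        else:
            current = None
    return groups, acl, statics


def audit(text, acl_name, mapped_ifc="outside"):
    groups, acl, statics = parse_config(text)
    permitted, unresolved = set(), set()
    for proto, dst, group, port in acl.get(acl_name, []):
        if group is None:
            permitted.add((proto, dst, port))
        elif group in groups:
            permitted.update((proto, dst, p) for p in groups[group][1])
        else:
            unresolved.add(group)                      # ACL names a group the text lacks
    # What the statics expose on mapped_ifc: (proto, public ip, port) -> (real ip, port)
    exposure = {(p, mi, mp): (ri, rp) for ifc, p, mi, mp, ri, rp in statics if ifc == mapped_ifc}
    return {
        "exposure": exposure,
        "forwarded_not_permitted": sorted(set(exposure) - permitted),
        "permitted_not_forwarded": sorted(permitted - set(exposure)),
        "unresolved_groups": sorted(unresolved),
    }


if __name__ == "__main__":
    report = audit(CONFIG, "demos_ftp_outside_access_in")
    for key, target in sorted(report["exposure"].items()):
        print("%s %s:%s -> %s:%s" % (key + target))
    for k in ("forwarded_not_permitted", "permitted_not_forwarded", "unresolved_groups"):
        print(k, report[k])
```

The exposure map is the table a reviewer actually wants when auditing port forwards: every public port, what it lands on, and whether the ACL agrees. Because the whole excerpt is parsed rather than eyeballed, the same check works unchanged when the static list grows or when an object-group is edited without the statics being touched.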
 
LVL 43

Expert Comment

by:JFrederick29
ID: 23604640
The best you can do is dedicate a public IP address to a private IP address instead of breaking out ports, but, to be honest, there is no functional problem with the statics you have, and they give you the flexibility to use a single public IP address to forward ports to different inside hosts.

 

Author Comment

by:chezbrgrs
ID: 23605072
I am using a single public IP and have different ports forwarding to different inside hosts.  It works great; however, I just wish I could clean up all those statics into one or two rules.  I thought I could do it with an access-list but I can't seem to get it to work without an overlapping error.  Is it not possible?
Thanks again for your help.
 
 
LVL 43

Accepted Solution

by: JFrederick29 (earned 2000 total points)
ID: 23605115
Honestly, I would leave it just the way it is.  You might be able to get creative and use a static with an access-list, but it would provide the same functionality with added complexity.  The static was designed to do just what you want it to do.  I really wouldn't mess with it.  If you use the ASDM, you won't have to see it :-)
 

Author Comment

by:chezbrgrs
ID: 23605133
Another comment...
I tried this command:
static (inside,outside) demo_ftp_servers access-list demos_ftp_outside_access_in
but it gave this error:
global address overlaps with mask
Any ideas?
 

Author Closing Comment

by:chezbrgrs
ID: 31545239
Thanks JFrederick29.  I appreciate your input.
 
LVL 43

Expert Comment

by:JFrederick29
ID: 23605180
Thanks, and you are welcome.  Less complexity is better than a few extra lines in the config (trust me).
