
Grouping Static Commands for Multiple Ports

Medium Priority
1,083 Views
Last Modified: 2013-11-16
Hello Experts -

I am having trouble cleaning up my ASA configuration regarding port forwarding.  All relevant code is below...

I have two service object groups with the appropriate ports listed.  Using those groups, I have an access-list defined that opens the ports for inbound traffic.  Now, I want to somehow eliminate all my static commands and group them using the access-list or some other method.  Is this possible?

object-group service demo_tcp_services tcp
 port-object eq 3000
 port-object eq 7000
 port-object eq 7021
 port-object range 8000 8003
 port-object range 9000 9001
object-group service demo_udp_services udp
 port-object eq 8875
 
access-list demos_ftp_outside_access_in extended permit tcp any host demo_ftp_servers object-group ftp_services 
access-list demos_ftp_outside_access_in extended permit tcp any host demo_ftp_servers object-group demo_tcp_services 
access-list demos_ftp_outside_access_in extended permit udp any host demo_ftp_servers object-group demo_udp_services 
 
static (inside,outside) tcp demo_ftp_servers 7000 192.168.4.18 7000 netmask 255.255.255.255 
static (inside,outside) tcp demo_ftp_servers 8000 192.168.4.18 8000 netmask 255.255.255.255 
static (inside,outside) tcp demo_ftp_servers 8001 192.168.4.18 8001 netmask 255.255.255.255 
static (inside,outside) tcp demo_ftp_servers 8002 192.168.4.18 8002 netmask 255.255.255.255 
static (inside,outside) tcp demo_ftp_servers 8003 192.168.4.18 8003 netmask 255.255.255.255 
static (inside,outside) tcp demo_ftp_servers 9000 192.168.4.18 9000 netmask 255.255.255.255 
static (inside,outside) tcp demo_ftp_servers 9001 192.168.4.18 9001 netmask 255.255.255.255 
static (inside,outside) tcp demo_ftp_servers 3000 192.168.4.18 3000 netmask 255.255.255.255 
static (inside,outside) tcp demo_ftp_servers 7021 192.168.4.18 7021 netmask 255.255.255.255 
static (inside,outside) udp demo_ftp_servers 8875 192.168.4.18 8875 netmask 255.255.255.255 
static (inside,outside) tcp demo_ftp_servers ftp 192.168.4.14 ftp netmask 255.255.255.255 
static (inside,outside) tcp demo_ftp_servers ftp-data 192.168.4.14 ftp-data netmask 255.255.255.255 
static (inside,inside) tcp demo_ftp_servers 7000 192.168.4.18 7000 netmask 255.255.255.255 
static (inside,inside) tcp demo_ftp_servers 8000 192.168.4.18 8000 netmask 255.255.255.255 
static (inside,inside) tcp demo_ftp_servers 8001 192.168.4.18 8001 netmask 255.255.255.255 
static (inside,inside) tcp demo_ftp_servers 8002 192.168.4.18 8002 netmask 255.255.255.255 
static (inside,inside) tcp demo_ftp_servers 8003 192.168.4.18 8003 netmask 255.255.255.255 
static (inside,inside) tcp demo_ftp_servers 9000 192.168.4.18 9000 netmask 255.255.255.255 
static (inside,inside) tcp demo_ftp_servers 9001 192.168.4.18 9001 netmask 255.255.255.255 
static (inside,inside) tcp demo_ftp_servers 3000 192.168.4.18 3000 netmask 255.255.255.255 
static (inside,inside) tcp demo_ftp_servers 7021 192.168.4.18 7021 netmask 255.255.255.255 
static (inside,inside) udp demo_ftp_servers 8875 192.168.4.18 8875 netmask 255.255.255.255 
static (inside,inside) tcp demo_ftp_servers ftp 192.168.4.14 ftp netmask 255.255.255.255 
static (inside,inside) tcp demo_ftp_servers ftp-data 192.168.4.14 ftp-data netmask 255.255.255.255
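As an added example (not part of the question or the answers): a small Python audit that parses service object groups and port statics in the format shown above and reports ports the groups open with no matching static on a given interface pair, and statics no group covers. The embedded config is a constructed subset of the question's configuration, with two ports deliberately left without statics and one static not in any group so both findings show up.

```python
import re

# Constructed excerpt in the question's format: groups open tcp 3000, 7000, 8000-8003
# and udp 8875, but statics are missing for 8002/8003 and 7021 has no group entry.
ASA_CONFIG = """\
object-group service demo_tcp_services tcp
 port-object eq 3000
 port-object eq 7000
 port-object range 8000 8003
object-group service demo_udp_services udp
 port-object eq 8875
static (inside,outside) tcp demo_ftp_servers 7000 192.168.4.18 7000 netmask 255.255.255.255
static (inside,outside) tcp demo_ftp_servers 8000 192.168.4.18 8000 netmask 255.255.255.255
static (inside,outside) tcp demo_ftp_servers 8001 192.168.4.18 8001 netmask 255.255.255.255
static (inside,outside) tcp demo_ftp_servers 3000 192.168.4.18 3000 netmask 255.255.255.255
static (inside,outside) udp demo_ftp_servers 8875 192.168.4.18 8875 netmask 255.255.255.255
static (inside,outside) tcp demo_ftp_servers 7021 192.168.4.18 7021 netmask 255.255.255.255
"""

NAMED_PORTS = {"ftp": 21, "ftp-data": 20}  # ASA port keywords that appear on the page

def port_num(tok):
    """Translate an ASA port keyword or numeric string to an integer port."""
    return NAMED_PORTS.get(tok) or int(tok)

def parse_object_groups(cfg):
    """Return {group_name: (proto, {ports})} for 'object-group service <name> tcp|udp'."""
    groups, current = {}, None
    for line in cfg.splitlines():
        m = re.match(r"object-group service (\S+) (tcp|udp)$", line)
        if m:
            current = m.group(1)
            groups[current] = (m.group(2), set())
            continue
        m = re.match(r"\s+port-object (eq|range) (\S+)(?: (\S+))?$", line)
        if m and current:
            lo = port_num(m.group(2))
            hi = port_num(m.group(3)) if m.group(1) == "range" else lo
            groups[current][1].update(range(lo, hi + 1))
    return groups

def parse_statics(cfg, ifpair="(inside,outside)"):
    """Return {(proto, global_port): (inside_host, inside_port)} for port statics on ifpair."""
    pat = re.compile(r"static (\(\S+\)) (tcp|udp) \S+ (\S+) (\S+) (\S+) netmask")
    return {(m.group(2), port_num(m.group(3))): (m.group(4), port_num(m.group(5)))
            for m in pat.finditer(cfg) if m.group(1) == ifpair}

def audit(cfg, ifpair="(inside,outside)"):
    """Return (ports opened by groups without a static, statics not covered by any group)."""
    opened = {(proto, p) for proto, ports in parse_object_groups(cfg).values() for p in ports}
    statics = parse_statics(cfg, ifpair)
    return sorted(opened - statics.keys()), sorted(statics.keys() - opened)
```

Run `audit(open("asa.cfg").read())` against a full config to get the same two lists for the (inside,outside) pair; pass `ifpair="(inside,inside)"` to check the hairpin statics separately.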



Top Expert 2009

Commented:
The best you can do is dedicate a public IP address to a private IP address instead of breaking out ports, but really, to be honest, there is no functional problem with the statics you have, and they give you the flexibility to use a single public IP address to forward ports to different inside hosts.

Author

Commented:
I am using a single public IP and have different ports forwarding to different inside hosts.  It works great; however, I just wish I could clean up all those statics into one or two rules.  I thought I could do it with an access-list but I can't seem to get it to work without an overlapping error.  Is it not possible?
Thanks again for your help.
Top Expert 2009
Commented:
Honestly, I would leave it just the way it is.  You might be able to get creative and use a static with an access-list but it will provide the same functionality but with added complexity.  The static was designed to do just what you want it to do.  I really wouldn't mess with it.  If you use the ASDM, you won't have to see it :-)


Author

Commented:
Another comment...
I tried this command:
static (inside,outside) demo_ftp_servers access-list demos_ftp_outside_access_in
but it gave this error:
global address overlaps with mask
Any ideas?

Author

Commented:
Thanks JFrederick29.  I appreciate your input.

Top Expert 2009

Commented:
Thanks and you are welcome.  Less complexity is better than a few extra lines in the config (trust me).