chezbrgrs
asked on
Grouping Static Commands for Multiple Ports
Hello Experts -
I am having trouble cleaning up my ASA configuration regarding port forwarding. All relevant code is below...
I have two service object groups with the appropriate ports listed. Using those groups, I have an access-list defined that opens the ports for inbound traffic. Now, I want to somehow eliminate all my static commands and group them using the access-list or some other method. Is this possible?
object-group service demo_tcp_services tcp
port-object eq 3000
port-object eq 7000
port-object eq 7021
port-object range 8000 8003
port-object range 9000 9001
object-group service demo_udp_services udp
port-object eq 8875
access-list demos_ftp_outside_access_in extended permit tcp any host demo_ftp_servers object-group ftp_services
access-list demos_ftp_outside_access_in extended permit tcp any host demo_ftp_servers object-group demo_tcp_services
access-list demos_ftp_outside_access_in extended permit udp any host demo_ftp_servers object-group demo_udp_services
static (inside,outside) tcp demo_ftp_servers 7000 192.168.4.18 7000 netmask 255.255.255.255
static (inside,outside) tcp demo_ftp_servers 8000 192.168.4.18 8000 netmask 255.255.255.255
static (inside,outside) tcp demo_ftp_servers 8001 192.168.4.18 8001 netmask 255.255.255.255
static (inside,outside) tcp demo_ftp_servers 8002 192.168.4.18 8002 netmask 255.255.255.255
static (inside,outside) tcp demo_ftp_servers 8003 192.168.4.18 8003 netmask 255.255.255.255
static (inside,outside) tcp demo_ftp_servers 9000 192.168.4.18 9000 netmask 255.255.255.255
static (inside,outside) tcp demo_ftp_servers 9001 192.168.4.18 9001 netmask 255.255.255.255
static (inside,outside) tcp demo_ftp_servers 3000 192.168.4.18 3000 netmask 255.255.255.255
static (inside,outside) tcp demo_ftp_servers 7021 192.168.4.18 7021 netmask 255.255.255.255
static (inside,outside) udp demo_ftp_servers 8875 192.168.4.18 8875 netmask 255.255.255.255
static (inside,outside) tcp demo_ftp_servers ftp 192.168.4.14 ftp netmask 255.255.255.255
static (inside,outside) tcp demo_ftp_servers ftp-data 192.168.4.14 ftp-data netmask 255.255.255.255
static (inside,inside) tcp demo_ftp_servers 7000 192.168.4.18 7000 netmask 255.255.255.255
static (inside,inside) tcp demo_ftp_servers 8000 192.168.4.18 8000 netmask 255.255.255.255
static (inside,inside) tcp demo_ftp_servers 8001 192.168.4.18 8001 netmask 255.255.255.255
static (inside,inside) tcp demo_ftp_servers 8002 192.168.4.18 8002 netmask 255.255.255.255
static (inside,inside) tcp demo_ftp_servers 8003 192.168.4.18 8003 netmask 255.255.255.255
static (inside,inside) tcp demo_ftp_servers 9000 192.168.4.18 9000 netmask 255.255.255.255
static (inside,inside) tcp demo_ftp_servers 9001 192.168.4.18 9001 netmask 255.255.255.255
static (inside,inside) tcp demo_ftp_servers 3000 192.168.4.18 3000 netmask 255.255.255.255
static (inside,inside) tcp demo_ftp_servers 7021 192.168.4.18 7021 netmask 255.255.255.255
static (inside,inside) udp demo_ftp_servers 8875 192.168.4.18 8875 netmask 255.255.255.255
static (inside,inside) tcp demo_ftp_servers ftp 192.168.4.14 ftp netmask 255.255.255.255
static (inside,inside) tcp demo_ftp_servers ftp-data 192.168.4.14 ftp-data netmask 255.255.255.255
The best you can do is dedicate a public IP address to a private IP address instead of breaking out ports, but really, to be honest, there is no functional problem with the statics you have, and they give you the flexibility to use a single public IP address to forward ports to different inside hosts.
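The accepted solution on this thread is hidden, so here is an added example (not from the original thread, and not Cisco's tooling) that does the "cleanup" the asker is after outside the ASA: it parses the `object-group service` blocks posted above, expands them into the one-port-per-line `static` commands the post uses, and checks that no global address:port is claimed by two different inside hosts. The `ftp_services` group is referenced in the access-list but not shown on the page, so the sample assumes it holds `ftp` and `ftp-data`, matching the two statics to 192.168.4.14; the `SAMPLE_CONFIG` text, the `MAPPINGS` table, the `PORT_NAMES` map and the clashing line used to demonstrate `find_conflicts` are all constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample: the two object-groups from the post, plus an assumed
# ftp_services group (not shown on the page) holding the two FTP ports that
# the post's statics forward to 192.168.4.14.
SAMPLE_CONFIG = """\
object-group service demo_tcp_services tcp
 port-object eq 3000
 port-object eq 7000
 port-object eq 7021
 port-object range 8000 8003
 port-object range 9000 9001
object-group service demo_udp_services udp
 port-object eq 8875
object-group service ftp_services tcp
 port-object eq ftp
 port-object eq ftp-data
"""

# Which group is forwarded to which inside host (constructed from the post's statics).
MAPPINGS = [
    ("demo_tcp_services", "192.168.4.18"),
    ("demo_udp_services", "192.168.4.18"),
    ("ftp_services", "192.168.4.14"),
]

# Only the service names the page uses (IANA well-known ports); anything else must be numeric.
PORT_NAMES = {"ftp": 21, "ftp-data": 20}

GROUP_RE = re.compile(r"object-group service (\S+) (tcp|udp)$")
EQ_RE = re.compile(r"port-object eq (\S+)$")
RANGE_RE = re.compile(r"port-object range (\S+) (\S+)$")
STATIC_RE = re.compile(
    r"static \(([^,)]+),([^)]+)\) (tcp|udp) (\S+) (\S+) (\S+) (\S+) netmask (\S+)$"
)


def port_number(token):
    """Resolve a port token ('ftp', '8000') to an integer; unknown names raise ValueError."""
    if token in PORT_NAMES:
        return PORT_NAMES[token]
    return int(token)


def parse_service_groups(config_text):
    """Return {group_name: (protocol, [port, ...])} from object-group service blocks.

    Works whether or not the port-object lines are indented (the page's copy lost
    its indentation); any other kind of line ends the current block.
    """
    groups = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = GROUP_RE.match(line)
        if m:
            current = m.group(1)
            groups[current] = (m.group(2), [])
            continue
        m = EQ_RE.match(line)
        if m and current:
            groups[current][1].append(port_number(m.group(1)))
            continue
        m = RANGE_RE.match(line)
        if m and current:
            lo, hi = port_number(m.group(1)), port_number(m.group(2))
            groups[current][1].extend(range(lo, hi + 1))
            continue
        current = None
    return groups


def expand_statics(groups, mappings, global_host, real_iface="inside", mapped_iface="outside"):
    """Emit one `static` line per port, in the form the post uses (ports emitted numerically)."""
    lines = []
    for group_name, inside_ip in mappings:
        proto, ports = groups[group_name]
        for port in ports:
            lines.append(
                f"static ({real_iface},{mapped_iface}) {proto} {global_host} {port} "
                f"{inside_ip} {port} netmask 255.255.255.255"
            )
    return lines


def find_conflicts(static_lines):
    """Return {(real_if, mapped_if, proto, global_host, global_port): {(inside_ip, port), ...}}
    for every global address:port that two or more statics send to different inside targets."""
    seen = defaultdict(set)
    for line in static_lines:
        m = STATIC_RE.match(line.strip())
        if not m:
            continue
        real_if, mapped_if, proto, ghost, gport, lip, lport, _mask = m.groups()
        key = (real_if, mapped_if, proto, ghost, port_number(gport))
        seen[key].add((lip, port_number(lport)))
    return {key: targets for key, targets in seen.items() if len(targets) > 1}


if __name__ == "__main__":
    groups = parse_service_groups(SAMPLE_CONFIG)
    statics = expand_statics(groups, MAPPINGS, "demo_ftp_servers")
    # The post's (inside,inside) copies come from the same table with a different mapped interface.
    statics += expand_statics(groups, MAPPINGS, "demo_ftp_servers", mapped_iface="inside")
    print("\n".join(statics))
    print("conflicts:", find_conflicts(statics) or "none")
```

Run as-is it regenerates the 12 `(inside,outside)` and 12 `(inside,inside)` statics from the three-row `MAPPINGS` table, which is the real source of truth; when a port is added to an object-group, the access-list and the statics are regenerated together instead of being edited by hand, and `find_conflicts` catches the case where the same public port is accidentally pointed at two inside hosts before the change is pasted into the ASA.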
ASKER
I am using a single public IP and have different ports forwarding to different inside hosts. It works great; however, I just wish I could clean up all those statics into one or two rules. I thought I could do it with an access-list but I can't seem to get it to work without an overlapping error. Is it not possible?
Thanks again for your help.
ASKER CERTIFIED SOLUTION
This solution is only available to members.
ASKER
Another comment...
I tried this command:
static (inside,outside) demo_ftp_servers access-list demos_ftp_outside_access_in
but it gave this error:
global address overlaps with mask
Any ideas?
ASKER
Thanks JFrederick29. I appreciate your input.
Thanks and you are welcome. Less complexity is better than a few extra lines in the config (trust me).