Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Object Groups and NAT in the PIX/ASA

Posted on 2009-07-07
7
Medium Priority
?
399 Views
Last Modified: 2012-08-13
I want to use a network object group for access lists on my ASA 5510.

If I did:

(config)#object-group network ftp_servers

(config-network)#network-object host 10.1.1.14
(config-network)#network-object host myFTPserver

should the network object be a PUBLIC/EXTERNAL address? Because if the access list normally references the external address, using the object group within the list would require this yes?


0
Comment
Question by:AsenathWaite
  • 4
  • 3
7 Comments
 
LVL 9

Expert Comment

by:jfer0x01
ID: 24795093
no,

according to the example you possibly followed on

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800d641d.shtml

it mentions

config-network)#network-object 10.1.1.32 255.255.255.224  // " -Which is a private internal address"
(config-network)#exit

(config)#access-list 101 permit ip any object-group ftp_servers

If this list consists only of FTP servers, this specific example applies.

(config)#access-list 101 permit tcp any object-group ftp_servers eq ftp - using the ACL entry, you can allow user from the external net inside you internal net

Jfer
0
 

Author Comment

by:AsenathWaite
ID: 24795153
Yes, but if that FTP server is also statically natted

static (inside,outside) tcp 65.200.200.1 21 10.1.1.32 21 netmask 255.255.255.255

the external hosts would connect to this machine at its public address.

So how can the object group reference work if it is comprised of internal addresses?
0
 
LVL 9

Expert Comment

by:jfer0x01
ID: 24796757
Hi,

sure, port fowarding

http://www.experts-exchange.com/Security/Software_Firewalls/Enterprise_Firewalls/Cisco_PIX_Firewall/Q_22565747.html

how many ftp servers are you going to run in your lan?

Jfer
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 

Author Comment

by:AsenathWaite
ID: 24797201
port forwarding isn't the issue. The issue is between NAT and the object group.

In other words, the FTP servers that are listed in the object group--should the ip address in the group be public or private?
0
 
LVL 9

Expert Comment

by:jfer0x01
ID: 24799260
ah,

i understand what you are trying to do now

please read the last part of p.152

http://books.google.com/books?id=8V344jtobEEC&pg=PA146&lpg=PA146&dq=ftp+object+group&source=bl&ots=h6M_kIbsaX&sig=A9zmvr1CEo-Relol8yHpKZq0DH4&hl=en&ei=RbhTSo6VAomoNtqx_eQI&sa=X&oi=book_result&ct=result&resnum=10 

p.152 last entries

1. make a group called ftp servers, as you did
2. specify the hosts of the group, which you started
3. make an ACL entry for the group,to permit or deny the traffic desired

this is all you can do with this

you have to port forward, like you pasted in the example

static (inside,outside) tcp 65.200.200.1 21 10.1.1.32 21 netmask 255.255.255.255

for all ftp servers, you cannot just bunch them up in a group, and expect this to be accomplished, by making one route to a group-name, although, that would be ingenious

The FTP servers will need a both private and public ips mappings, since you are using NAT

so i cannot believe, appending a public ip to a group will solve anything, seeing as there are more than one ip address that needs mapping

the grouping you are using, is for ACL rules, not the actual individual mappings, which you require

are you trying to accomplish Load Balancing by any chance?

Jfer
0
 

Author Comment

by:AsenathWaite
ID: 24808370
so let's say I have three FTP servers (192.168.0.2-4)

I create three static nat statements

nat (inside,outside) tcp 65.200.200.1 21 192.168.0.2 21 netmask 255.255.255.255
nat (inside,outside) tcp 65.200.200.2 21 192.168.0.3 21 netmask 255.255.255.255
nat (inside,outside) tcp 65.200.200.3 21 192.168.0.4 21 netmask 255.255.255.255

then I creat the object group

(config)#object-group network ftp_servers
(config-network)#network-object host 65.200.200.2
(config-network)#network-object host 65.200.200.3
(config-network)#network-object host 65.200.200.4


and then apply the ACL using the above list? Or should that list contain the private addresses?
0
 
LVL 9

Accepted Solution

by:
jfer0x01 earned 200 total points
ID: 24808967
yes

apply the acl to the group name

that way, you manage efficiently access changes to the ftp group

Jfer
0

Featured Post

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

There are two basic ways to configure a static route for Cisco IOS devices. I've written this article to highlight a case study comparing the configuration of a static route using the next-hop IP and the configuration of a static route using an outg…
I recently attended Cisco Live! in Las Vegas, a conference that boasted over 28,000 techies in attendance, and a week of hands-on learning hosted by a solid partner with which Concerto goes to market.  Every year, Cisco displays cutting-edge technol…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question