AsenathWaite
asked on
Object Groups and NAT in the PIX/ASA
I want to use a network object group for access lists on my ASA 5510.
If I did:
(config)#object-group network ftp_servers
(config-network)#network-object host 10.1.1.14
(config-network)#network-object host myFTPserver
should the network object be a PUBLIC/EXTERNAL address? Because if the access list normally references the external address, using the object group within the list would require this yes?
ASKER
Yes, but if that FTP server is also statically natted
static (inside,outside) tcp 65.200.200.1 21 10.1.1.32 21 netmask 255.255.255.255
the external hosts would connect to this machine at its public address.
So how can the object group reference work if it is comprised of internal addresses?
Hi,
sure, port forwarding
https://www.experts-exchange.com/questions/22565747/Port-forwarding-with-Cisco-ASA-5505-NAT-PAT.html
how many ftp servers are you going to run in your lan?
Jfer
ASKER
port forwarding isn't the issue. The issue is between NAT and the object group.
In other words, the FTP servers that are listed in the object group--should the ip address in the group be public or private?
ah,
I understand what you are trying to do now
please read the last part of p.152
http://books.google.com/books?id=8V344jtobEEC&pg=PA146&lpg=PA146&dq=ftp+object+group&source=bl&ots=h6M_kIbsaX&sig=A9zmvr1CEo-Relol8yHpKZq0DH4&hl=en&ei=RbhTSo6VAomoNtqx_eQI&sa=X&oi=book_result&ct=result&resnum=10
p.152 last entries
1. make a group called ftp servers, as you did
2. specify the hosts of the group, which you started
3. make an ACL entry for the group, to permit or deny the traffic desired
this is all you can do with this
you have to port forward, like you pasted in the example
static (inside,outside) tcp 65.200.200.1 21 10.1.1.32 21 netmask 255.255.255.255
for all ftp servers; you cannot just bunch them up in a group and expect this to be accomplished by making one route to a group-name, although that would be ingenious
The FTP servers will need both private and public IP mappings, since you are using NAT
so I cannot believe appending a public IP to a group will solve anything, seeing as there is more than one IP address that needs mapping
the grouping you are using is for ACL rules, not the actual individual mappings, which you require
are you trying to accomplish Load Balancing by any chance?
Jfer
ASKER
so let's say I have three FTP servers (192.168.0.2-4)
I create three static nat statements
nat (inside,outside) tcp 65.200.200.1 21 192.168.0.2 21 netmask 255.255.255.255
nat (inside,outside) tcp 65.200.200.2 21 192.168.0.3 21 netmask 255.255.255.255
nat (inside,outside) tcp 65.200.200.3 21 192.168.0.4 21 netmask 255.255.255.255
then I create the object group
(config)#object-group network ftp_servers
(config-network)#network-object host 65.200.200.2
(config-network)#network-object host 65.200.200.3
(config-network)#network-object host 65.200.200.4
and then apply the ACL using the above list? Or should that list contain the private addresses?
ASKER CERTIFIED SOLUTION
according to the example you possibly followed on
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800d641d.shtml
it mentions
(config-network)#network-ob
(config-network)#exit
(config)#access-list 101 permit ip any object-group ftp_servers
If this list consists only of FTP servers, this specific example applies.
(config)#access-list 101 permit tcp any object-group ftp_servers eq ftp - using the ACL entry, you can allow users from the external net into your internal net
Jfer