Solved

Object Groups and NAT in the PIX/ASA

Posted on 2009-07-07
7
395 Views
Last Modified: 2012-08-13
I want to use a network object group for access lists on my ASA 5510.

If I did:

(config)#object-group network ftp_servers

(config-network)#network-object host 10.1.1.14
(config-network)#network-object host myFTPserver

should the network object be a PUBLIC/EXTERNAL address? Because if the access list normally references the external address, using the object group within the list would require this yes?


0
Comment
Question by:AsenathWaite
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
7 Comments
 
LVL 9

Expert Comment

by:jfer0x01
ID: 24795093
no,

according to the example you possibly followed on

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800d641d.shtml

it mentions

config-network)#network-object 10.1.1.32 255.255.255.224  // " -Which is a private internal address"
(config-network)#exit

(config)#access-list 101 permit ip any object-group ftp_servers

If this list consists only of FTP servers, this specific example applies.

(config)#access-list 101 permit tcp any object-group ftp_servers eq ftp - using the ACL entry, you can allow user from the external net inside you internal net

Jfer
0
 

Author Comment

by:AsenathWaite
ID: 24795153
Yes, but if that FTP server is also statically natted

static (inside,outside) tcp 65.200.200.1 21 10.1.1.32 21 netmask 255.255.255.255

the external hosts would connect to this machine at its public address.

So how can the object group reference work if it is comprised of internal addresses?
0
 
LVL 9

Expert Comment

by:jfer0x01
ID: 24796757
Hi,

sure, port fowarding

http://www.experts-exchange.com/Security/Software_Firewalls/Enterprise_Firewalls/Cisco_PIX_Firewall/Q_22565747.html

how many ftp servers are you going to run in your lan?

Jfer
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 

Author Comment

by:AsenathWaite
ID: 24797201
port forwarding isn't the issue. The issue is between NAT and the object group.

In other words, the FTP servers that are listed in the object group--should the ip address in the group be public or private?
0
 
LVL 9

Expert Comment

by:jfer0x01
ID: 24799260
ah,

i understand what you are trying to do now

please read the last part of p.152

http://books.google.com/books?id=8V344jtobEEC&pg=PA146&lpg=PA146&dq=ftp+object+group&source=bl&ots=h6M_kIbsaX&sig=A9zmvr1CEo-Relol8yHpKZq0DH4&hl=en&ei=RbhTSo6VAomoNtqx_eQI&sa=X&oi=book_result&ct=result&resnum=10 

p.152 last entries

1. make a group called ftp servers, as you did
2. specify the hosts of the group, which you started
3. make an ACL entry for the group,to permit or deny the traffic desired

this is all you can do with this

you have to port forward, like you pasted in the example

static (inside,outside) tcp 65.200.200.1 21 10.1.1.32 21 netmask 255.255.255.255

for all ftp servers, you cannot just bunch them up in a group, and expect this to be accomplished, by making one route to a group-name, although, that would be ingenious

The FTP servers will need a both private and public ips mappings, since you are using NAT

so i cannot believe, appending a public ip to a group will solve anything, seeing as there are more than one ip address that needs mapping

the grouping you are using, is for ACL rules, not the actual individual mappings, which you require

are you trying to accomplish Load Balancing by any chance?

Jfer
0
 

Author Comment

by:AsenathWaite
ID: 24808370
so let's say I have three FTP servers (192.168.0.2-4)

I create three static nat statements

nat (inside,outside) tcp 65.200.200.1 21 192.168.0.2 21 netmask 255.255.255.255
nat (inside,outside) tcp 65.200.200.2 21 192.168.0.3 21 netmask 255.255.255.255
nat (inside,outside) tcp 65.200.200.3 21 192.168.0.4 21 netmask 255.255.255.255

then I creat the object group

(config)#object-group network ftp_servers
(config-network)#network-object host 65.200.200.2
(config-network)#network-object host 65.200.200.3
(config-network)#network-object host 65.200.200.4


and then apply the ACL using the above list? Or should that list contain the private addresses?
0
 
LVL 9

Accepted Solution

by:
jfer0x01 earned 50 total points
ID: 24808967
yes

apply the acl to the group name

that way, you manage efficiently access changes to the ftp group

Jfer
0

Featured Post

How Do You Stack Up Against Your Peers?

With today’s modern enterprise so dependent on digital infrastructures, the impact of major incidents has increased dramatically. Grab the report now to gain insight into how your organization ranks against your peers and learn best-in-class strategies to resolve incidents.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

It happens many times that access list (ACL) have to be applied to outgoing router interface in order to limit some traffic.This article is about how to test ACL from the router which is not very intuitive for everyone. Below scenario shows simple s…
Hello , This is a short article on how would you go about enabling traceoptions on a Juniper router . Traceoptions are similar to Cisco debug commands but these traceoptions are implemented in Juniper networks router . The following demonstr…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

738 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question