[Webinar] Streamline your web hosting managementRegister Today

x
?
Solved

Object Groups and NAT in the PIX/ASA

Posted on 2009-07-07
7
Medium Priority
?
400 Views
Last Modified: 2012-08-13
I want to use a network object group for access lists on my ASA 5510.

If I did:

(config)#object-group network ftp_servers

(config-network)#network-object host 10.1.1.14
(config-network)#network-object host myFTPserver

should the network object be a PUBLIC/EXTERNAL address? Because if the access list normally references the external address, using the object group within the list would require this yes?


0
Comment
Question by:AsenathWaite
  • 4
  • 3
7 Comments
 
LVL 9

Expert Comment

by:jfer0x01
ID: 24795093
no,

according to the example you possibly followed on

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800d641d.shtml

it mentions

config-network)#network-object 10.1.1.32 255.255.255.224  // " -Which is a private internal address"
(config-network)#exit

(config)#access-list 101 permit ip any object-group ftp_servers

If this list consists only of FTP servers, this specific example applies.

(config)#access-list 101 permit tcp any object-group ftp_servers eq ftp - using the ACL entry, you can allow user from the external net inside you internal net

Jfer
0
 

Author Comment

by:AsenathWaite
ID: 24795153
Yes, but if that FTP server is also statically natted

static (inside,outside) tcp 65.200.200.1 21 10.1.1.32 21 netmask 255.255.255.255

the external hosts would connect to this machine at its public address.

So how can the object group reference work if it is comprised of internal addresses?
0
 
LVL 9

Expert Comment

by:jfer0x01
ID: 24796757
Hi,

sure, port fowarding

http://www.experts-exchange.com/Security/Software_Firewalls/Enterprise_Firewalls/Cisco_PIX_Firewall/Q_22565747.html

how many ftp servers are you going to run in your lan?

Jfer
0
The new generation of project management tools

With monday.com’s project management tool, you can see what everyone on your team is working in a single glance. Its intuitive dashboards are customizable, so you can create systems that work for you.

 

Author Comment

by:AsenathWaite
ID: 24797201
port forwarding isn't the issue. The issue is between NAT and the object group.

In other words, the FTP servers that are listed in the object group--should the ip address in the group be public or private?
0
 
LVL 9

Expert Comment

by:jfer0x01
ID: 24799260
ah,

i understand what you are trying to do now

please read the last part of p.152

http://books.google.com/books?id=8V344jtobEEC&pg=PA146&lpg=PA146&dq=ftp+object+group&source=bl&ots=h6M_kIbsaX&sig=A9zmvr1CEo-Relol8yHpKZq0DH4&hl=en&ei=RbhTSo6VAomoNtqx_eQI&sa=X&oi=book_result&ct=result&resnum=10 

p.152 last entries

1. make a group called ftp servers, as you did
2. specify the hosts of the group, which you started
3. make an ACL entry for the group,to permit or deny the traffic desired

this is all you can do with this

you have to port forward, like you pasted in the example

static (inside,outside) tcp 65.200.200.1 21 10.1.1.32 21 netmask 255.255.255.255

for all ftp servers, you cannot just bunch them up in a group, and expect this to be accomplished, by making one route to a group-name, although, that would be ingenious

The FTP servers will need a both private and public ips mappings, since you are using NAT

so i cannot believe, appending a public ip to a group will solve anything, seeing as there are more than one ip address that needs mapping

the grouping you are using, is for ACL rules, not the actual individual mappings, which you require

are you trying to accomplish Load Balancing by any chance?

Jfer
0
 

Author Comment

by:AsenathWaite
ID: 24808370
so let's say I have three FTP servers (192.168.0.2-4)

I create three static nat statements

nat (inside,outside) tcp 65.200.200.1 21 192.168.0.2 21 netmask 255.255.255.255
nat (inside,outside) tcp 65.200.200.2 21 192.168.0.3 21 netmask 255.255.255.255
nat (inside,outside) tcp 65.200.200.3 21 192.168.0.4 21 netmask 255.255.255.255

then I creat the object group

(config)#object-group network ftp_servers
(config-network)#network-object host 65.200.200.2
(config-network)#network-object host 65.200.200.3
(config-network)#network-object host 65.200.200.4


and then apply the ACL using the above list? Or should that list contain the private addresses?
0
 
LVL 9

Accepted Solution

by:
jfer0x01 earned 200 total points
ID: 24808967
yes

apply the acl to the group name

that way, you manage efficiently access changes to the ftp group

Jfer
0

Featured Post

Never miss a deadline with monday.com

The revolutionary project management tool is here!   Plan visually with a single glance and make sure your projects get done.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Problem Description:   Couple of months ago we upgraded the ADSL line at our branch office from Home to Business line. The purpose of transforming the service to have static public IP’s. We were in need for public IP’s to publish our web resour…
Creating an OSPF network that automatically (dynamically) reroutes network traffic over other connections to prevent network downtime.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

591 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question