Solved

Object Groups and NAT in the PIX/ASA

Posted on 2009-07-07
7
390 Views
Last Modified: 2012-08-13
I want to use a network object group for access lists on my ASA 5510.

If I did:

(config)#object-group network ftp_servers

(config-network)#network-object host 10.1.1.14
(config-network)#network-object host myFTPserver

should the network object be a PUBLIC/EXTERNAL address? Because if the access list normally references the external address, using the object group within the list would require this yes?


0
Comment
Question by:AsenathWaite
  • 4
  • 3
7 Comments
 
LVL 9

Expert Comment

by:jfer0x01
ID: 24795093
no,

according to the example you possibly followed on

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800d641d.shtml

it mentions

config-network)#network-object 10.1.1.32 255.255.255.224  // " -Which is a private internal address"
(config-network)#exit

(config)#access-list 101 permit ip any object-group ftp_servers

If this list consists only of FTP servers, this specific example applies.

(config)#access-list 101 permit tcp any object-group ftp_servers eq ftp - using the ACL entry, you can allow user from the external net inside you internal net

Jfer
0
 

Author Comment

by:AsenathWaite
ID: 24795153
Yes, but if that FTP server is also statically natted

static (inside,outside) tcp 65.200.200.1 21 10.1.1.32 21 netmask 255.255.255.255

the external hosts would connect to this machine at its public address.

So how can the object group reference work if it is comprised of internal addresses?
0
 
LVL 9

Expert Comment

by:jfer0x01
ID: 24796757
Hi,

sure, port fowarding

http://www.experts-exchange.com/Security/Software_Firewalls/Enterprise_Firewalls/Cisco_PIX_Firewall/Q_22565747.html

how many ftp servers are you going to run in your lan?

Jfer
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 

Author Comment

by:AsenathWaite
ID: 24797201
port forwarding isn't the issue. The issue is between NAT and the object group.

In other words, the FTP servers that are listed in the object group--should the ip address in the group be public or private?
0
 
LVL 9

Expert Comment

by:jfer0x01
ID: 24799260
ah,

i understand what you are trying to do now

please read the last part of p.152

http://books.google.com/books?id=8V344jtobEEC&pg=PA146&lpg=PA146&dq=ftp+object+group&source=bl&ots=h6M_kIbsaX&sig=A9zmvr1CEo-Relol8yHpKZq0DH4&hl=en&ei=RbhTSo6VAomoNtqx_eQI&sa=X&oi=book_result&ct=result&resnum=10 

p.152 last entries

1. make a group called ftp servers, as you did
2. specify the hosts of the group, which you started
3. make an ACL entry for the group,to permit or deny the traffic desired

this is all you can do with this

you have to port forward, like you pasted in the example

static (inside,outside) tcp 65.200.200.1 21 10.1.1.32 21 netmask 255.255.255.255

for all ftp servers, you cannot just bunch them up in a group, and expect this to be accomplished, by making one route to a group-name, although, that would be ingenious

The FTP servers will need a both private and public ips mappings, since you are using NAT

so i cannot believe, appending a public ip to a group will solve anything, seeing as there are more than one ip address that needs mapping

the grouping you are using, is for ACL rules, not the actual individual mappings, which you require

are you trying to accomplish Load Balancing by any chance?

Jfer
0
 

Author Comment

by:AsenathWaite
ID: 24808370
so let's say I have three FTP servers (192.168.0.2-4)

I create three static nat statements

nat (inside,outside) tcp 65.200.200.1 21 192.168.0.2 21 netmask 255.255.255.255
nat (inside,outside) tcp 65.200.200.2 21 192.168.0.3 21 netmask 255.255.255.255
nat (inside,outside) tcp 65.200.200.3 21 192.168.0.4 21 netmask 255.255.255.255

then I creat the object group

(config)#object-group network ftp_servers
(config-network)#network-object host 65.200.200.2
(config-network)#network-object host 65.200.200.3
(config-network)#network-object host 65.200.200.4


and then apply the ACL using the above list? Or should that list contain the private addresses?
0
 
LVL 9

Accepted Solution

by:
jfer0x01 earned 50 total points
ID: 24808967
yes

apply the acl to the group name

that way, you manage efficiently access changes to the ftp group

Jfer
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

It happens many times that access list (ACL) have to be applied to outgoing router interface in order to limit some traffic.This article is about how to test ACL from the router which is not very intuitive for everyone. Below scenario shows simple s…
I recently attended Cisco Live! in Las Vegas, a conference that boasted over 28,000 techies in attendance, and a week of hands-on learning hosted by a solid partner with which Concerto goes to market.  Every year, Cisco displays cutting-edge technol…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

867 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now