Object Groups and NAT in the PIX/ASA

I want to use a network object group for access lists on my ASA 5510.

If I did:

(config)#object-group network ftp_servers

(config-network)#network-object host 10.1.1.14
(config-network)#network-object host myFTPserver

should the network object be a PUBLIC/EXTERNAL address? Because if the access list normally references the external address, using the object group within the list would require this yes?


AsenathWaiteAsked:
Who is Participating?
 
jfer0x01Commented:
yes

apply the acl to the group name

that way, you manage efficiently access changes to the ftp group

Jfer
0
 
jfer0x01Commented:
no,

according to the example you possibly followed on

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800d641d.shtml

it mentions

config-network)#network-object 10.1.1.32 255.255.255.224  // " -Which is a private internal address"
(config-network)#exit

(config)#access-list 101 permit ip any object-group ftp_servers

If this list consists only of FTP servers, this specific example applies.

(config)#access-list 101 permit tcp any object-group ftp_servers eq ftp - using the ACL entry, you can allow user from the external net inside you internal net

Jfer
0
 
AsenathWaiteAuthor Commented:
Yes, but if that FTP server is also statically natted

static (inside,outside) tcp 65.200.200.1 21 10.1.1.32 21 netmask 255.255.255.255

the external hosts would connect to this machine at its public address.

So how can the object group reference work if it is comprised of internal addresses?
0
Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

 
jfer0x01Commented:
Hi,

sure, port fowarding

http://www.experts-exchange.com/Security/Software_Firewalls/Enterprise_Firewalls/Cisco_PIX_Firewall/Q_22565747.html

how many ftp servers are you going to run in your lan?

Jfer
0
 
AsenathWaiteAuthor Commented:
port forwarding isn't the issue. The issue is between NAT and the object group.

In other words, the FTP servers that are listed in the object group--should the ip address in the group be public or private?
0
 
jfer0x01Commented:
ah,

i understand what you are trying to do now

please read the last part of p.152

http://books.google.com/books?id=8V344jtobEEC&pg=PA146&lpg=PA146&dq=ftp+object+group&source=bl&ots=h6M_kIbsaX&sig=A9zmvr1CEo-Relol8yHpKZq0DH4&hl=en&ei=RbhTSo6VAomoNtqx_eQI&sa=X&oi=book_result&ct=result&resnum=10 

p.152 last entries

1. make a group called ftp servers, as you did
2. specify the hosts of the group, which you started
3. make an ACL entry for the group,to permit or deny the traffic desired

this is all you can do with this

you have to port forward, like you pasted in the example

static (inside,outside) tcp 65.200.200.1 21 10.1.1.32 21 netmask 255.255.255.255

for all ftp servers, you cannot just bunch them up in a group, and expect this to be accomplished, by making one route to a group-name, although, that would be ingenious

The FTP servers will need a both private and public ips mappings, since you are using NAT

so i cannot believe, appending a public ip to a group will solve anything, seeing as there are more than one ip address that needs mapping

the grouping you are using, is for ACL rules, not the actual individual mappings, which you require

are you trying to accomplish Load Balancing by any chance?

Jfer
0
 
AsenathWaiteAuthor Commented:
so let's say I have three FTP servers (192.168.0.2-4)

I create three static nat statements

nat (inside,outside) tcp 65.200.200.1 21 192.168.0.2 21 netmask 255.255.255.255
nat (inside,outside) tcp 65.200.200.2 21 192.168.0.3 21 netmask 255.255.255.255
nat (inside,outside) tcp 65.200.200.3 21 192.168.0.4 21 netmask 255.255.255.255

then I creat the object group

(config)#object-group network ftp_servers
(config-network)#network-object host 65.200.200.2
(config-network)#network-object host 65.200.200.3
(config-network)#network-object host 65.200.200.4


and then apply the ACL using the above list? Or should that list contain the private addresses?
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.