Solved

Object NAT with multiple ports needed?

Posted on 2014-02-20
9
435 Views
Last Modified: 2014-02-21
I have a question about Cisco Object NAT on iOS 8.3+ as it relates to machines needing more than one port PAT'd from outside to inside.  Example being an Exchange box, which needs both 25 and 443.  Object NAT only allows you to PAT one port per object.  My workaround for this is to just create multiple objects... "Exchange-smtp" and "Exchange-https" and then setup the PAT rules on each object for the respective ports, but this seems clunky. Is there a better/best practice way to set this up so that I don't need multiple objects per internal server?
0
Question by:valheru_m
9 Comments
 
LVL 28

Accepted Solution

by:
mikebernhardt earned 500 total points
ID: 39874216
If you have multiple public IP addresses available, you can set up static NAT and all ports on a particular public IP will be translated to the Exchange server. If not, the way you described is the only option.
0
 
LVL 6

Expert Comment

by:insidetech
ID: 39874264
You are doing it exactly as it is designed. This offers controls on what is allowed to enter your server.
"open" public IP to the server w/o any port filtering is never a good idea.
0
 
LVL 5

Author Comment

by:valheru_m
ID: 39874287
Insidetech -

I'm not looking to fully open a public IP to an inside server, of course I agree...bad idea. I was more looking for a "cleaner" way to NAT multiple necessary ports to an inside box without having to create a separate object per port. If I want a box to have ports 25, 443, 587, and 993 open, it seems very messy to have 4 objects for the same server, and I would rather find some way to say "Object X NATs these 4 ports" instead of having to create "Object X, 25", "Object X, 443", "Object X, 587", and "Object X, 993".
0
 
LVL 6

Expert Comment

by:insidetech
ID: 39874323
I understand, my comment was in reference to other suggestion.
Yes, you can create a custom service group and have all of your ports in one.
0
 
LVL 6

Expert Comment

by:insidetech
ID: 39874352
And, you can also delimitate the ports with a comma.
In your access rules double click on your service and add ports manually separated by commas.
0
 
LVL 5

Author Comment

by:valheru_m
ID: 39874357
Insidetech,

That works for access rules, but doesn't seem to work for NAT.  I created a custom service group with the ports I wanted, but in the NAT config for the object that group is not an option to select.  It wants a single TCP/UDP port and seems like nothing else.
0
 
LVL 6

Expert Comment

by:insidetech
ID: 39874365
Grrrrr.... forget what I said.
In NAT you can do only 1:1 port mapping. I had a senior moment thinking about Access rules.
0
 
LVL 6

Expert Comment

by:insidetech
ID: 39874400
For what it is worth....
If you ever want to upgrade to a much better and smarter FW, get Palo Alto Networks box and you will be able to map port ranges in a single NAT policy.
0
 
LVL 28

Assisted Solution

by:mikebernhardt
mikebernhardt earned 500 total points
ID: 39874549
Again, you can set up a static NAT if you have the IP available. This doesn't mean that you just let everyone through, but that's a security issue, not a NAT issue. The 2 should not be considered interchangeable. You need to have firewall rules or access lists to limit what ports are actually available.
0
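An added example, not posted by anyone in this thread, showing both approaches side by side in ASA 8.3+ CLI: the per-port object NAT workaround the asker described, and the static one-to-one NAT with the port restriction moved into the interface ACL that mikebernhardt recommended. The interface names (inside/outside), the addresses (10.1.1.10, 203.0.113.10/11) and the object and ACL names are constructed for the example.

```cisco
! --- Option A (the asker's workaround): one network object per published port ---
! Object NAT accepts exactly one port in its "service" clause, so each port
! needs its own object even though all of them point at the same inside host.
object network Exchange-smtp
 host 10.1.1.10
 nat (inside,outside) static 203.0.113.10 service tcp 25 25
object network Exchange-https
 host 10.1.1.10
 nat (inside,outside) static 203.0.113.10 service tcp 443 443
object network Exchange-submission
 host 10.1.1.10
 nat (inside,outside) static 203.0.113.10 service tcp 587 587
object network Exchange-imaps
 host 10.1.1.10
 nat (inside,outside) static 203.0.113.10 service tcp 993 993
!
! --- Option B (mikebernhardt's answer): static one-to-one NAT on a spare public IP ---
! The NAT rule now translates every port; the exposure is limited by the ACL,
! not by the NAT statement, which is the "security issue vs NAT issue" split above.
object network Exchange-srv
 host 10.1.1.10
 nat (inside,outside) static 203.0.113.11
!
! One service group holds all four ports, which is what the asker wanted
! (this works for the access rule, not for the NAT rule, as the thread found).
object-group service Exchange-ports tcp
 port-object eq 25
 port-object eq 443
 port-object eq 587
 port-object eq 993
!
! On 8.3+ the inbound ACL matches the real (inside) address, not the mapped one.
access-list OUTSIDE_IN extended permit tcp any object Exchange-srv object-group Exchange-ports
access-group OUTSIDE_IN in interface outside
```

If an inbound ACL is already bound to the outside interface, add the permit line to that ACL instead of binding a new one, because `access-group` replaces the existing binding for that direction. Without the ACL, Option B publishes every port on 10.1.1.10, which is the "open public IP" case insidetech cautioned against.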
