  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 447

Object NAT with multiple ports needed?

I have a question about Cisco Object NAT on iOS 8.3+ as it relates to machines needing more than one port PAT'd from outside to inside. Example being an Exchange box, which needs both 25 and 443. Object NAT only allows you to PAT one port per object. My workaround for this is to just create multiple objects... "Exchange-smtp" and "Exchange-https" and then set up the PAT rules on each object for the respective ports, but this seems clunky. Is there a better/best practice way to set this up so that I don't need multiple objects per internal server?
0
valheru_m
Asked:
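As an added illustration of the workaround described in the question (this is not configuration from the original post), here is what the per-port object NAT looks like on an ASA running 8.3 or later code, with the inbound access list that is still needed alongside it. The inside host 10.1.1.10, the object names, the interface names and the four-port set (25, 443, 587, 993) are assumptions:

```cisco
! Added example, not from the original post. Addresses and names are assumed.
! One network object per published port, all pointing at the same inside host.
object network Exchange-smtp
 host 10.1.1.10
 ! Map TCP/25 on the outside interface address to TCP/25 on the server
 nat (inside,outside) static interface service tcp 25 25
!
object network Exchange-https
 host 10.1.1.10
 nat (inside,outside) static interface service tcp 443 443
!
object network Exchange-submission
 host 10.1.1.10
 nat (inside,outside) static interface service tcp 587 587
!
object network Exchange-imaps
 host 10.1.1.10
 nat (inside,outside) static interface service tcp 993 993
!
! NAT only translates; the inbound ACL still decides what is admitted.
! On 8.3+ the ACL matches the real (untranslated) address, so it can
! reference the same objects.
access-list outside_access_in extended permit tcp any object Exchange-smtp eq 25
access-list outside_access_in extended permit tcp any object Exchange-https eq 443
access-list outside_access_in extended permit tcp any object Exchange-submission eq 587
access-list outside_access_in extended permit tcp any object Exchange-imaps eq 993
access-group outside_access_in in interface outside
!
! Checks: "show nat detail" lists the four translations, and
! "packet-tracer input outside tcp 198.51.100.5 40000 <outside-interface-ip> 443"
! walks a constructed probe through the NAT and ACL phases for one mapped port.
```

Each object carries exactly one `service tcp real mapped` clause, which is why one object per port is required; the ACL lines are the place where the exposed ports are actually enforced, so they should be reviewed together with the NAT lines whenever a port is added or retired.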
2 Solutions
 
mikebernhardt Commented:
If you have multiple public IP addresses available, you can set up static NAT and all ports on a particular public IP will be translated to the Exchange server. If not, the way you described is the only option.
0
 
insidetech Commented:
You are doing it exactly as it is designed. This offers controls on what is allowed to enter your server.
"open" public IP to the server w/o any port filtering is never a good idea.
0
 
valheru_m (Author) Commented:
Insidetech -

I'm not looking to fully open a public IP to an inside server, of course I agree...bad idea. I was more looking for a "cleaner" way to NAT multiple necessary ports to an inside box without having to create a separate object per port. If I want a box to have ports 25, 443, 587, and 993 open, it seems very messy to have 4 objects for the same server, and I would rather find some way to say "Object X NATs these 4 ports" instead of having to create "Object X, 25", "Object X, 443", "Object X, 587", and "Object X, 993".
0
 
insidetech Commented:
I understand, my comment was in reference to other suggestion.
Yes, you can create a custom service group and have all of your ports in one.
0
 
insidetech Commented:
And, you can also delimitate the ports with a comma.
In your access rules double-click on your service and add ports manually separated by commas.
0
 
valheru_m (Author) Commented:
Insidetech,

That works for access rules, but doesn't seem to work for NAT.  I created a custom service group with the ports I wanted, but in the NAT config for the object that group is not an option to select.  It wants a single TCP/UDP port and seems like nothing else.
0
 
insidetech Commented:
Grrrrr.... forget what I said.
In NAT you can do only 1:1 port mapping. I had a senior moment thinking about Access rules.
0
 
insidetech Commented:
For what it is worth....
If you ever want to upgrade to a much better and smarter FW, get Palo Alto Networks box and you will be able to map port ranges in a single NAT policy.
0
 
mikebernhardt Commented:
Again, you can set up a static NAT if you have the IP available. This doesn't mean that you just let everyone through, but that's a security issue, not a NAT issue. The 2 should not be considered interchangeable. You need to have firewall rules or access list to limit what ports are actually available.
0
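To show the alternative mikebernhardt describes, here is an added example (not configuration from anyone in the thread) of a one-to-one static NAT to a dedicated public address, paired with an inbound access list that restricts which ports are reachable. The inside host 10.1.1.10, the public address 203.0.113.10, the interface names and the port set from the question (25, 443, 587, 993) are assumptions:

```cisco
! Added example, not from the thread. Addresses and names are constructed.
! A single object: the whole public address maps to the server.
object network Exchange-Server
 host 10.1.1.10
 nat (inside,outside) static 203.0.113.10
!
! Static NAT exposes every port at the NAT layer, so filtering must be done
! explicitly. One service group carries the allowed port list.
object-group service Exchange-Ports tcp
 port-object eq 25
 port-object eq 443
 port-object eq 587
 port-object eq 993
!
! On 8.3+ the ACL is written against the real address (the object), not the
! mapped one. Anything not listed is dropped by the implicit deny.
access-list outside_access_in extended permit tcp any object Exchange-Server object-group Exchange-Ports
access-group outside_access_in in interface outside
!
! Verification with constructed probes: the first should pass both the NAT
! and ACL phases, the second should be dropped at the ACL phase.
! packet-tracer input outside tcp 198.51.100.5 40000 203.0.113.10 443
! packet-tracer input outside tcp 198.51.100.5 40000 203.0.113.10 3389
```

This trades one public address per server for a single object, a single NAT rule and a single ACL entry; adding or removing a published port then means editing the service group only, which is the separation between translation and filtering that the comment above describes.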