Solved

Cleaning up Port Forwarding Rules

Posted on 2014-02-25
1
626 Views
Last Modified: 2014-02-26
I have a Cisco 5525-X firewall and I setup a number of port forwarding rules for an ISPConfig server.

What is the best practice when it comes to forwarding a number of random ports on a Cisco firewall? Is there a clean way to do it?

Here is my port forwarding configuration currently:
object network objISPConfig110
 host 172.23.25.15
object network objISPConfig143
 host 172.23.25.15
object network objISPConfig443
 host 172.23.25.15
object network objISPConfig587
 host 172.23.25.15
object network objISPConfig993
 host 172.23.25.15
object network objISPConfig995
 host 172.23.25.15
object network objISPConfig2525
 host 172.23.25.15
object network objISPConfig8080
 host 172.23.25.15
object network objISPConfig22
 host 172.23.25.15
object network objISPConfig53
 host 172.23.25.15
object network objISPConfig465
 host 172.23.25.15
object network objISPConfig20
 host 172.23.25.15
object network objISPConfig21
 host 172.23.25.15
object network objISPConfig25
 host 172.23.25.15
object network objISPConfig80
 host 172.23.25.15

access-list outside_access_in extended permit tcp any object objISPConfig20 eq ftp-data
access-list outside_access_in extended permit tcp any object objISPConfig21 eq ftp
access-list outside_access_in extended permit tcp any object objISPConfig25 eq smtp
access-list outside_access_in extended permit tcp any object objISPConfig80 eq www
access-list outside_access_in extended permit tcp any object objISPConfig110 eq pop3
access-list outside_access_in extended permit tcp any object objISPConfig143 eq imap4
access-list outside_access_in extended permit tcp any object objISPConfig587 eq 587
access-list outside_access_in extended permit tcp any object objISPConfig993 eq 993
access-list outside_access_in extended permit tcp any object objISPConfig995 eq 995
access-list outside_access_in extended permit tcp any object objISPConfig2525 eq 2525
access-list outside_access_in extended permit tcp any object objISPConfig8080 eq 8080
access-list outside_access_in extended permit tcp any object objISPConfig22 eq ssh
access-list outside_access_in extended permit tcp any object objISPConfig53 eq domain
access-list outside_access_in extended permit tcp any object objISPConfig465 eq 465
access-list outside_access_in extended permit tcp any object objISPConfig443 eq https
access-list outside_access_in extended permit tcp any object objISPConfig25 eq smtp
access-list outside_access_in extended permit tcp any object objISPConfig80 eq www
access-list outside_access_in extended permit tcp any object objISPConfig20 eq ftp-data
access-list outside_access_in extended permit tcp any object objISPConfig21 eq ftp

object network objISPConfig110
 nat (Internal,External) static 1.1.1.13 service tcp pop3 pop3
object network objISPConfig143
 nat (Internal,External) static 1.1.1.13 service tcp imap4 imap4
object network objISPConfig443
 nat (Internal,External) static 1.1.1.13 service tcp https https
object network objISPConfig587
 nat (Internal,External) static 1.1.1.13 service tcp 587 587
object network objISPConfig993
 nat (Internal,External) static 1.1.1.13 service tcp 993 993
object network objISPConfig995
 nat (Internal,External) static 1.1.1.13 service tcp 995 995
object network objISPConfig2525
 nat (Internal,External) static 1.1.1.13 service tcp 2525 2525
object network objISPConfig8080
 nat (Internal,External) static 1.1.1.13 service tcp 8080 8080
object network objISPConfig22
 nat (Internal,External) static 1.1.1.13 service tcp ssh ssh
object network objISPConfig53
 nat (Internal,External) static 1.1.1.13 service tcp domain domain
object network objISPConfig465
 nat (Internal,External) static 1.1.1.13 service tcp 465 465
object network objISPConfig20
 nat (Internal,External) static 1.1.1.13 service tcp ftp-data ftp-data
object network objISPConfig21
 nat (Internal,External) static 1.1.1.13 service tcp ftp ftp
object network objISPConfig25
 nat (Internal,External) static 1.1.1.13 service tcp smtp smtp
object network objISPConfig80
 nat (Internal,External) static 1.1.1.13 service tcp www www
0
Comment
Question by:Adeste
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
1 Comment
 
LVL 20

Accepted Solution

by:
rauenpc earned 500 total points
ID: 39885757
I don't know of a way to make it any cleaner, outside of the ACL itself. You could make an object-group for all the services, and then have a single ACL line to look at. Overall the config will be the same number of lines, but the ACL you look at will be far shorter.

The alternate would be to give the server a 1-to-1 NAT, and use the ACL to control port access instead of a combination of acl and nat. This would require that you have a single public IP that you can dedicate to this machine.

object network objISPConfig
 host 172.23.25.15

object-group service objISPConfig-EXTSERVICES
service-object tcp destination eq ftp
service-object tcp destination eq ftp-data
service-object tcp destination eq smtp
service-object tcp destination eq www
service-object tcp destination eq pop3
service-object tcp destination eq imap4
service-object tcp destination eq 587
service-object tcp destination eq 993
service-object tcp destination eq 995
service-object tcp destination eq 2525
service-object tcp destination eq 8080
service-object tcp destination eq ssh
service-object tcp destination eq domain
service-object tcp destination eq 465
service-object tcp destination eq https

access-list outside_access_in extended permit object-group objISPConfig-EXTSERVICES any object objISPConfig
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Use of TCL script on Cisco devices:  - create file and merge it with running configuration to apply configuration changes
When speed and performance are vital to revenue, companies must have complete confidence in their cloud environment.
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…

728 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question