• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 637
  • Last Modified:

Cleaning up Port Forwarding Rules

I have a Cisco 5525-X firewall and I setup a number of port forwarding rules for an ISPConfig server.

What is the best practice when it comes to forwarding a number of random ports on a Cisco firewall? Is there a clean way to do it?

Here is my port forwarding configuration currently:
object network objISPConfig110
 host 172.23.25.15
object network objISPConfig143
 host 172.23.25.15
object network objISPConfig443
 host 172.23.25.15
object network objISPConfig587
 host 172.23.25.15
object network objISPConfig993
 host 172.23.25.15
object network objISPConfig995
 host 172.23.25.15
object network objISPConfig2525
 host 172.23.25.15
object network objISPConfig8080
 host 172.23.25.15
object network objISPConfig22
 host 172.23.25.15
object network objISPConfig53
 host 172.23.25.15
object network objISPConfig465
 host 172.23.25.15
object network objISPConfig20
 host 172.23.25.15
object network objISPConfig21
 host 172.23.25.15
object network objISPConfig25
 host 172.23.25.15
object network objISPConfig80
 host 172.23.25.15

access-list outside_access_in extended permit tcp any object objISPConfig20 eq ftp-data
access-list outside_access_in extended permit tcp any object objISPConfig21 eq ftp
access-list outside_access_in extended permit tcp any object objISPConfig25 eq smtp
access-list outside_access_in extended permit tcp any object objISPConfig80 eq www
access-list outside_access_in extended permit tcp any object objISPConfig110 eq pop3
access-list outside_access_in extended permit tcp any object objISPConfig143 eq imap4
access-list outside_access_in extended permit tcp any object objISPConfig587 eq 587
access-list outside_access_in extended permit tcp any object objISPConfig993 eq 993
access-list outside_access_in extended permit tcp any object objISPConfig995 eq 995
access-list outside_access_in extended permit tcp any object objISPConfig2525 eq 2525
access-list outside_access_in extended permit tcp any object objISPConfig8080 eq 8080
access-list outside_access_in extended permit tcp any object objISPConfig22 eq ssh
access-list outside_access_in extended permit tcp any object objISPConfig53 eq domain
access-list outside_access_in extended permit tcp any object objISPConfig465 eq 465
access-list outside_access_in extended permit tcp any object objISPConfig443 eq https
access-list outside_access_in extended permit tcp any object objISPConfig25 eq smtp
access-list outside_access_in extended permit tcp any object objISPConfig80 eq www
access-list outside_access_in extended permit tcp any object objISPConfig20 eq ftp-data
access-list outside_access_in extended permit tcp any object objISPConfig21 eq ftp

object network objISPConfig110
 nat (Internal,External) static 1.1.1.13 service tcp pop3 pop3
object network objISPConfig143
 nat (Internal,External) static 1.1.1.13 service tcp imap4 imap4
object network objISPConfig443
 nat (Internal,External) static 1.1.1.13 service tcp https https
object network objISPConfig587
 nat (Internal,External) static 1.1.1.13 service tcp 587 587
object network objISPConfig993
 nat (Internal,External) static 1.1.1.13 service tcp 993 993
object network objISPConfig995
 nat (Internal,External) static 1.1.1.13 service tcp 995 995
object network objISPConfig2525
 nat (Internal,External) static 1.1.1.13 service tcp 2525 2525
object network objISPConfig8080
 nat (Internal,External) static 1.1.1.13 service tcp 8080 8080
object network objISPConfig22
 nat (Internal,External) static 1.1.1.13 service tcp ssh ssh
object network objISPConfig53
 nat (Internal,External) static 1.1.1.13 service tcp domain domain
object network objISPConfig465
 nat (Internal,External) static 1.1.1.13 service tcp 465 465
object network objISPConfig20
 nat (Internal,External) static 1.1.1.13 service tcp ftp-data ftp-data
object network objISPConfig21
 nat (Internal,External) static 1.1.1.13 service tcp ftp ftp
object network objISPConfig25
 nat (Internal,External) static 1.1.1.13 service tcp smtp smtp
object network objISPConfig80
 nat (Internal,External) static 1.1.1.13 service tcp www www
0
Adeste
Asked:
Adeste
1 Solution
 
rauenpcCommented:
I don't know of a way to make it any cleaner, outside of the ACL itself. You could make an object-group for all the services, and then have a single ACL line to look at. Overall the config will be the same number of lines, but the ACL you look at will be far shorter.

The alternate would be to give the server a 1-to-1 NAT, and use the ACL to control port access instead of a combination of acl and nat. This would require that you have a single public IP that you can dedicate to this machine.

object network objISPConfig
 host 172.23.25.15

object-group service objISPConfig-EXTSERVICES
service-object tcp destination eq ftp
service-object tcp destination eq ftp-data
service-object tcp destination eq smtp
service-object tcp destination eq www
service-object tcp destination eq pop3
service-object tcp destination eq imap4
service-object tcp destination eq 587
service-object tcp destination eq 993
service-object tcp destination eq 995
service-object tcp destination eq 2525
service-object tcp destination eq 8080
service-object tcp destination eq ssh
service-object tcp destination eq domain
service-object tcp destination eq 465
service-object tcp destination eq https

access-list outside_access_in extended permit object-group objISPConfig-EXTSERVICES any object objISPConfig
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Become a Leader in Data Analytics

Gain the power to turn raw data into better business decisions and outcomes in your industry. Transform your career future by earning your MS in Data Analytics. WGU’s MSDA program curriculum features IT certifications from Oracle and SAS.  

Tackle projects and never again get stuck behind a technical roadblock.
Join Now