Solved

Cleaning up Port Forwarding Rules

Posted on 2014-02-25
1
619 Views
Last Modified: 2014-02-26
I have a Cisco 5525-X firewall and I setup a number of port forwarding rules for an ISPConfig server.

What is the best practice when it comes to forwarding a number of random ports on a Cisco firewall? Is there a clean way to do it?

Here is my port forwarding configuration currently:
object network objISPConfig110
 host 172.23.25.15
object network objISPConfig143
 host 172.23.25.15
object network objISPConfig443
 host 172.23.25.15
object network objISPConfig587
 host 172.23.25.15
object network objISPConfig993
 host 172.23.25.15
object network objISPConfig995
 host 172.23.25.15
object network objISPConfig2525
 host 172.23.25.15
object network objISPConfig8080
 host 172.23.25.15
object network objISPConfig22
 host 172.23.25.15
object network objISPConfig53
 host 172.23.25.15
object network objISPConfig465
 host 172.23.25.15
object network objISPConfig20
 host 172.23.25.15
object network objISPConfig21
 host 172.23.25.15
object network objISPConfig25
 host 172.23.25.15
object network objISPConfig80
 host 172.23.25.15

access-list outside_access_in extended permit tcp any object objISPConfig20 eq ftp-data
access-list outside_access_in extended permit tcp any object objISPConfig21 eq ftp
access-list outside_access_in extended permit tcp any object objISPConfig25 eq smtp
access-list outside_access_in extended permit tcp any object objISPConfig80 eq www
access-list outside_access_in extended permit tcp any object objISPConfig110 eq pop3
access-list outside_access_in extended permit tcp any object objISPConfig143 eq imap4
access-list outside_access_in extended permit tcp any object objISPConfig587 eq 587
access-list outside_access_in extended permit tcp any object objISPConfig993 eq 993
access-list outside_access_in extended permit tcp any object objISPConfig995 eq 995
access-list outside_access_in extended permit tcp any object objISPConfig2525 eq 2525
access-list outside_access_in extended permit tcp any object objISPConfig8080 eq 8080
access-list outside_access_in extended permit tcp any object objISPConfig22 eq ssh
access-list outside_access_in extended permit tcp any object objISPConfig53 eq domain
access-list outside_access_in extended permit tcp any object objISPConfig465 eq 465
access-list outside_access_in extended permit tcp any object objISPConfig443 eq https
access-list outside_access_in extended permit tcp any object objISPConfig25 eq smtp
access-list outside_access_in extended permit tcp any object objISPConfig80 eq www
access-list outside_access_in extended permit tcp any object objISPConfig20 eq ftp-data
access-list outside_access_in extended permit tcp any object objISPConfig21 eq ftp

object network objISPConfig110
 nat (Internal,External) static 1.1.1.13 service tcp pop3 pop3
object network objISPConfig143
 nat (Internal,External) static 1.1.1.13 service tcp imap4 imap4
object network objISPConfig443
 nat (Internal,External) static 1.1.1.13 service tcp https https
object network objISPConfig587
 nat (Internal,External) static 1.1.1.13 service tcp 587 587
object network objISPConfig993
 nat (Internal,External) static 1.1.1.13 service tcp 993 993
object network objISPConfig995
 nat (Internal,External) static 1.1.1.13 service tcp 995 995
object network objISPConfig2525
 nat (Internal,External) static 1.1.1.13 service tcp 2525 2525
object network objISPConfig8080
 nat (Internal,External) static 1.1.1.13 service tcp 8080 8080
object network objISPConfig22
 nat (Internal,External) static 1.1.1.13 service tcp ssh ssh
object network objISPConfig53
 nat (Internal,External) static 1.1.1.13 service tcp domain domain
object network objISPConfig465
 nat (Internal,External) static 1.1.1.13 service tcp 465 465
object network objISPConfig20
 nat (Internal,External) static 1.1.1.13 service tcp ftp-data ftp-data
object network objISPConfig21
 nat (Internal,External) static 1.1.1.13 service tcp ftp ftp
object network objISPConfig25
 nat (Internal,External) static 1.1.1.13 service tcp smtp smtp
object network objISPConfig80
 nat (Internal,External) static 1.1.1.13 service tcp www www
0
Comment
Question by:Adeste
1 Comment
 
LVL 20

Accepted Solution

by:
rauenpc earned 500 total points
ID: 39885757
I don't know of a way to make it any cleaner, outside of the ACL itself. You could make an object-group for all the services, and then have a single ACL line to look at. Overall the config will be the same number of lines, but the ACL you look at will be far shorter.

The alternate would be to give the server a 1-to-1 NAT, and use the ACL to control port access instead of a combination of acl and nat. This would require that you have a single public IP that you can dedicate to this machine.

object network objISPConfig
 host 172.23.25.15

object-group service objISPConfig-EXTSERVICES
service-object tcp destination eq ftp
service-object tcp destination eq ftp-data
service-object tcp destination eq smtp
service-object tcp destination eq www
service-object tcp destination eq pop3
service-object tcp destination eq imap4
service-object tcp destination eq 587
service-object tcp destination eq 993
service-object tcp destination eq 995
service-object tcp destination eq 2525
service-object tcp destination eq 8080
service-object tcp destination eq ssh
service-object tcp destination eq domain
service-object tcp destination eq 465
service-object tcp destination eq https

access-list outside_access_in extended permit object-group objISPConfig-EXTSERVICES any object objISPConfig
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Cisco vlan question 12 63
Cisco ASA 5505 ios upgrade 6 41
cisco 2911 8 34
Connecting two physical networks that reside in the same building 6 36
This article will cover setting up redundant ISPs for outbound connectivity on an ASA 5510 (although the same should work on the 5520s and up as well).  It’s important to note that this covers outbound connectivity only.  The ASA does not have built…
Quality of Service (QoS) options are nearly endless when it comes to networks today. This article is merely one example of how it can be handled in a hub-n-spoke design using a 3-tier configuration.
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.
You have products, that come in variants and want to set different prices for them? Watch this micro tutorial that describes how to configure prices for Magento super attributes. Assigning simple products to configurable: We assigned simple products…

932 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

9 Experts available now in Live!

Get 1:1 Help Now