Solved

ASA Objects for Non Standard Ports

Posted on 2016-08-14
Last Modified: 2016-08-23
Hello

I need your suggestions for creating service objects or object-groups for non-standard TCP/UDP ports on a Cisco ASA firewall.

What is the best standard/naming convention to use for creating such objects?

Many Thanks in Advance
Question by:cciedreamer
42 Comments
 
LVL 16

Expert Comment

by:Michael Ortega (Internetwerx, Inc.)
You can create objects for each individual service and then put them into an object-group, or you can just create an object-group and define the ports there. Can you give us a specific example of the ports you need created? Would they all forward to the same internal host?

MO
LVL 16

Expert Comment

by:Michael Ortega (Internetwerx, Inc.)
Please also specify if they are TCP, UDP or both.

MO
LVL 3

Author Comment

by:cciedreamer
Thanks Michael

For example, TCP ports like 9001, 9282, 9277, etc.

Sometimes it is required for the same internal hosts and sometimes not.

What will be the best standard method and naming convention?
LVL 57

Expert Comment

by:Pete Long
I always prefix all object groups with OBJ- and I always suffix TCP/UDP port groups with -UDP and -TCP. I always use UPPERCASE for user-defined things (class-maps, ACLs, policies, and object groups) because it makes them easy to locate in a config when you are trying to troubleshoot. Other than that it's pretty much personal preference.

I've spent many hours making firewall configs immaculate, then a client with 10 minutes in the ASDM makes it look like a bag of spanners!!!

Pete
LVL 16

Assisted Solution

by:Michael Ortega (Internetwerx, Inc.)
Michael Ortega (Internetwerx, Inc.) earned 500 total points
Along the same lines of Pete, I do the same. In this case, let's assume that the internal hosts are 192.168.0.200 (SERVER1) and 192.168.0.201 (SERVER2). I would do something like this:

object network HOST_SERVER1_TCP9001
 host 192.168.0.200
!
object network HOST_SERVER1_TCP9282
 host 192.168.0.200
!
object network HOST_SERVER2_TCP9277
 host 192.168.0.201

The reason we create separate objects (even though the host IPs are the same) is that you can only assign one NAT to each object. In the case where you have several ports where doing it this way seems unreasonable, you can create service objects and object-groups to cover the services themselves, but you'd still have to create separate groupings based on how many different internal hosts you're configuring.

Hope this helps.

MO
LVL 3

Author Comment

by:cciedreamer
Thanks Michael and Pete

How about this?

object network OBJ-10.1.1.1
host 10.1.1.1
description Server1

object network OBJ-10.1.1.1-TCP9090
host 10.1.1.1
nat (inside,outside) static 1.1.1.1 service tcp 9090 9090

object network OBJ-10.1.2.1
host 10.1.2.1
description Server2

object network OBJ-10.1.2.1-TCP9277
host 10.1.2.1
nat (inside,outside) static 2.2.2.2 service tcp 9277 9277

object network OBJ-10.1.2.1-TCP9299
host 10.1.2.1
nat (inside,outside) static 2.2.2.2 service tcp 9299 9299


Here I have created the network objects.
Now what is the best way to create service objects for both servers so I can put them in an ACL for inbound connections?

Please advise
LVL 16

Assisted Solution

by:Michael Ortega (Internetwerx, Inc.)
Michael Ortega (Internetwerx, Inc.) earned 500 total points
For the ACL just create an object-group.

object-group network OBJ-SERVERS
 network-object object OBJ-10.1.1.1
 network-object object OBJ-10.1.2.1

But you're only allowing certain services to certain hosts, so I would just create separate ACLs for this, especially if it's only a few services.

access-list outbound_access_in extended permit tcp any object OBJ-10.1.1.1 eq 9090
access-list outbound_access_in extended permit tcp any object OBJ-10.1.2.1 eq 9277
access-list outbound_access_in extended permit tcp any object OBJ-10.1.2.1 eq 9299
!
access-group outbound_access_in in interface outside

I'm assuming that you need to allow any external IP to connect, but if not, scope it to the IP you need or put that IP (or IPs) into their own object (or object-group if multiple) to make things cleaner.

MO
LVL 3

Author Comment

by:cciedreamer
For example, let's assume I have a server that should be accessible from the Internet and this server has multiple ports mapped to a single public IP. These ports are 9991, 9992, 9993, 443, 8000, 4000-5000.
What should be the syntax in such a case?
LVL 16

Assisted Solution

by:Michael Ortega (Internetwerx, Inc.)
Michael Ortega (Internetwerx, Inc.) earned 500 total points
If you want both TCP and UDP, see below. I recommend when you have large port ranges like this that you have a 1:1 NAT for that host on a dedicated public IP from your block of available usables. For example, if you have 1.1.1.1 as your primary assigned Outside interface, but you have 1.1.1.2 - 1.1.1.5 also available, I would do the following:

object network OBJ-10.1.1.1
 host 10.1.1.1
 nat (INT_IWX_DATA,outside) static 1.1.1.2
!
object-group service OBJ-10.1.1.1_SERVICES tcp-udp
 port-object range 9991 9993
 port-object eq 443
 port-object eq 8000
 port-object range 4000 5000
!
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
!
access-list outside_access_in extended permit object-group TCPUDP any object OBJ-10.1.1.1 object-group OBJ-10.1.1.1_SERVICES

MO
LVL 36

Expert Comment

by:ArneLovius
@Michael Ortega

"The reason we create separate objects (even though the host IPs are the same) is that you can only assign one NAT to each object."

You can only assign one NAT to each object, but you can have multiple PAT, and as adding more than one NAT for an IP address would make no sense, there is no requirement to have the port in the network object name; just use the port in the service name.
LVL 16

Expert Comment

by:Michael Ortega (Internetwerx, Inc.)
ArneLovius,

I'm not sure anyone mentioned anything about naming requirements for objects. It was asked what the recommendations were for creating objects. With the naming convention I use, when I have multiple services (multiple, but a few) I enter the port number in the object name. It's just a reference. I can call it whatever I want, of course.

What we're talking about is PAT. You can only assign one PAT to each object, but if you believe this is untrue please advise us all on how you do it. Creating multiple PAT statements within an object simply overwrites the previous one. That's why I create an object for each service and then nest the PAT statement relative to that particular service in each appropriate object.

Please provide a working sample of what you're referring to. I've never seen it done that way.

Here's a reference for you Arne. This is how I've always done it since 8.3: https://supportforums.cisco.com/discussion/10962221/asa-83-single-host-multiple-pat

MO
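Added example, not code from this thread or from any of its participants: a small Python linter that parses ASA `object` / `object-group` blocks out of a constructed config sample and reports two things discussed above: names that break Pete Long's convention (OBJ- prefix, UPPERCASE, -TCP / -UDP suffix on port groups), and any network object carrying more than one `nat` statement, the case Michael describes where a second PAT simply replaces the first. The sample config, the OBJ- prefix being applied to network objects as well as groups, and the -TCP-UDP suffix for `tcp-udp` groups are assumptions.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample config (not from the thread). Two objects follow the
# OBJ- / UPPERCASE / -TCP|-UDP convention, two break it, and one network
# object carries two nat lines, the overwrite pitfall discussed above.
SAMPLE_CONFIG = """\
object network OBJ-10.1.1.1
 host 10.1.1.1
 description Server1
!
object network OBJ-10.1.1.1-TCP9090
 host 10.1.1.1
 nat (inside,outside) static 1.1.1.1 service tcp 9090 9090
!
object network web_server
 host 10.1.2.1
 nat (inside,outside) static 2.2.2.2 service tcp 9277 9277
 nat (inside,outside) static 2.2.2.2 service tcp 9299 9299
!
object-group service OBJ-SERVER2-TCP tcp
 port-object eq 9277
 port-object eq 9299
!
object-group service srv_ports udp
 port-object eq 9400
"""

# Header line of an object block; the trailing protocol exists only on service groups.
HEADER = re.compile(
    r"^(object network|object service|object-group (?:network|service|protocol))"
    r"\s+(\S+)(?:\s+(tcp-udp|tcp|udp))?\s*$"
)


@dataclass
class AsaObject:
    kind: str                 # e.g. "object network", "object-group service"
    name: str
    proto: Optional[str]      # tcp / udp / tcp-udp on service groups, else None
    body: List[str] = field(default_factory=list)   # indented sub-lines, stripped


def parse_objects(config: str) -> List[AsaObject]:
    """Split ASA object / object-group blocks into AsaObject records."""
    objects: List[AsaObject] = []
    current: Optional[AsaObject] = None
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue                       # blank lines and '!' separators
        if raw.startswith(" "):
            if current is not None:        # sub-line of the current block
                current.body.append(raw.strip())
            continue
        m = HEADER.match(raw)
        current = AsaObject(m.group(1), m.group(2), m.group(3)) if m else None
        if current is not None:
            objects.append(current)
    return objects


def lint(objects: List[AsaObject]) -> List[Tuple[str, str]]:
    """Return (object name, problem) pairs for convention and nat-count issues."""
    findings: List[Tuple[str, str]] = []
    for obj in objects:
        if obj.name != obj.name.upper():
            findings.append((obj.name, "name is not UPPERCASE"))
        if not obj.name.startswith("OBJ-"):
            findings.append((obj.name, "name lacks the OBJ- prefix"))
        if obj.kind == "object-group service" and obj.proto:
            suffix = "-" + obj.proto.upper()   # assumption: tcp-udp groups end in -TCP-UDP
            if not obj.name.endswith(suffix):
                findings.append((obj.name, f"service group should end with {suffix}"))
        nats = [line for line in obj.body if line.startswith("nat ")]
        if len(nats) > 1:
            findings.append((obj.name, f"{len(nats)} nat statements in one object; only one takes effect"))
    return findings


if __name__ == "__main__":
    for name, problem in lint(parse_objects(SAMPLE_CONFIG)):
        print(f"{name}: {problem}")
```

Run it against `show running-config object` and `show running-config object-group` output saved to a file to get a quick convention and NAT-count check before a change window; it only reads the config text and changes nothing on the device.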
LVL 16

Expert Comment

by:Michael Ortega (Internetwerx, Inc.)
Arne,

Perhaps you were just correcting my use of the acronym NAT, when I really meant PAT. If that's the case, thanks for correcting me.

Either way, you can only assign one PAT to each object, which is what I meant to say originally.

MO
LVL 3

Author Comment

by:cciedreamer
Hi arne lovious

Can you please give your examples

Thanks
LVL 36

Expert Comment

by:ArneLovius
@Michael Ortega, I was quoting your words, and with your last post "you can only assign one PAT to each object" I would strongly disagree.

Multiple PAT statements per network object, as below:

Create the network objects

object network host.domain.com
 host 1.2.3.4
object network host.local
 host 192.168.1.1

Create services

object service tcp-src-3840
 service tcp source eq 3840
object service tcp-src-4444
 service tcp source eq 4444
object service tcp-src-18080
 service tcp source eq 18080

Use the network objects and service objects in PAT statements

nat (inside,ISP) source static host.local host.domain.com service tcp-src-3840 tcp-src-3840
nat (inside,ISP) source static host.local host.domain.com service tcp-src-4444 tcp-src-4444
nat (inside,ISP) source static host.local host.domain.com service tcp-src-18080 tcp-src-18080
LVL 3

Author Comment

by:cciedreamer
Thanks Arne
Good Suggestion as well

How about creating service objects for multiple ports?
LVL 16

Expert Comment

by:Michael Ortega (Internetwerx, Inc.)
Wow. I guess I knew you could do it that way as well, but why the heck would you want to? It's more work. So in my example using network/host objects you create 3 objects and 3 PATs nested in the respective objects. In your example you create 2 host objects, 3 service objects and 3 PATs. I guess I'm glad I do it the way I do.

@cciedreamer, if you're forwarding lots of services and/or port ranges I suggest you use my example with the object-group(s).

MO
LVL 16

Expert Comment

by:Michael Ortega (Internetwerx, Inc.)
@Arne

In response to your response regarding my response (LOL),

"I would strongly disagree" about my statement regarding "you can only assign one PAT to each object."

You strongly disagreed, but in your example it's exactly what you did. LOL.

Create services

object service tcp-src-3840
 service tcp source eq 3840
object service tcp-src-4444
 service tcp source eq 4444
object service tcp-src-18080
 service tcp source eq 18080

Use the network objects and service objects in PAT statements

nat (inside,ISP) source static host.local host.domain.com service tcp-src-3840 tcp-src-3840
nat (inside,ISP) source static host.local host.domain.com service tcp-src-4444 tcp-src-4444
nat (inside,ISP) source static host.local host.domain.com service tcp-src-18080 tcp-src-18080


You created 3 service objects and 3 PATs, one for each object.

MO
LVL 3

Author Comment

by:cciedreamer
Hi
What about the ACLs?
Because I don't want to create an ACL for each service, that is why I was asking about service object groups.
LVL 16

Expert Comment

by:Michael Ortega (Internetwerx, Inc.)
@cciedreamer,

Please see my comment about service groups above. I gave you the configuration you need to make this work with the least amount of configuration.

MO
LVL 16

Expert Comment

by:Michael Ortega (Internetwerx, Inc.)
From my comment on 2016-08-15 at 16:34:07:

If you want both TCP and UDP, see below. I recommend when you have large port ranges like this that you have a 1:1 NAT for that host on a dedicated public IP from your block of available usables. For example, if you have 1.1.1.1 as your primary assigned Outside interface, but you have 1.1.1.2 - 1.1.1.5 also available, I would do the following:

object network OBJ-10.1.1.1
 host 10.1.1.1
 nat (INT_IWX_DATA,outside) static 1.1.1.2
!
object-group service OBJ-10.1.1.1_SERVICES tcp-udp
 port-object range 9991 9993
 port-object eq 443
 port-object eq 8000
 port-object range 4000 5000
!
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
!
access-list outside_access_in extended permit object-group TCPUDP any object OBJ-10.1.1.1 object-group OBJ-10.1.1.1_SERVICES


MO
LVL 3

Author Comment

by:cciedreamer
Thanks Michael that makes sense.

I have another example where I have an internal host and I want to allow this host to access external servers on different ports, for example:

10.1.1.1 ( Host1) -- 3.3.3.3 ( Exhost) - TCP 19018,19019
10.1.1.1 ( Host1) -- 4.4.4.4 ( Exhost) - TCP 4900,4600,5040 UDP 9400

Can you please advise how to configure the rules in a more efficient way?

Thanks
LVL 16

Accepted Solution

by:Michael Ortega (Internetwerx, Inc.)
Michael Ortega (Internetwerx, Inc.) earned 500 total points
object network HOST_SERVER1
 host 10.1.1.1
!
object network HOST_SERVER1_TCP19018
 host 10.1.1.1
 nat (inside,outside) static 3.3.3.3 service tcp 19018 19018
!
object network HOST_SERVER1_TCP19019
 host 10.1.1.1
 nat (inside,outside) static 3.3.3.3 service tcp 19019 19019
!
object network HOST_SERVER1_TCP4900
 host 10.1.1.1
 nat (inside,outside) static 4.4.4.4 service tcp 4900 4900
!
object network HOST_SERVER1_TCP4600
 host 10.1.1.1
 nat (inside,outside) static 4.4.4.4 service tcp 4600 4600
!
object network HOST_SERVER1_TCP5040
 host 10.1.1.1
 nat (inside,outside) static 4.4.4.4 service tcp 5040 5040
!
object network HOST_SERVER1_UDP9400
 host 10.1.1.1
 nat (inside,outside) static 4.4.4.4 service udp 9400 9400
!
object-group service GROUP_SERVER1_SERVICES_TCP tcp
 port-object range 19018 19019
 port-object eq 4900
 port-object eq 4600
 port-object eq 5040
!
access-list outside_access_in extended permit tcp any object HOST_SERVER1 object-group GROUP_SERVER1_SERVICES_TCP
access-list outside_access_in extended permit udp any object HOST_SERVER1 eq 9400
!
access-group outside_access_in in interface outside

MO
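Added example, not code from the thread or from Michael or Arne: a Python generator that takes a list of port forwards (constructed here, modelled on the request above) and emits both configuration styles discussed in this thread. `object_nat_config` reproduces Michael's layout above (one network object per static PAT, since an object holds a single nat line; one service group per server and protocol, with consecutive ports collapsed into a `range`; one ACL line per group), and `twice_nat_config` reproduces ArneLovius's twice-NAT layout from his earlier post (network objects for the real and mapped hosts, a service object per port, one `nat ... source static` line each). The object names HOST_<server>_<PROTO><port>, GROUP_<server>_SERVICES_<PROTO>, OBJ-<ip> and <proto>-src-<port>, the interface names, and giving the single UDP port its own service group instead of `eq` on the ACL line, are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Forward:
    server: str      # label used in object names, e.g. SERVER1
    inside_ip: str   # real (inside) address
    public_ip: str   # mapped address
    proto: str       # "tcp" or "udp"
    port: int        # same port on both sides, as in the thread


# Constructed request, modelled on the inside host / two external addresses case above.
REQUEST = [
    Forward("SERVER1", "10.1.1.1", "3.3.3.3", "tcp", 19018),
    Forward("SERVER1", "10.1.1.1", "3.3.3.3", "tcp", 19019),
    Forward("SERVER1", "10.1.1.1", "4.4.4.4", "tcp", 4900),
    Forward("SERVER1", "10.1.1.1", "4.4.4.4", "tcp", 4600),
    Forward("SERVER1", "10.1.1.1", "4.4.4.4", "tcp", 5040),
    Forward("SERVER1", "10.1.1.1", "4.4.4.4", "udp", 9400),
]


def port_objects(ports) -> List[str]:
    """Collapse ports into ' port-object eq N' / ' port-object range A B' lines."""
    lines, run = [], []
    for p in sorted(set(ports)) + [None]:          # None flushes the last run
        if run and (p is None or p != run[-1] + 1):
            lines.append(f" port-object eq {run[0]}" if len(run) == 1
                         else f" port-object range {run[0]} {run[-1]}")
            run = []
        if p is not None:
            run.append(p)
    return lines


def object_nat_config(forwards, ifaces=("inside", "outside"), acl="outside_access_in") -> str:
    """Michael's style: one network object per static PAT, one service group per
    server+protocol, one ACL line per group, ACL bound to the outside interface."""
    ins, outs = ifaces
    out: List[str] = []
    hosts: Dict[str, str] = {}
    ports: Dict[Tuple[str, str], List[int]] = defaultdict(list)
    for f in forwards:
        hosts.setdefault(f.server, f.inside_ip)
        ports[(f.server, f.proto)].append(f.port)
        out += [f"object network HOST_{f.server}_{f.proto.upper()}{f.port}",
                f" host {f.inside_ip}",
                f" nat ({ins},{outs}) static {f.public_ip} service {f.proto} {f.port} {f.port}",
                "!"]
    for server, ip in hosts.items():                # plain host object referenced by the ACL
        out += [f"object network HOST_{server}", f" host {ip}", "!"]
    for (server, proto), plist in ports.items():
        group = f"GROUP_{server}_SERVICES_{proto.upper()}"
        out += [f"object-group service {group} {proto}", *port_objects(plist), "!"]
        out.append(f"access-list {acl} extended permit {proto} any object HOST_{server} object-group {group}")
    out.append(f"access-group {acl} in interface {outs}")
    return "\n".join(out)


def twice_nat_config(forwards, ifaces=("inside", "ISP")) -> str:
    """Arne's style: network objects for real and mapped hosts, a service object
    per port, and one 'nat source static' line per port."""
    ins, outs = ifaces
    out: List[str] = []
    seen = set()
    for f in forwards:
        for ip in (f.inside_ip, f.public_ip):       # one network object per distinct address
            if ip not in seen:
                seen.add(ip)
                out += [f"object network OBJ-{ip}", f" host {ip}"]
        svc = f"{f.proto}-src-{f.port}"
        out += [f"object service {svc}", f" service {f.proto} source eq {f.port}"]
    for f in forwards:
        svc = f"{f.proto}-src-{f.port}"
        out.append(f"nat ({ins},{outs}) source static OBJ-{f.inside_ip} OBJ-{f.public_ip} service {svc} {svc}")
    return "\n".join(out)


if __name__ == "__main__":
    print(object_nat_config(REQUEST))
    print("!")
    print(twice_nat_config(REQUEST))
```

The generated ACL lines permit `any` source, exactly as in the thread; where the external peers are known (3.3.3.3 and 4.4.4.4 here), put them in their own object or object-group and use it in place of `any`, as Michael recommends further up.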
LVL 16

Expert Comment

by:Michael Ortega (Internetwerx, Inc.)
@ArneLovius,

I'm still very anxious to see how you're able to apply multiple PAT statements to a single object. Please share when you get a chance. Your last example showed that you were applying a single PAT to a single service object, but I'm interested in how you stack multiple PATs on a single object. That would save me tons of time.

MO
LVL 3

Author Comment

by:cciedreamer
Hi Michael
I know this question is out of this topic, but I just need some quick suggestions.


We have some 3rd party support companies that need access into the network to a specific server and I would like to lock down the user to specific IPs/ports.

For example, three employees from company need access to different servers.

User1 needs to reach Server 1,2 and 3
User 2 needs to reach Server 4,5
User 1 should not reach Server 4,5

Appreciating your help
LVL 36

Expert Comment

by:ArneLovius
@MichaelOrtega, which object are you referring to, the network object or the service object, or do you mean a configuration line, which is not an "object"?
LVL 16

Expert Comment

by:Michael Ortega (Internetwerx, Inc.)
@cciedreamer,

I recommend you start a new question for that.

@ArneLovius,

We can probably drop the "one on one" on objects and PAT now. We can agree that there is more than one way to get it done. Fair? cciedreamer has the information he needs relative to this question.

MO
LVL 3

Author Comment

by:cciedreamer
Another point which came to my mind.

I have internal host with following configuration

object network OBJ_10.10.20.7
 host 10.10.20.7
 description MAIL SERVER
 nat (inside,outside) dynamic interface

object network OBJ_10.10.20.7_TCP443
 host 10.10.20.7
 description MAIL SERVER PAT /TCP 443
 nat (inside,outside) static 1.1.1.1 service tcp 443 443

Will this configuration make a difference when accessing the mail server from outside?
LVL 16

Expert Comment

by:Michael Ortega (Internetwerx, Inc.)
@cciedreamer,

No need to have the dynamic NAT nested in your mail server object. Presumably, it's using the dynamic NAT that's already in place for the entire subnet.

The static PAT you have just means that your users will connect to 1.1.1.1 from the outside to access services on 443 (e.g. OWA, ECP, etc.)

MO
LVL 3

Author Comment

by:cciedreamer
Thanks, actually I haven't configured dynamic NAT on the subnet. I prefer to do it for individual network objects.
LVL 16

Expert Comment

by:Michael Ortega (Internetwerx, Inc.)
Without dynamic NAT in place how are all your devices behind the same network communicating with the outside world/Internet?

MO
LVL 3

Author Comment

by:cciedreamer
For any device that requires going to the Internet, I do dynamic object NAT for that device.

Thanks
LVL 16

Expert Comment

by:Michael Ortega (Internetwerx, Inc.)
I see. Makes sense, although you could do that with ACLs instead. Might be cleaner? You could create an object-group of all the devices that aren't permitted and then write one ACL to deny. That way you could have only one ACL to define the deny and only one NAT statement in place. The only thing you would have to update on the firewall going forward is what new IP or object you want to deny, and just add them to the object-group you created.

MO
LVL 16

Expert Comment

by:Michael Ortega (Internetwerx, Inc.)
Of course, you could employ web security tools to do this for you instead.

MO
LVL 3

Author Comment

by:cciedreamer
Yes that is great advice as well.
LVL 3

Author Comment

by:cciedreamer
Hi
I just receive a new request

Allow 10.1.100.100 (inside) to access 172.16.1.100 (dmz) on ports 7000, 7005, 7008
Allow 10.1.100.101 (inside) to access 172.16.1.100 (dmz) on ports 7000, 7005, 7008

So what is your advice for service and network objects? The communication should be bi-directional.
LVL 36

Expert Comment

by:ArneLovius
Unless the inside is at a lower security level than the DMZ, or you have a blanket deny from inside to DMZ, there is no requirement for an ACL to allow traffic from inside to DMZ.

I think the original question has been comprehensively answered...
LVL 3

Author Comment

by:cciedreamer
Inside has a security level of 100 and DMZ has 50.
I have a default deny rule on inside and DMZ.

Yes, it is answered, but I would appreciate it if you guys could suggest something on my last comment.
LVL 16

Expert Comment

by:Michael Ortega (Internetwerx, Inc.)
@cciedreamer,

It's important that you stick to the original scope of your question, allow the experts to help and answer and then close the question out. If you have additional questions, e.g. additional scope items, you should start a new question.

MO
LVL 3

Author Comment

by:cciedreamer
Hi, sure.
Very last question in this thread, which I guess is related to the original question.

Please can you suggest something on this comment

https://www.experts-exchange.com/questions/28963313/ASA-Objects-for-Non-Standard-Ports.html#a41762898
LVL 16

Expert Comment

by:Michael Ortega (Internetwerx, Inc.)
@cciedreamer,

This is a separate question and should be opened up as a new one.

MO