Asked by Techrunner

ASA Objects for Non Standard Ports

Hello

I need your suggestions for creating service objects or object-groups for non-standard TCP/UDP ports on a Cisco ASA firewall.

What is the best standard/naming convention to use for creating such objects?

Many Thanks in Advance
Tags: Cisco, Hardware Firewalls, Network Security

Last comment: Michael Ortega, 8/22/2022 - Mon
Michael Ortega

You can create objects for each individual object and then put them into an object-group, or you can just create an object-group and define the ports there. Can you give us a specific example of the ports you need created? Would they all forward to the same internal host?

MO
Michael Ortega

Please also specify if they are TCP, UDP or both.

MO
Techrunner

ASKER
Thanks Michael

For example, TCP ports like 9001, 9282, 9277, etc.

Some are required for the same internal hosts and sometimes not.

What will be the best standard method and naming convention?
Pete Long

I always prefix all object groups with OBJ- and I always suffix TCP/UDP port groups with -UDP and -TCP. I always use UPPERCASE for user-defined things (class-maps, ACLs, policies, and object groups) because it makes them easy to locate in a config when you are trying to troubleshoot. Other than that it's pretty much personal preference.

I've spent many hours making firewall configs immaculate, then a client with 10 minutes in the ASDM makes it look like a bag of spanners!!!

Pete
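As an added example (not part of the thread, not Pete's or Cisco's code): a small Python linter that checks service object-groups in an ASA config against the convention described above (OBJ- prefix, uppercase name, -TCP/-UDP suffix matching the group's protocol keyword). The "-TCP-UDP" suffix for tcp-udp groups and the sample config are my assumptions.

```python
import re

# Constructed ASA config fragment (not from a real device): one group that
# follows the convention, two that do not.
SAMPLE_CONFIG = """\
object-group service OBJ-WEB-TCP tcp
 port-object eq 443
object-group service app_ports tcp
 port-object eq 9001
object-group service OBJ-SYSLOG-TCP udp
 port-object eq 514
"""

# Matches the header line of a port object-group: name + protocol keyword.
PORT_GROUP = re.compile(r"^object-group service (\S+) (tcp|udp|tcp-udp)$")

# Suffix expected per protocol keyword. "-TCP-UDP" for mixed groups is an
# assumption; the post only states -TCP and -UDP.
SUFFIX = {"tcp": "-TCP", "udp": "-UDP", "tcp-udp": "-TCP-UDP"}


def lint_port_groups(config: str) -> list[str]:
    """Return one finding per port group that breaks the convention:
    OBJ- prefix, uppercase name, and a suffix matching the group's protocol."""
    findings = []
    for raw in config.splitlines():
        m = PORT_GROUP.match(raw.strip())
        if not m:
            continue
        name, proto = m.groups()
        problems = []
        if not name.startswith("OBJ-"):
            problems.append("missing OBJ- prefix")
        if name != name.upper():
            problems.append("not uppercase")
        if not name.upper().endswith(SUFFIX[proto]):
            problems.append(f"expected {SUFFIX[proto]} suffix for {proto} group")
        if problems:
            findings.append(f"{name}: " + ", ".join(problems))
    return findings


if __name__ == "__main__":
    for finding in lint_port_groups(SAMPLE_CONFIG):
        print(finding)
```

Run it against `show running-config object-group` output to find groups that drift from the convention after someone edits the box in ASDM.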
Techrunner

ASKER
Thanks Michael and Pete

How about this

object network OBJ-10.1.1.1
host 10.1.1.1
description Server1

object network OBJ-10.1.1.1-TCP9090
host 10.1.1.1
nat (inside,outside) static 1.1.1.1 service tcp 9090 9090

object network OBJ-10.1.2.1
host 10.1.2.1
description Server2

object network OBJ-10.1.2.1-TCP9277
host 10.1.2.1
nat (inside,outside) static 2.2.2.2 service tcp 9277 9277

object network OBJ-10.1.2.1-TCP9299
host 10.1.2.1
nat (inside,outside) static 2.2.2.2 service tcp 9299 9299


Here I have created network objects.
Now what is the best way to create service objects for both servers so I can put them in an ACL for inbound connections?

Please advise
Techrunner

ASKER
For example, let's assume I have a server that should be accessible from the Internet and this server has multiple ports mapped to a single public IP. These ports are 9991, 9992, 9993, 443, 8000, 4000-5000.
What should be the syntax in such a case?
ArneLovius

@Michael Ortega

"The reason we create separate objects (even though the host IPs are the same) is that you can only assign one NAT to each object."

You can only assign one NAT to each object, but you can have multiple PATs, and as adding more than one NAT for an IP address would make no sense, there is no requirement to have the port in the network object name; just use the port in the service name.
Michael Ortega

ArneLovius,

I'm not sure anyone mentioned anything about naming requirements for objects. It was asked what the recommendations were for creating objects. The naming convention I use when I have multiple services (multiple, but a few) is to enter the port number in the object name. It's just a reference. I can call it whatever I want, of course.

What we're talking about is PAT. You can only assign one PAT to each object, but if you believe this is untrue please advise us all on how you do it. Creating multiple PAT statements within an object simply overwrites the previous one. That's why I create an object for each service and then nest the PAT statement relative to that particular service in each appropriate object.

Please provide a working sample of what you're referring to. I've never seen it done that way.

Here's a reference for you Arne. This is how I've always done it since 8.3: https://supportforums.cisco.com/discussion/10962221/asa-83-single-host-multiple-pat

MO
Michael Ortega

Arne,

Perhaps you were just correcting my use of the acronym NAT, when I really meant PAT. If that's the case, thanks for correcting me.

Either way, you can only assign one PAT to each object, which is what I meant to say originally.

MO
Techrunner

ASKER
Hi Arne Lovius

Can you please give your examples?

Thanks
ArneLovius

@Michael Ortega, I was quoting your words, and with your last post "you can only assign one PAT to each object" I would strongly disagree.

Multiple PAT statements per network object, as below.

Create the network objects

object network host.domain.com
 host 1.2.3.4
object network host.local
 host 192.168.1.1

Create services

object service tcp-src-3840
 service tcp source eq 3840
object service tcp-src-4444
 service tcp source eq 4444
object service tcp-src-18080
 service tcp source eq 18080

Use the network objects and service objects in PAT statements

nat (inside,ISP) source static host.local host.domain.com service tcp-src-3840 tcp-src-3840
nat (inside,ISP) source static host.local host.domain.com service tcp-src-4444 tcp-src-4444
nat (inside,ISP) source static host.local host.domain.com service tcp-src-18080 tcp-src-18080
Techrunner

ASKER
Thanks Arne
Good suggestion as well.

How about creating service objects for multiple ports?
Michael Ortega

Wow. I guess I knew you could do it that way as well, but why the heck would you want to? It's more work. So in my example using network/host objects you create 3 objects and 3 PATs nested in the respective objects. In your example you create 2 host objects, 3 service objects and 3 PATs. I guess I'm glad I do it the way I do.

@cciedreamer, if you're forwarding lots of services and/or port ranges I suggest you use my example with the object-group(s).

MO
Michael Ortega

@Arne

In response to your response regarding my response (LOL),

"I would strongly disagree" about my statement regarding "you can only assign one PAT to each object."

You strongly disagreed, but in your example it's exactly what you did. LOL.

Create services

object service tcp-src-3840
 service tcp source eq 3840
object service tcp-src-4444
 service tcp source eq 4444
object service tcp-src-18080
 service tcp source eq 18080

Use the network objects and service objects in PAT statements

nat (inside,ISP) source static host.local host.domain.com service tcp-src-3840 tcp-src-3840
nat (inside,ISP) source static host.local host.domain.com service tcp-src-4444 tcp-src-4444
nat (inside,ISP) source static host.local host.domain.com service tcp-src-18080 tcp-src-18080


You created 3 service objects and 3 PATs, one for each object.

MO
Techrunner

ASKER
Hi
What about the ACLs?
I don't want to create an ACL for each service; that is why I was asking about service object-groups.
Michael Ortega

@cciedreamer,

Please see my comment about service groups above. I gave you the configuration you need to make this work with the least amount of configuration.

MO
Michael Ortega

From my comment on 2016-08-15 at 16:34:07:

If you want both TCP and UDP, see below. I recommend when you have large port ranges like this that you have a 1:1 NAT for that host on a dedicated public IP from your block of available usables. For example, if you have 1.1.1.1 as your primary assigned Outside interface, but you have 1.1.1.2 - 1.1.1.5 also available, I would do the following:

object network OBJ-10.1.1.1
 host 10.1.1.1
 nat (INT_IWX_DATA,outside) static 1.1.1.2
!
object-group service OBJ-10.1.1.1_SERVICES tcp-udp
 port-object range 9991 9993
 port-object eq 443
 port-object eq 8000
 port-object range 4000 5000
!
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
!
access-list outside_access_in extended permit object-group TCPUDP any object OBJ-10.1.1.1 object-group OBJ-10.1.1.1_SERVICES


MO
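As an added example (not part of the thread, not Michael's or Cisco's code): a Python helper that turns a port list like the one in the question ("9991,9992,9993,443,8000,4000-5000") into the port-object lines of an object-group service block, merging adjacent or overlapping entries into ranges (so 9991,9992,9993 becomes range 9991 9993, as in the post above). The function names and the sorted output order are my choices.

```python
def parse_ports(spec: str) -> list[tuple[int, int]]:
    """Parse "9991,9992,9993,443,8000,4000-5000" into sorted, merged
    (low, high) ranges. Adjacent or overlapping entries are collapsed,
    so 9991,9992,9993 becomes the single range (9991, 9993).
    Rejects anything outside 1-65535 or with low > high."""
    ranges = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        lo, _, hi = item.partition("-")
        lo_i, hi_i = int(lo), int(hi or lo)
        if not (1 <= lo_i <= hi_i <= 65535):
            raise ValueError(f"bad port entry: {item!r}")
        ranges.append((lo_i, hi_i))
    ranges.sort()
    merged: list[tuple[int, int]] = []
    for lo, hi in ranges:
        # Merge when this entry overlaps or directly follows the last one.
        if merged and lo <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged


def service_group(name: str, spec: str, proto: str = "tcp-udp") -> list[str]:
    """Emit an object-group service block (one line per list element) in the
    same shape as the configuration in the post: 'eq' for single ports,
    'range' for contiguous runs. proto is tcp, udp or tcp-udp."""
    if proto not in ("tcp", "udp", "tcp-udp"):
        raise ValueError(f"unsupported protocol keyword: {proto!r}")
    lines = [f"object-group service {name} {proto}"]
    for lo, hi in parse_ports(spec):
        if lo == hi:
            lines.append(f" port-object eq {lo}")
        else:
            lines.append(f" port-object range {lo} {hi}")
    return lines


if __name__ == "__main__":
    # Port list taken from the question above.
    print("\n".join(service_group("OBJ-10.1.1.1_SERVICES", "9991,9992,9993,443,8000,4000-5000")))
```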
Techrunner

ASKER
Thanks Michael that makes sense.

I have another example where I have an internal host and I want to allow this host to access external servers on different ports, for example:

10.1.1.1 (Host1) -- 3.3.3.3 (Exhost) - TCP 19018, 19019
10.1.1.1 (Host1) -- 4.4.4.4 (Exhost) - TCP 4900, 4600, 5040; UDP 9400

Can you please advise how to configure the rules in a more efficient way?

Thanks
Michael Ortega

@ArneLovius,

I'm still very anxious to see how you're able to apply multiple PAT statements to a single object. Please share when you get a chance. Your last example showed that you were applying a single PAT to a single service object, but I'm interested in how you stack multiple PATs on a single object. That would save me tons of time.

MO
Techrunner

ASKER
Hi Michael
I know this question will be out of this topic but I just need some quick suggestions.


We have some 3rd party support companies that need access into the network to a specific server and I would like to lock down the user to specific IPs/ports.

For example, three employees from a company need access to different servers.

User 1 needs to reach Servers 1, 2 and 3
User 2 needs to reach Servers 4, 5
User 1 should not reach Servers 4, 5

Appreciating your help
ArneLovius

@MichaelOrtega, which object are you referring to, the network object or the service object, or do you mean a configuration line, which is not an "object"?
Michael Ortega

@cciedreamer,

I recommend you start a new question for that.

@ArneLovius,

We can probably drop the "one on one" on objects and PAT now. We can agree that there is more than one way to get it done. Fair? cciedreamer has the information he needs relative to this question.

MO
Techrunner

ASKER
Another point which came to my mind.

I have internal host with following configuration

object network OBJ_10.10.20.7
host 10.10.20.7
des MAIL SERVER
nat (inside,outside) dynamic interface

object network OBJ_10.10.20.7_TCP443
host 10.10.20.7
des MAIL SERVER PAT /TCP 443
nat (inside,outside) static 1.1.1.1 service tcp 443 443

Will this configuration make a difference when accessing the mail server from outside?
Michael Ortega

@cciedreamer,

No need to have the dynamic NAT nested in your mail server object. Presumably, it's using the dynamic NAT that's already in place for the entire subnet.

The static PAT you have just means that your users will connect to 1.1.1.1 from the outside to access services on 443 (e.g. OWA, ECP, etc.)

MO
Techrunner

ASKER
Thanks, actually I haven't configured dynamic NAT on the subnet. I prefer to do it for individual network objects.
Michael Ortega

Without dynamic NAT in place how are all your devices behind the same network communicating with the outside world/Internet?

MO
Techrunner

ASKER
For any device that requires going to the internet, I do the dynamic object NAT for each device.

Thanks
Michael Ortega

I see. Makes sense, although you could do that with ACLs instead. Might be cleaner? You could create an object-group of all the devices that aren't permitted and then write one ACL to deny. That way you could have one ACL only to define the deny and one NAT statement only in place. The only thing you would have to update on the firewall going forward is what new IP or object you want to deny, and just add them to the object-group you created.

MO
Michael Ortega

Of course, you could employ web security tools to do this for you instead.

MO
Techrunner

ASKER
Yes that is great advice as well.
Techrunner

ASKER
Hi
I just received a new request:

Allow 10.1.100.100 (inside) to access 172.16.1.100 (dmz) on ports 7000, 7005, 7008
Allow 10.1.100.101 (inside) to access 172.16.1.100 (dmz) on ports 7000, 7005, 7008

So what is your advice for service and network objects? The communication should be bi-directional.
ArneLovius

Unless the inside is at a lower security level than the DMZ, or you have a blanket deny from inside to DMZ, there is no requirement for an ACL to allow traffic from inside to DMZ.

I think the original question has been comprehensively answered...
Techrunner

ASKER
Inside has a security level of 100 and DMZ has 50.
I have a default deny rule on inside and dmz.

Yes, it is answered, but I would appreciate it if you guys could suggest something on my last comment.
Michael Ortega

@cciedreamer,

It's important that you stick to the original scope of your question, allow the experts to help and answer and then close the question out. If you have additional questions, e.g. additional scope items, you should start a new question.

MO
Techrunner

ASKER
Hi, sure.
Very last question in this thread, which I guess is related to the original question.

Please can you suggest something on this comment:

https://www.experts-exchange.com/questions/28963313/ASA-Objects-for-Non-Standard-Ports.html?anchorAnswerId=41762898#a41762898
Michael Ortega

@cciedreamer,

This is a separate question and should be opened up as a new one.

MO