Techrunner
ASA Objects for Non Standard Ports
Hello
I need your suggestions for creating service objects or object-groups for non-standard TCP/UDP ports on a Cisco ASA firewall.
What is the best standard / naming convention to use for creating such objects?
Many Thanks in Advance
Please also specify if they are TCP, UDP or both.
MO
ASKER
Thanks Michael
For example TCP ports like 9001, 9282, 9277, etc.
Sometimes they are required for the same internal hosts and sometimes not.
What will be the best standard method and naming convention?
I always prefix all object groups with OBJ- and I always suffix TCP/UDP port groups with -UDP and -TCP. I always use UPPERCASE for user-defined things (class-maps, ACLs, policies, and object groups) because it makes them easy to locate in a config when you are trying to troubleshoot. Other than that it's pretty much personal preference.
I've spent many hours making firewall configs immaculate, then a client with 10 minutes in the ASDM makes it look like a bag of spanners!!!
Pete
SOLUTION
ASKER
Thanks Michael and Pete
How about this:
object network OBJ-10.1.1.1
host 10.1.1.1
description Server1
object network OBJ-10.1.1.1-TCP9090
host 10.1.1.1
nat (inside,outside) static 1.1.1.1 service tcp 9090 9090
object network OBJ-10.1.2.1
host 10.1.2.1
description Server2
object network OBJ-10.1.2.1-TCP9277
host 10.1.2.1
nat (inside,outside) static 2.2.2.2 service tcp 9277 9277
object network OBJ-10.1.2.1-TCP9299
host 10.1.2.1
nat (inside,outside) static 2.2.2.2 service tcp 9299 9299
Here I have created network objects.
Now what is the best way to create service objects for both servers so I can put them in an ACL for inbound connections?
Please advise
SOLUTION
ASKER
For example, let's assume I have a server that should be accessible from the Internet and this server has multiple ports mapped to a single public IP: ports 9991, 9992, 9993, 443, 8000, 4000-5000.
What should the syntax be in such a case?
SOLUTION
@Michael Ortega
"The reason we create separate objects (even though the host IPs are the same) is that you can only assign one NAT to each object."
You can only assign one NAT to each object, but you can have multiple PATs, and as adding more than one NAT for an IP address would make no sense, there is no requirement to have the port in the network object name; just use the port in the service name.
ArneLovius,
I'm not sure anyone mentioned anything about naming requirements for objects. It was asked what the recommendations were for creating objects. The naming convention I use when I have multiple services (multiple, but a few) I enter the port number in the object name. It's just a reference. I can call it whatever I want, of course.
What we're talking about is PAT. You can only assign one PAT to each object, but if you believe this is untrue please advise us all on how you do it. Creating multiple PAT statements within an object simply overwrites the previous one. That's why I create an object for each service and then nest the PAT statement relative to that particular service in each appropriate object.
Please provide a working sample of what you're referring to. I've never seen it done that way.
Here's a reference for you Arne. This is how I've always done it since 8.3: https://supportforums.cisco.com/discussion/10962221/asa-83-single-host-multiple-pat
MO
Arne,
Perhaps you were just correcting my use of the acronym NAT, when I really meant PAT. If that's the case, thanks for correcting me.
Either way, you can only assign one PAT to each object, which is what I meant to say originally.
MO
ASKER
Hi Arne Lovius,
Can you please give your examples?
Thanks
@Michael Ortega, I was quoting your words, and with your last post "you can only assign one PAT to each object" I would strongly disagree.
Multiple PAT statements per network object, as below.
Create the network objects:
object network host.domain.com
host 1.2.3.4
object network host.local
host 192.168.1.1
Create the services:
object service tcp-src-3840
service tcp source eq 3840
object service tcp-src-4444
service tcp source eq 4444
object service tcp-src-18080
service tcp source eq 18080
Use the network objects and service objects in PAT statements:
nat (inside,ISP) source static host.local host.domain.com service tcp-src-3840 tcp-src-3840
nat (inside,ISP) source static host.local host.domain.com service tcp-src-4444 tcp-src-4444
nat (inside,ISP) source static host.local host.domain.com service tcp-src-18080 tcp-src-18080
ASKER
Thanks Arne
Good suggestion as well.
How about creating service objects for multiple ports?
Wow. I guess I knew you could do it that way as well, but why the heck would you want to? It's more work. So in my example using network/host objects you create 3 objects and 3 PATs nested in the respective objects. In your example you create 2 host objects, 3 service objects and 3 PATs. I guess I'm glad I do it the way I do.
@cciedreamer, if you're forwarding lots of services and/or port ranges I suggest you use my example with the object-group(s).
MO
@Arne
In response to your response regarding my response (LOL),
"I would strongly disagree" about my statement regarding "you can only assign one PAT to each object."
You strongly disagreed, but in your example it's exactly what you did. LOL.
Create services
object service tcp-src-3840
service tcp source eq 3840
object service tcp-src-4444
service tcp source eq 4444
object service tcp-src-18080
service tcp source eq 18080
Use the network objects and service objects in PAT statements
nat (inside,ISP) source static host.local host.domain.com service tcp-src-3840 tcp-src-3840
nat (inside,ISP) source static host.local host.domain.com service tcp-src-4444 tcp-src-4444
nat (inside,ISP) source static host.local host.domain.com service tcp-src-18080 tcp-src-18080
You created 3 service objects and 3 PATs, one for each object.
MO
ASKER
Hi
What about the ACLs?
Because I don't want to create an ACL for each service, that is why I was asking about service object groups.
@cciedreamer,
Please see my comment about service groups above. I gave you the configuration you need to make this work with the least amount of configuration.
MO
From my comment on 2016-08-15 at 16:34:07:
If you want both TCP and UDP, see below. I recommend when you have large port ranges like this that you have a 1:1 NAT for that host on a dedicated public IP from your block of available usables. For example, if you have 1.1.1.1 as your primary assigned Outside interface, but you have 1.1.1.2 - 1.1.1.5 also available, I would do the following:
object network OBJ-10.1.1.1
host 10.1.1.1
nat (INT_IWX_DATA,outside) static 1.1.1.2
!
object-group service OBJ-10.1.1.1_SERVICES tcp-udp
port-object range 9991 9993
port-object eq 443
port-object eq 8000
port-object range 4000 5000
!
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
!
access-list outside_access_in extended permit object-group TCPUDP any object OBJ-10.1.1.1 object-group OBJ-10.1.1.1_SERVICES
MO
ASKER
Thanks Michael that makes sense.
I have another example where I have an internal host and I want to allow this host to access external servers on different ports, for example:
10.1.1.1 (Host1) -- 3.3.3.3 (Exhost) - TCP 19018, 19019
10.1.1.1 (Host1) -- 4.4.4.4 (Exhost) - TCP 4900, 4600, 5040; UDP 9400
Can you please advise how to configure the rules in a more efficient way?
Thanks
ASKER CERTIFIED SOLUTION
@ArneLovius,
I'm still very anxious to see how you're able to apply multiple PAT statements to a single object. Please share when you get a chance. Your last example showed that you were applying a single PAT to a single service object, but I'm interested in how you stack multiple PATs on a single object. That would save me tons of time.
MO
ASKER
Hi Michael
I know this question will be out of this topic, but I just need some quick suggestions.
We have some 3rd party support companies that need access into the network to a specific server, and I would like to lock the user down to specific IPs/ports.
For example, three employees from a company need access to different servers.
User 1 needs to reach Servers 1, 2 and 3
User 2 needs to reach Servers 4, 5
User 1 should not reach Servers 4, 5
Appreciating your help
@MichaelOrtega, which object are you referring to, the network object, or the service object, or do you mean a configuration line, which is not an "object" ?
ASKER
Experts
I would appreciate your suggestions on this comment:
https://www.experts-exchange.com/questions/28963313/ASA-Objects-for-Non-Standard-Ports.html?anchorAnswerId=41760615#a41760615
@cciedreamer,
I recommend you start a new question for that.
@ArneLovius,
We can probably drop the "one on one" on objects and PAT now. We can agree that there is more than one way to get it done. Fair? cciedreamer has the information he needs relative to this question.
MO
ASKER
Done Michael
Here you go:
https://www.experts-exchange.com/questions/28964384/ACLs-per-VPN-User.html
ASKER
Another point which came to my mind:
I have an internal host with the following configuration:
object network OBJ_10.10.20.7
host 10.10.20.7
des MAIL SERVER
nat (inside,outside) dynamic interface
object network OBJ_10.10.20.7_TCP443
host 10.10.20.7
des MAIL SERVER PAT /TCP 443
nat (inside,outside) static 1.1.1.1 service tcp 443 443
Will this configuration make a difference when accessing the mail server from outside?
@cciedreamer,
No need to have the dynamic NAT nested in your mail server object. Presumably, it's using the dynamic NAT that's already in place for the entire subnet.
The static PAT you have just means that your users will connect to 1.1.1.1 from the outside to access services on 443 (e.g. OWA, ECP, etc.)
MO
ASKER
Thanks. Actually, I haven't configured dynamic NAT on the subnet. I prefer to do it for individual network objects.
Without dynamic NAT in place how are all your devices behind the same network communicating with the outside world/Internet?
MO
ASKER
For any device that requires going to the Internet, I do the dynamic object NAT for each device.
Thanks
I see. Makes sense, although you could do that with ACLs instead. Might be cleaner? You could create an object-group of all the devices that aren't permitted and then write one ACL to deny. That way you would have only one ACL to define the deny and only one NAT statement in place. The only thing you would have to update on the firewall going forward is which new IP or object you want to deny, and just add them to the object-group you created.
MO
Of course, you could employ web security tools to do this for you instead.
MO
ASKER
Yes that is great advice as well.
ASKER
Hi
I just received a new request:
Allow 10.1.100.100 (inside) to access 172.16.1.100 (dmz) on ports 7000, 7005, 7008
Allow 10.1.100.101 (inside) to access 172.16.1.100 (dmz) on ports 7000, 7005, 7008
So what is your advice for the service and network objects? The communication should be bi-directional.
Unless the inside is at a lower security level than the DMZ, or you have a blanket deny from inside to DMZ, there is no requirement for an ACL to allow traffic from inside to DMZ.
I think the original question has been comprehensively answered...
ASKER
Inside has a security level of 100 and DMZ has 50.
I have a default deny rule on inside and dmz.
Yes, it is answered, but I would appreciate it if you could make a suggestion on my last comment.
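The two cases the thread keeps coming back to are the inbound TCP+UDP port list Michael configured above and this inside-to-DMZ request with a default deny on both interfaces. As an added example, not code from the thread or from Cisco, the helpers below render the object-group and ACL lines for both from a compact port spec such as "9991-9993,443,8000,4000-5000", validating the ranges first so a reversed or impossible port never becomes a rule. The group and ACL names OBJ-APP-CLIENTS, OBJ-APP-PORTS_TCP, inside_access_in and dmz_access_in are assumed names, not values from a real firewall.

```python
"""Render Cisco ASA object-group and ACL lines from a compact port spec.

Added example, not code from the thread or from Cisco. It regenerates
the inbound TCP+UDP configuration posted above and builds the
inside-to-DMZ case (10.1.100.100/.101 -> 172.16.1.100 on TCP 7000, 7005,
7008). OBJ-APP-CLIENTS, OBJ-APP-PORTS_TCP, inside_access_in and
dmz_access_in are assumed names, not values from a real firewall.
"""
from typing import List


def port_objects(spec: str) -> List[str]:
    """Expand '9991-9993,443,8000,4000-5000' into port-object lines.

    A single port becomes 'port-object eq N'; 'a-b' becomes
    'port-object range a b'. Bounds are checked so a reversed range
    ('5000-4000') or an impossible port is rejected instead of being
    turned into a rule that opens something other than what was meant.
    """
    lines: List[str] = []
    for item in spec.replace(" ", "").split(","):
        if not item:
            continue
        if "-" in item:
            lo, hi = (int(p) for p in item.split("-", 1))
            if not 1 <= lo <= hi <= 65535:
                raise ValueError(f"bad port range: {item}")
            lines.append(f" port-object range {lo} {hi}")
        else:
            port = int(item)
            if not 1 <= port <= 65535:
                raise ValueError(f"bad port: {item}")
            lines.append(f" port-object eq {port}")
    return lines


def spec_is_valid(spec: str) -> bool:
    """True when port_objects() accepts the spec, False on any parse error."""
    try:
        port_objects(spec)
        return True
    except ValueError:
        return False


def service_group(name: str, proto: str, spec: str) -> List[str]:
    """object-group service <name> tcp|udp|tcp-udp followed by its ports."""
    if proto not in ("tcp", "udp", "tcp-udp"):
        raise ValueError(f"unsupported protocol keyword: {proto}")
    return [f"object-group service {name} {proto}"] + port_objects(spec)


def network_group(name: str, hosts: List[str]) -> List[str]:
    """object-group network <name> with one network-object host per member."""
    return [f"object-group network {name}"] + [
        f" network-object host {h}" for h in hosts
    ]


def ace(acl: str, proto: str, src: str, dst: str, svc: str) -> str:
    """One extended ACE; the tokens are passed already formed, e.g.
    'any', 'host 1.2.3.4', 'object X' or 'object-group Y'."""
    return f"access-list {acl} extended permit {proto} {src} {dst} {svc}"


def inbound_example() -> List[str]:
    """The inbound TCP+UDP example from the thread, produced by the helpers."""
    lines = [
        "object network OBJ-10.1.1.1",
        " host 10.1.1.1",
        " nat (INT_IWX_DATA,outside) static 1.1.1.2",
        "!",
    ]
    lines += service_group("OBJ-10.1.1.1_SERVICES", "tcp-udp",
                           "9991-9993,443,8000,4000-5000") + ["!"]
    lines += ["object-group protocol TCPUDP", " protocol-object udp",
              " protocol-object tcp", "!"]
    lines.append(ace("outside_access_in", "object-group TCPUDP", "any",
                     "object OBJ-10.1.1.1",
                     "object-group OBJ-10.1.1.1_SERVICES"))
    return lines


def dmz_example() -> List[str]:
    """Two inside hosts to one DMZ host on three TCP ports.

    The ASA is stateful: replies to sessions the inside hosts open need
    no rule of their own. The dmz_access_in ACE is only needed if the DMZ
    host must itself open connections back to the two inside hosts on
    those ports; leave it out when 'bi-directional' only means
    request/response traffic.
    """
    lines = network_group("OBJ-APP-CLIENTS", ["10.1.100.100", "10.1.100.101"])
    lines += ["object network OBJ-172.16.1.100", " host 172.16.1.100"]
    lines += service_group("OBJ-APP-PORTS_TCP", "tcp", "7000,7005,7008")
    lines.append(ace("inside_access_in", "tcp", "object-group OBJ-APP-CLIENTS",
                     "object OBJ-172.16.1.100", "object-group OBJ-APP-PORTS_TCP"))
    lines.append(ace("dmz_access_in", "tcp", "object OBJ-172.16.1.100",
                     "object-group OBJ-APP-CLIENTS", "object-group OBJ-APP-PORTS_TCP"))
    lines += ["access-group inside_access_in in interface inside",
              "access-group dmz_access_in in interface dmz"]
    return lines


if __name__ == "__main__":
    print("\n".join(inbound_example() + ["!"] + dmz_example()))
```

Running the file prints both configurations ready to paste; the generator keeps the port list in one service group per host so an ACL change is a one-line edit, and the rejected-spec path is the check worth keeping when port lists arrive by ticket rather than by hand.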
@cciedreamer,
It's important that you stick to the original scope of your question, allow the experts to help and answer and then close the question out. If you have additional questions, e.g. additional scope items, you should start a new question.
MO
ASKER
Hi, sure.
Very last question in this thread, which I guess is related to the original question.
Can you please suggest something on this comment:
https://www.experts-exchange.com/questions/28963313/ASA-Objects-for-Non-Standard-Ports.html?anchorAnswerId=41762898#a41762898
@cciedreamer,
This is a separate question and should be opened up as a new one.
MO