Techrunner

ASA Objects for Non Standard Ports

Hello

Please, I need your suggestions for creating service objects or object-groups for non-standard TCP/UDP ports on a Cisco ASA firewall.

What is the best standard/naming convention to use for creating such objects?

Many Thanks in Advance
Michael Ortega

You can create objects for each individual object and then put them into an object-group, or you can just create an object-group and define the ports there. Can you give us a specific example of the ports you need created? Would they all forward to the same internal host?

MO
Please also specify if they are TCP, UDP or both.

MO
Techrunner

ASKER

Thanks Michael

For example, TCP ports like 9001, 9282, 9277, etc.

Sometimes it is required for the same internal host and sometimes not.

What will be the best standard method and naming convention?
I always prefix all object groups with OBJ- and I always suffix TCP/UDP port groups with -UDP and -TCP. I always use UPPERCASE for user-defined things (class-maps, ACLs, policies, and object groups) because it makes them easy to locate in a config when you are trying to troubleshoot. Other than that it's pretty much personal preference.

I've spent many hours making firewall configs immaculate, then a client with 10 minutes in the ASDM makes it look like a bag of spanners!!!

Pete
SOLUTION
Michael Ortega

This solution is only available to members.
Thanks Michael and Pete

How about this

object network OBJ-10.1.1.1
host 10.1.1.1
description Server1

object network OBJ-10.1.1.1-TCP9090
host 10.1.1.1
nat (inside,outside) static 1.1.1.1 service tcp 9090 9090

object network OBJ-10.1.2.1
host 10.1.2.1
description Server2

object network OBJ-10.1.2.1-TCP9277
host 10.1.2.1
nat (inside,outside) static 2.2.2.2 service tcp 9277 9277

object network OBJ-10.1.2.1-TCP9299
host 10.1.2.1
nat (inside,outside) static 2.2.2.2 service tcp 9299 9299


Here I have created network objects.
Now what is the best way to create service objects for both servers so I can put them in an ACL for inbound connections?

Please advise
SOLUTION
This solution is only available to members.
For example, let's assume I have a server that should be accessible from the Internet and this server has multiple ports mapped to a single public IP. These ports are 9991, 9992, 9993, 443, 8000, 4000-5000.
What should the syntax be in such a case?
SOLUTION
This solution is only available to members.
@Michael Ortega

"The reason we create separate objects (even though the host IPs are the same) is that you can only assign one NAT to each object."

You can only assign one NAT to each object, but you can have multiple PATs, and as adding more than one NAT for an IP address would make no sense, there is no requirement to have the port in the network object name; just use the port in the service name.
ArneLovius,

I'm not sure anyone mentioned anything about naming requirements for objects. It was asked what the recommendations were for creating objects. The naming convention I use when I have multiple services (multiple, but only a few) is to enter the port number in the object name. It's just a reference. I can call it whatever I want, of course.

What we're talking about is PAT. You can only assign one PAT to each object, but if you believe this is untrue please advise us all on how you do it. Creating multiple PAT statements within an object simply overwrites the previous one. That's why I create an object for each service and then nest the PAT statement relative to that particular service in each appropriate object.

Please provide a working sample of what you're referring to. I've never seen it done that way.

Here's a reference for you Arne. This is how I've always done it since 8.3: https://supportforums.cisco.com/discussion/10962221/asa-83-single-host-multiple-pat

MO
Arne,

Perhaps you were just correcting my use of the acronym NAT, when I really meant PAT. If that's the case, thanks for correcting me.

Either way, you can only assign one PAT to each object, which is what I meant to say originally.

MO
Hi Arne Lovius

Can you please give your examples

Thanks
@Michael Ortega, I was quoting your words, and with your last post "you can only assign one PAT to each object" I would strongly disagree.

Multiple PAT statements per network object as below

Create the network objects

object network host.domain.com
 host 1.2.3.4
object network host.local
 host 192.168.1.1

Create services

object service tcp-src-3840
 service tcp source eq 3840
object service tcp-src-4444
 service tcp source eq 4444
object service tcp-src-18080
 service tcp source eq 18080

Use the network objects and service objects in PAT statements

nat (inside,ISP) source static host.local host.domain.com service tcp-src-3840 tcp-src-3840
nat (inside,ISP) source static host.local host.domain.com service tcp-src-4444 tcp-src-4444
nat (inside,ISP) source static host.local host.domain.com service tcp-src-18080 tcp-src-18080
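Both styles discussed in this thread leave room for a quiet mistake: a second nat line typed under a network object replaces the first (Michael's point above), and a twice-NAT line can name a service object that was never created, which the firewall will reject at the moment you paste it in. The following Python script is an added example, not from this thread and not a Cisco tool, that runs those two checks over a hand-written change set before it is pushed. The sample configuration inside it is constructed for the demonstration, with both mistakes planted, and the only twice-NAT form it understands is `nat (a,b) source static REAL MAPPED [service S1 S2]`.

```python
"""Pre-deployment checks for a hand-written Cisco ASA NAT change set.  Added
example tooling, not a Cisco tool and not code from this thread; the sample
configuration below is constructed for the demonstration.  Two things it flags:
a network object carrying more than one nat line (on the ASA the second
replaces the first, so one intended translation silently disappears), and
twice-NAT lines that reference network or service objects never defined."""

import re
from collections import defaultdict
from typing import Dict, List, Set

NET_OBJ = re.compile(r"^object network (\S+)$")
SVC_OBJ = re.compile(r"^object service (\S+)$")
# 'nat (real,mapped) source static REAL MAPPED [service REAL_SVC MAPPED_SVC]'
# is the only twice-NAT form this checker understands; other forms are ignored.
TWICE_NAT = re.compile(
    r"^nat \(\S+,\S+\) source static (\S+) (\S+)(?: service (\S+) (\S+))?")


def parse(config: str):
    net: Set[str] = set()
    svc: Set[str] = set()
    object_nats: Dict[str, List[str]] = defaultdict(list)
    twice = []                             # (real, mapped, real_svc, mapped_svc)
    current = None                         # network object whose sub-commands follow
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if not line.startswith(" "):       # top-level command
            current = None
            m = NET_OBJ.match(line)
            if m:
                net.add(m.group(1))
                current = m.group(1)
                continue
            m = SVC_OBJ.match(line)
            if m:
                svc.add(m.group(1))
                continue
            m = TWICE_NAT.match(line)
            if m:
                twice.append(m.groups())
        elif current and line.strip().startswith("nat "):
            object_nats[current].append(line.strip())
    return net, svc, object_nats, twice


def lint(config: str) -> List[str]:
    """Return one human-readable finding per problem found in the change set."""
    net, svc, object_nats, twice = parse(config)
    findings = []
    for name, nats in object_nats.items():
        if len(nats) > 1:
            findings.append(f"{name}: {len(nats)} nat lines in one network object; "
                            f"the ASA keeps only the last one")
    for real, mapped, real_svc, mapped_svc in twice:
        for n in {real, mapped} - net:
            findings.append(f"twice NAT references undefined network object {n}")
        for s in {real_svc, mapped_svc} - svc - {None}:
            findings.append(f"twice NAT references undefined service object {s}")
    return findings


# Constructed sample: a change set with both mistakes planted in it.
SAMPLE_CONFIG = """\
object network host.domain.com
 host 1.2.3.4
object network host.local
 host 192.168.1.1
object network OBJ-10.1.1.1-TCP9090
 host 10.1.1.1
 nat (inside,outside) static 1.1.1.1 service tcp 9090 9090
 nat (inside,outside) static 1.1.1.1 service tcp 9091 9091
object service tcp-src-3840
 service tcp source eq 3840
object service tcp-src-18080
 service tcp source eq 18080
nat (inside,ISP) source static host.local host.domain.com service tcp-src-3840 tcp-src-3840
nat (inside,ISP) source static host.local host.domain.com service tcp-src-1880 tcp-src-1880
"""

if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample it reports exactly two findings: the object with two nat lines, and the twice-NAT line whose service name has a digit missing. Feed it your own change set via `lint(open("change.txt").read())`.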
Thanks Arne
Good Suggestion as well

How about creating service objects for multiple ports?
Wow. I guess I knew you could do it that way as well, but why the heck would you want to? It's more work. So in my example using network/host objects you create 3 objects and 3 PATs nested in the respective objects. In your example you create 2 host objects, 3 service objects and 3 PATs. I guess I'm glad I do it the way I do.

@cciedreamer, if you're forwarding lots of services and/or port ranges I suggest you use my example with the object-group(s).

MO
@Arne

In response to your response regarding my response (LOL),

"I would strongly disagree" about my statement regarding "you can only assign one PAT to each object."

You strongly disagreed, but in your example it's exactly what you did. LOL.

Create services

object service tcp-src-3840
 service tcp source eq 3840
object service tcp-src-4444
 service tcp source eq 4444
object service tcp-src-18080
 service tcp source eq 18080

Use the network objects and service objects in PAT statements

nat (inside,ISP) source static host.local host.domain.com service tcp-src-3840 tcp-src-3840
nat (inside,ISP) source static host.local host.domain.com service tcp-src-4444 tcp-src-4444
nat (inside,ISP) source static host.local host.domain.com service tcp-src-18080 tcp-src-18080


You created 3 service objects and 3 PATs, one for each object.

MO
Hi
What about the ACLs
Because I don't want to create an ACL for each service, that is why I was asking about service object groups.
@cciedreamer,

Please see my comment about service groups above. I gave you the configuration you need to make this work with the least amount of configuration.

MO
From my comment on 2016-08-15 at 16:34:07:

If you want both TCP and UDP, see below. I recommend when you have large port ranges like this that you have a 1:1 NAT for that host on a dedicated public IP from your block of available usables. For example, if you have 1.1.1.1 as your primary assigned Outside interface, but you have 1.1.1.2 - 1.1.1.5 also available, I would do the following:

object network OBJ-10.1.1.1
 host 10.1.1.1
 nat (INT_IWX_DATA,outside) static 1.1.1.2
!
object-group service OBJ-10.1.1.1_SERVICES tcp-udp
 port-object range 9991 9993
 port-object eq 443
 port-object eq 8000
 port-object range 4000 5000
!
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
!
access-list outside_access_in extended permit object-group TCPUDP any object OBJ-10.1.1.1 object-group OBJ-10.1.1.1_SERVICES


MO
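The configuration above is the pattern worth turning into a repeatable script: one network object with a 1:1 static NAT, one service object-group holding the ports, and one ACE. The Python below is an added example of that generator, not from this thread and not a Cisco tool; it follows the naming convention Pete and Michael described (uppercase, OBJ- prefix, _SERVICES suffix, and -TCP/-UDP suffixes when the two protocols carry different ports), merges consecutive ports into a range, and falls back to a single `tcp-udp` group plus the TCPUDP protocol group only when the TCP and UDP port lists are identical. Interface names, the ACL name and the sample IPs are assumptions.

```python
"""Render Cisco ASA object NAT, service object-group and ACL lines for a host
that publishes several non-standard ports.  Added example tooling (not a Cisco
tool and not the thread's own configuration); interface names, IPs and the
ACL name are assumed.  Naming follows the thread's convention: uppercase,
OBJ- prefix, _SERVICES suffix, and -TCP/-UDP suffixes when the protocols differ."""

from dataclasses import dataclass, field
from typing import List, Tuple, Union

PortSpec = Union[int, Tuple[int, int]]   # a single port or an inclusive (lo, hi) range


@dataclass
class Publish:
    inside_ip: str
    public_ip: str                        # dedicated public IP for a 1:1 static NAT
    tcp_ports: List[PortSpec] = field(default_factory=list)
    udp_ports: List[PortSpec] = field(default_factory=list)
    inside_if: str = "inside"
    outside_if: str = "outside"
    acl_name: str = "outside_access_in"


def collapse_ranges(ports: List[PortSpec]) -> List[Tuple[int, int]]:
    """Normalise a mixed list of ports and ranges into sorted, merged (lo, hi)
    spans, so consecutive ports such as 9991, 9992, 9993 become one range."""
    spans = []
    for p in ports:
        lo, hi = (p, p) if isinstance(p, int) else p
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"invalid port spec {p!r}")
        spans.append((lo, hi))
    spans.sort()
    merged: List[Tuple[int, int]] = []
    for lo, hi in spans:
        if merged and lo <= merged[-1][1] + 1:          # adjacent or overlapping
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged


def port_objects(spans: List[Tuple[int, int]]) -> List[str]:
    """One port-object line per span, using 'eq' for single ports."""
    return [f" port-object eq {lo}" if lo == hi else f" port-object range {lo} {hi}"
            for lo, hi in spans]


def render(pub: Publish) -> List[str]:
    """Return the configuration lines for one published host."""
    obj = f"OBJ-{pub.inside_ip}"
    lines = [f"object network {obj}",
             f" host {pub.inside_ip}",
             f" nat ({pub.inside_if},{pub.outside_if}) static {pub.public_ip}",
             "!"]
    acl: List[str] = []
    tcp, udp = collapse_ranges(pub.tcp_ports), collapse_ranges(pub.udp_ports)
    if tcp and tcp == udp:
        # Same ports on both protocols: a single tcp-udp group and a protocol
        # object-group, as in the thread's example.
        grp = f"{obj}_SERVICES"
        lines += [f"object-group service {grp} tcp-udp", *port_objects(tcp), "!",
                  "object-group protocol TCPUDP", " protocol-object udp",
                  " protocol-object tcp", "!"]
        acl.append(f"access-list {pub.acl_name} extended permit object-group TCPUDP "
                   f"any object {obj} object-group {grp}")
    else:
        # Otherwise one group and one ACE per protocol that actually has ports.
        for proto, spans in (("tcp", tcp), ("udp", udp)):
            if not spans:
                continue
            grp = f"{obj}_SERVICES-{proto.upper()}"
            lines += [f"object-group service {grp} {proto}", *port_objects(spans), "!"]
            acl.append(f"access-list {pub.acl_name} extended permit {proto} "
                       f"any object {obj} object-group {grp}")
    return lines + acl


# Constructed sample: the asker's port list on both TCP and UDP, 10.1.1.1 -> 1.1.1.2
EXAMPLE = Publish("10.1.1.1", "1.1.1.2",
                  tcp_ports=[9991, 9992, 9993, 443, 8000, (4000, 5000)],
                  udp_ports=[9991, 9992, 9993, 443, 8000, (4000, 5000)])

if __name__ == "__main__":
    print("\n".join(render(EXAMPLE)))
```

`render(EXAMPLE)` reproduces the object, group and ACE above (with `inside` in place of the site-specific interface name); passing only `tcp_ports=[9001, 9282, 9277]` yields a single `OBJ-10.1.2.1_SERVICES-TCP` group and a `permit tcp` ACE, which is the shape Pete's -TCP/-UDP suffix convention expects.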
Thanks Michael that makes sense.

I have another example where I have an internal host and I want to allow this host to access external servers on different ports, for example:

10.1.1.1 (Host1) -- 3.3.3.3 (Exhost) - TCP 19018, 19019
10.1.1.1 (Host1) -- 4.4.4.4 (Exhost) - TCP 4900, 4600, 5040; UDP 9400

Can you please advise how to configure the rules in a more efficient way?

Thanks
ASKER CERTIFIED SOLUTION
This solution is only available to members.
@ArneLovius,

I'm still very anxious to see how you're able to apply multiple PAT statements to a single object. Please share when you get a chance. Your last example showed that you were applying a single PAT to a single service object, but I'm interested in how you stack multiple PATs on a single object. That would save me tons of time.

MO
Hi Michael
I know this question will be out of this topic, but I just need some quick suggestions.


We have some 3rd party support companies that need access into the network to a specific server and I would like to lock down the user to specific IPs/ports.

For example, three employees from company need access to different servers.

User1 needs to reach Server 1,2 and 3
User 2 needs to reach Server 4,5
User 1 should not reach Server 4,5

I appreciate your help.
@MichaelOrtega, which object are you referring to, the network object or the service object, or do you mean a configuration line, which is not an "object"?
@cciedreamer,

I recommend you start a new question for that.

@ArneLovius,

We can probably drop the "one on one" on objects and PAT now. We can agree that there is more than one way to get it done. Fair? cciedreamer has the information he needs relative to this question.

MO
Another point which came to my mind

I have internal host with following configuration

object network OBJ_10.10.20.7
host 10.10.20.7
des MAIL SERVER
nat (inside,outside) dynamic interface

object network OBJ_10.10.20.7_TCP443
host 10.10.20.7
des MAIL SERVER PAT /TCP 443
nat (inside,outside) static 1.1.1.1 service tcp 443 443

Will this configuration make a difference when accessing the mail server from outside?
@cciedreamer,

No need to have the dynamic NAT nested in your mail server object. Presumably, it's using the dynamic NAT that's already in place for the entire subnet.

The static PAT you have just means that your users will connect to 1.1.1.1 from the outside to access services on 443 (e.g. OWA, ECP, etc.)

MO
Thanks. Actually, I haven't configured dynamic NAT on the subnet. I prefer to do it for individual network objects.
Without dynamic NAT in place how are all your devices behind the same network communicating with the outside world/Internet?

MO
For any device that requires going to the Internet, I do the dynamic object NAT for each device.

Thanks
I see. Makes sense, although you could do that with ACLs instead. Might be cleaner? You could create an object-group of all the devices that aren't permitted and then write one ACL to deny. That way you could have one ACL only to define the deny and one NAT statement only in place. The only thing you would have to update on the firewall going forward is what new IP or object you want to deny, and just add them to the object-group you created.

MO
Of course, you could employ web security tools to do this for you instead.

MO
Yes that is great advice as well.
Hi
I just received a new request:

Allow 10.1.100.100 (inside) to access 172.16.1.100 (dmz) on ports 7000, 7005, 7008
Allow 10.1.100.101 (inside) to access 172.16.1.100 (dmz) on ports 7000, 7005, 7008

So what is your advice for service and network objects? The communication should be bi-directional.
Unless the inside is at a lower security level than the DMZ, or you have a blanket deny from inside to DMZ, there is no requirement for an ACL to allow traffic from inside to DMZ.

I think the original question has been comprehensively answered...
Inside has a security level of 100 and the DMZ has 50.
I have a default deny rule on inside and dmz.

Yes, it is answered, but I would appreciate it if you guys could suggest something on my last comment.
@cciedreamer,

It's important that you stick to the original scope of your question, allow the experts to help and answer and then close the question out. If you have additional questions, e.g. additional scope items, you should start a new question.

MO
Hi, sure.
Very last question in this thread, which I guess is related to the original question.

Please can you suggest something on this comment

https://www.experts-exchange.com/questions/28963313/ASA-Objects-for-Non-Standard-Ports.html?anchorAnswerId=41762898#a41762898
@cciedreamer,

This is a separate question and should be opened up as a new one.

MO