Pix and port range/Object-Group configuration...

Answered Question
Jan 4th, 2010
I have setup several PIX firewalls in the past but never had the need to use the new Object-Group configurations. I have a setup that requires me to send traffic to multiple internal servers when listening on one of the external IP addresses and using port ranges.


This is what I need:


Example: Outside IP of xxx.xxx.xxx.219 to the following internal IPs:


Ports 5080-5081 to 192.168.100.150
Ports 10020-10051 to 192.168.100.152
Ports 10052-10083 to 192.168.100.153
I am running version 6.3 so it does have Object-Group capability. I am a bit lost trying to configure Object-Groups to do the trick, any help would be greatly appreciated. Thanks in advance!
Jon Marshall Mon, 01/04/2010 - 13:48
ronwoods wrote:


I have setup several PIX firewalls in the past but never had the need to use the new Object-Group configurations. I have a setup that requires me to send traffic to multiple internal servers when listening on one of the external IP addresses and using port ranges.


This is what I need:


Example: Outside IP of xxx.xxx.xxx.219 to the following internal IPs:


Ports 5080-5081 to 192.168.100.150
Ports 10020-10051 to 192.168.100.152
Ports 10052-10083 to 192.168.100.153
I am running version 6.3 so it does have Object-Group capability. I am a bit lost trying to configure Object-Groups to do the trick, any help would be greatly appreciated. Thanks in advance

Ron


Assuming the ports are TCP -


object-group service PORTS_150 tcp

port-object range 5080 5081


object-group service PORTS_152 tcp

port-object range 10020 10051


object-group service PORTS_153 tcp

port-object range 10052 10083


access-list outside_in permit tcp host xxx.xxx.xxx.219 host 192.168.100.150 object-group PORTS_150

access-list outside_in permit tcp host xxx.xxx.xxx.219 host 192.168.100.152 object-group PORTS_152

access-list outside_in permit tcp host xxx.xxx.xxx.219 host 192.168.100.153 object-group PORTS_153


Jon

ronwoods Mon, 01/04/2010 - 14:31

I have this set now in the PIX and will test in a bit.... THANK YOU! I will let you know if this worked! So simple, no wonder I was confused.

ronwoods Tue, 01/05/2010 - 07:59

I assume if there may also be UDP ports in use it would look something like this:


object-group service PORTS_150 tcp-udp
port-object range 5080 5081
object-group service PORTS_152 tcp-udp
port-object range 10020 10051
object-group service PORTS_153 tcp-udp
port-object range 10052 10083
access-list outside_in permit tcp host xxx.xxx.xxx.219 host 192.168.100.150 object-group PORTS_150
access-list outside_in permit udp host xxx.xxx.xxx.219 host 192.168.100.150 object-group PORTS_150
access-list outside_in permit tcp host xxx.xxx.xxx.219 host 192.168.100.152 object-group PORTS_152
access-list outside_in permit udp host xxx.xxx.xxx.219 host 192.168.100.152 object-group PORTS_152
access-list outside_in permit tcp host xxx.xxx.xxx.219 host 192.168.100.153 object-group PORTS_153
access-list outside_in permit udp host xxx.xxx.xxx.219 host 192.168.100.153 object-group PORTS_153


Do I need anything else to allow the new access-list "outside_in" inside other than these settings above?


Thanks again for your help!


Ron

Correct Answer
Jon Marshall Tue, 01/05/2010 - 08:02
ronwoods wrote:


I assume if there may also be UDP ports in use it would look something like this:


object-group service PORTS_150 tcp-udp
port-object range 5080 5081
object-group service PORTS_152 tcp-udp
port-object range 10020 10051
object-group service PORTS_153 tcp-udp
port-object range 10052 10083
access-list outside_in permit tcp host xxx.xxx.xxx.219 host 192.168.100.150 object-group PORTS_150
access-list outside_in permit udp host xxx.xxx.xxx.219 host 192.168.100.150 object-group PORTS_150
access-list outside_in permit tcp host xxx.xxx.xxx.219 host 192.168.100.152 object-group PORTS_152
access-list outside_in permit udp host xxx.xxx.xxx.219 host 192.168.100.152 object-group PORTS_152
access-list outside_in permit tcp host xxx.xxx.xxx.219 host 192.168.100.153 object-group PORTS_153
access-list outside_in permit udp host xxx.xxx.xxx.219 host 192.168.100.153 object-group PORTS_153


Do I need anything else to allow the new access-list "outside_in" inside other than these settings above?


Thanks again for your help!


Ron


Ron


Yes it would look like that.


You would need to apply the access-list to the outside interface, i.e.


access-group outside_in in interface outside


but be aware that you can only have one acl applied inbound on an interface, so if you already have an acl applied then just add to that one rather than creating a new one.


Edit - also be aware that there is an implicit "deny ip any any" at the end of any acl.


Jon

ronwoods Tue, 01/05/2010 - 08:15

I do already have this:



access-group inbound in interface outside

However, the IP xxx.xxx.xxx.219 is an additional outside IP and not one that is directly assigned to the outside interface. How would I do this using a secondary IP?


Here is my complete configuration:


: Saved
:
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
interface ethernet2 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password  encrypted
passwd n9.B5r1NNJcj9JlZ encrypted
hostname pixfirewall
domain-name pix
fixup protocol dns maximum-length 2048
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
no fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group service PORTS_150 tcp-udp
  port-object range 5080 5081
object-group service PORTS_152 tcp-udp
  port-object range 10020 10051
object-group service PORTS_153 tcp-udp
  port-object range 10052 10083
access-list inbound permit udp any host xxx.xxx.xxx.210 eq 1604
access-list inbound permit tcp any host xxx.xxx.xxx.210 eq citrix-ica
access-list inbound permit tcp any host xxx.xxx.xxx.210 eq 5993
access-list inbound permit tcp any host xxx.xxx.xxx.210 eq https
access-list inbound permit tcp any host xxx.xxx.xxx.210 eq smtp
access-list inbound permit tcp any host xxx.xxx.xxx.210 eq pop3
access-list inbound permit icmp any any
access-list inbound permit tcp any host xxx.xxx.xxx.212 eq www
access-list inbound permit tcp any host xxx.xxx.xxx.212 eq https
access-list inbound permit tcp any host xxx.xxx.xxx.212 eq ftp
access-list inbound permit tcp any host xxx.xxx.xxx.210 eq 3389
access-list inbound permit tcp any host xxx.xxx.xxx.211 eq https
access-list inbound permit tcp any host xxx.xxx.xxx.211 eq www
access-list inbound permit tcp any host xxx.xxx.xxx.213 eq https
access-list inbound permit ip any host xxx.xxx.xxx.219
access-list dmz_in permit icmp any any
access-list dmz_in permit ip any any
access-list outside_in permit tcp host xxx.xxx.xxx.219 host 192.168.100.150 object-group PORTS_150
access-list outside_in permit udp host xxx.xxx.xxx.219 host 192.168.100.150 object-group PORTS_150
access-list outside_in permit tcp host xxx.xxx.xxx.219 host 192.168.100.152 object-group PORTS_152
access-list outside_in permit udp host xxx.xxx.xxx.219 host 192.168.100.152 object-group PORTS_152
access-list outside_in permit tcp host xxx.xxx.xxx.219 host 192.168.100.153 object-group PORTS_153
access-list outside_in permit udp host xxx.xxx.xxx.219 host 192.168.100.153 object-group PORTS_153
access-list outside_in permit ip any host xxx.xxx.xxx.219
pager lines 24
logging on
logging timestamp
logging trap informational
logging host inside 192.168.0.13
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside xxx.xxx.xxx.210 255.255.255.240
ip address inside 192.168.0.1 255.255.255.0
ip address dmz 192.168.5.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) udp interface 1604 192.168.0.5 1604 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5993 192.168.0.2 5993 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface citrix-ica 192.168.0.5 citrix-ica netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pop3 192.168.0.9 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp 192.168.0.9 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https 192.168.0.6 https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 192.168.0.9 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 192.168.0.120 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp xxx.xxx.xxx.211 www 192.168.0.7 www netmask 255.255.255.255 0 0
static (inside,outside) tcp xxx.xxx.xxx.211 https 192.168.0.9 https netmask 255.255.255.255 0 0
static (inside,outside) tcp xxx.xxx.xxx.213 https 192.168.0.12 https netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.255.0 0 0
static (dmz,outside) xxx.xxx.xxx.212 192.168.5.3 netmask 255.255.255.255 0 0
static (dmz,outside) 209.150.203.252 192.168.5.2 netmask 255.255.255.255 0 0
access-group inbound in interface outside
access-group dmz_in in interface dmz
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.209 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
snmp-server host inside 192.168.0.4
no snmp-server location
no snmp-server contact
snmp-server community pix
snmp-server enable traps
floodguard enable
telnet 0.0.0.30 255.255.255.255 inside
telnet 192.168.0.0 255.255.255.255 inside
telnet 192.168.0.0 255.255.255.0 inside
telnet 0.0.0.30 255.255.255.255 dmz
telnet 192.168.0.0 255.255.255.255 dmz
telnet timeout 60
ssh 171.68.225.212 255.255.255.255 outside
ssh timeout 60
console timeout 60
terminal width 80
Cryptochecksum:
: end


Your help is GREATLY appreciated..... Thank you!


Ron

ronwoods Mon, 01/18/2010 - 09:06

Jon, I am not sure if you missed this, but I am still looking for an answer and was still hoping you might be able to solve my question. As you can see I posted the full config and maybe that will help with the solution.

Jon Marshall Mon, 01/18/2010 - 09:34
Ron


Apologies, I did miss that post.


Could you just summarise what you are having problems with. Is it the object-groups or something else ?


Jon

ronwoods Mon, 01/18/2010 - 10:16

Jon, I will try... as in the earlier post you gave me the following:


object-group service PORTS_150 tcp

port-object range 5080 5081


object-group service PORTS_152 tcp

port-object range 10020 10051


object-group service PORTS_153 tcp

port-object range 10052 10083


access-list outside_in permit tcp host xxx.xxx.xxx.219 host 192.168.100.150 object-group PORTS_150

access-list outside_in permit tcp host xxx.xxx.xxx.219 host 192.168.100.152 object-group PORTS_152

access-list outside_in permit tcp host xxx.xxx.xxx.219 host 192.168.100.153 object-group PORTS_153



This would obviously work if the access-group tied to the outside interface was also the xxx.xxx.xxx.219 address, but it isn't; the outside IP address is xxx.xxx.xxx.210.


So now my problem is, how do we do this where we need to create the above config but using a secondary IP address? As you can see I posted the entire config, I have never gotten this deep into the PIX configs using object-groups and such.


The basic idea is we now have a VOIP system where internally the system utilizes three different IPs as noted in the above config, and on the outside this is going to be set up on a secondary IP that is NOT the main IP address tied to the outside interface used in the access-group.


Does this help at all??


THANK YOU for getting back to me.

Jon Marshall Mon, 01/18/2010 - 10:24
ronwoods wrote:


Jon, I will try... as in the earlier post you gave me the following:


object-group service PORTS_150 tcp

port-object range 5080 5081


object-group service PORTS_152 tcp

port-object range 10020 10051


object-group service PORTS_153 tcp

port-object range 10052 10083


access-list outside_in permit tcp host xxx.xxx.xxx.219 host 192.168.100.150 object-group PORTS_150

access-list outside_in permit tcp host xxx.xxx.xxx.219 host 192.168.100.152 object-group PORTS_152

access-list outside_in permit tcp host xxx.xxx.xxx.219 host 192.168.100.153 object-group PORTS_153




This would obviously work if the access-group tied to the outside interface was also the xxx.xxx.xxx.219 address, but it isn't; the outside IP address is xxx.xxx.xxx.210.


So now my problem is, how do we do this where we need to create the above config but using a secondary IP address? As you can see I posted the entire config, I have never gotten this deep into the PIX configs using object-groups and such.


The basic idea is we now have a VOIP system where internally the system utilizes three different IPs as noted in the above config, and on the outside this is going to be set up on a secondary IP that is NOT the main IP address tied to the outside interface used in the access-group.


Does this help at all??


THANK YOU for getting back to me.


Ron


So to clarify -


you have 3 internal servers - 192.168.100.150/152/153

you have an external IP address x.x.x.219


Now do you want to present the internal servers as this public IP address to the Internet ?


If so you can do this, but there is a fair bit of extra config due to the fact that you have one public IP going to 3 private IPs.

Also your acl would need changing.


Can you just confirm if this is what you are trying to do ?


Jon

ronwoods Mon, 01/18/2010 - 10:30

Yes, keeping the existing xxx.xxx.xxx.210 as the default external IP and now using the xxx.xxx.xxx.219 solely for these 3 internal IPs using the port ranges as we discussed in earlier posts...


object-group service PORTS_150 tcp

port-object range 5080 5081


object-group service PORTS_152 tcp

port-object range 10020 10051


object-group service PORTS_153 tcp

port-object range 10052 10083


access-list outside_in permit tcp host xxx.xxx.xxx.219 host 192.168.100.150 object-group PORTS_150

access-list outside_in permit tcp host xxx.xxx.xxx.219 host 192.168.100.152 object-group PORTS_152

access-list outside_in permit tcp host xxx.xxx.xxx.219 host 192.168.100.153 object-group PORTS_153


This is what we are after.


Ron

Jon Marshall Mon, 01/18/2010 - 11:33
ronwoods wrote:


Yes, keeping the existing xxx.xxx.xxx.210 as the default external IP and now using the xxx.xxx.xxx.219 solely for these 3 internal IPs using the port ranges as we discussed in earlier posts...


object-group service PORTS_150 tcp

port-object range 5080 5081


object-group service PORTS_152 tcp

port-object range 10020 10051


object-group service PORTS_153 tcp

port-object range 10052 10083


access-list outside_in permit tcp host xxx.xxx.xxx.219 host 192.168.100.150 object-group PORTS_150

access-list outside_in permit tcp host xxx.xxx.xxx.219 host 192.168.100.152 object-group PORTS_152

access-list outside_in permit tcp host xxx.xxx.xxx.219 host 192.168.100.153 object-group PORTS_153


This is what we are after.


Ron


Ron


1) your acl is wrong. Assuming you want to allow hosts from the internet change to -


access-list outside_in permit tcp any host xxx.xxx.xxx.219 object-group PORTS_150

access-list outside_in permit tcp any host xxx.xxx.xxx.219 object-group PORTS_152

access-list outside_in permit tcp any host xxx.xxx.xxx.219 object-group PORTS_153


Note I have used "any" which means any IP address. If you want to restrict it to certain IPs from the internet then you can


2) You now need static NAT translations. Because you are using one public to 3 private you need to do port forwarding. Now you can use access-lists that include the port range, but there are problems with this working on some versions of ASA. So you will need to list them out, i.e.


static (inside,outside) tcp xxx.xxx.xxx.219 5080 192.168.100.150 5080

static (inside,outside) tcp xxx.xxx.xxx.219 5081 192.168.100.150 5081


static (inside,outside) tcp xxx.xxx.xxx.219 10020 192.168.100.152 10020

static (inside,outside) tcp xxx.xxx.xxx.219 10021 192.168.100.152 10021

etc.. for all the ports allowed to 192.168.100.152


static (inside,outside) tcp xxx.xxx.xxx.219 10052 192.168.100.153 10052

static (inside,outside) tcp xxx.xxx.xxx.219 10053 192.168.100.153 10053

etc.. for all the ports allowed to 192.168.100.153


Jon
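As an added example (this is not code from the thread, from Cisco, or from either poster), the following Python builds the object-groups, the corrected ACL entries and the expanded per-port static translations from the three ranges discussed above, then runs a small first-match ACL evaluator over constructed sample flows. It shows why the original ACL form (public IP as source, inside server as destination) matches nothing arriving from the internet, that traffic to a port outside the ranges falls to the implicit "deny ip any any", and how many static lines the three ranges expand to. 203.0.113.219 stands in for the thread's xxx.xxx.xxx.219 and 198.51.100.7 is a placeholder internet address; the netmask suffix on the static lines follows the form used in Ron's posted config, and the ACL is named "inbound" because that is the one already bound to the outside interface.

```python
# Added example, not from the thread: generate the PIX 6.3 object-group, ACL and
# per-port static NAT lines discussed above, and check the ACL with a small
# first-match evaluator that models the implicit "deny ip any any".
# The public address and the internet source address below are placeholders.

PUBLIC_IP = "203.0.113.219"   # stands in for the thread's xxx.xxx.xxx.219

# inside server -> (object-group name, inclusive port range), as in the thread
FORWARDS = {
    "192.168.100.150": ("PORTS_150", (5080, 5081)),
    "192.168.100.152": ("PORTS_152", (10020, 10051)),
    "192.168.100.153": ("PORTS_153", (10052, 10083)),
}
# object-group name -> port range, used to resolve "object-group X" in an ACL entry
GROUPS = {name: ports for name, ports in FORWARDS.values()}


def object_group_lines(forwards, proto="tcp"):
    lines = []
    for name, (lo, hi) in forwards.values():
        lines.append(f"object-group service {name} {proto}")
        lines.append(f"  port-object range {lo} {hi}")
    return lines


def acl_lines(forwards, public_ip, acl="inbound", proto="tcp", source="any"):
    # An ACL on the outside interface of PIX 6.3 matches the global (pre-NAT)
    # address, so the destination is the public IP, not the inside server.
    # Only one ACL can be applied inbound per interface, so the entries go into
    # the one already bound to "outside" ("inbound" in Ron's config).
    return [f"access-list {acl} permit {proto} {source} host {public_ip} object-group {name}"
            for name, _ in forwards.values()]


def wrong_acl_lines(forwards, public_ip, proto="tcp"):
    # The form first posted in the thread: public IP as source, inside server as destination.
    return [f"access-list outside_in permit {proto} host {public_ip} host {server} object-group {name}"
            for server, (name, _) in forwards.items()]


def static_lines(forwards, public_ip, proto="tcp"):
    # PIX 6.3 "static" port forwarding takes one port per line, so each range is
    # expanded; the netmask/limit suffix follows the statics in Ron's posted config.
    out = []
    for server, (_, (lo, hi)) in forwards.items():
        for port in range(lo, hi + 1):
            out.append(f"static (inside,outside) {proto} {public_ip} {port} "
                       f"{server} {port} netmask 255.255.255.255 0 0")
    return out


def parse_acl(lines):
    """Parse the subset used here: ACTION PROTO (any|host A) (any|host B) [object-group G | eq N]."""
    rules = []
    for line in lines:
        tok = line.split()
        action, proto, i = tok[2], tok[3], 4
        addrs = []
        for _ in range(2):               # source, then destination
            if tok[i] == "any":
                addrs.append(None); i += 1
            elif tok[i] == "host":
                addrs.append(tok[i + 1]); i += 2
            else:
                raise ValueError(f"unsupported address spec in: {line}")
        ports = None
        if i < len(tok):                 # optional destination port spec
            ports = (tok[i], tok[i + 1] if tok[i] == "object-group" else int(tok[i + 1]))
        rules.append((action, proto, addrs[0], addrs[1], ports))
    return rules


def acl_permits(rules, groups, proto, src, dst, dport):
    """First matching entry decides; no match falls to the implicit deny ip any any."""
    for action, rproto, rsrc, rdst, ports in rules:
        if rproto not in ("ip", proto):
            continue
        if rsrc not in (None, src) or rdst not in (None, dst):
            continue
        if ports is not None:
            kind, val = ports
            lo, hi = groups[val] if kind == "object-group" else (val, val)
            if not lo <= dport <= hi:
                continue
        return action == "permit"
    return False


def check_flow(public_ip, dport, proto="tcp", internet_src="198.51.100.7"):
    """Evaluate one constructed inbound flow against the corrected and the original ACL."""
    good = parse_acl(acl_lines(FORWARDS, public_ip))
    bad = parse_acl(wrong_acl_lines(FORWARDS, public_ip))
    return {
        "corrected": acl_permits(good, GROUPS, proto, internet_src, public_ip, dport),
        "original": acl_permits(bad, GROUPS, proto, internet_src, public_ip, dport),
    }


if __name__ == "__main__":
    for line in object_group_lines(FORWARDS) + acl_lines(FORWARDS, PUBLIC_IP) + static_lines(FORWARDS, PUBLIC_IP):
        print(line)
    print(len(static_lines(FORWARDS, PUBLIC_IP)), "static lines")
    for port in (5080, 5082, 10051):
        print(port, check_flow(PUBLIC_IP, port))
```

Running it prints 66 static lines (2 + 32 + 32) and shows that a flow from the internet to port 5080 or 10051 on the public address is permitted only by the corrected entries, while port 5082 is denied by both because nothing matches before the implicit deny. Adding UDP means calling `acl_lines` and `static_lines` a second time with `proto="udp"`.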

ronwoods Mon, 01/18/2010 - 11:41

I guess this is what I was trying to avoid.... I figured there was a way to do it for each port needed with a static command, but you are saying there is no way to do this using a group command? So we will have to make an entry for each port required correct?  Thanks again for your help on this Jon!
