Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

ASA 8.4 Configuration Cleanup using Network and Service Objects

Hi,

As most of you know, firewall configurations can growth to be large and complex, making them hard to understand and difficult to change.

I have one firewall configuration running 8.4 which I want to cleanup using Network and Service Objects and Object-Groups. This ASA (8.4) has over 30 Web Server VM's deployed behind it each with the same basic configuration: one-to-one outside to inside IP address and port mapping (x.x.x.x:ftp to y.y.y.y:ftp, etc) using the following well known ports: FTP, 80, 443, 3389. 

Examples from my existing configuration:

object network Y.Y.Y.Y_FTP

host y.y.y.66

nat (inside,outside) static X.X.X.66 service tcp ftp ftp

object network Y.Y.Y.Y_WWW

host y.y.y.66

nat (inside,outside) static X.X.X.66 service tcp http http

object network Y.Y.Y.Y_HTTPS

host y.y.y.66

nat (inside,outside) static X.X.X.66 service tcp 443 443

object network Y.Y.Y.Y_RDP

host y.y.y.66

nat (inside,outside) static X.X.X.66 service tcp 3389 3389

access-list outside_in extended permit tcp any host y.y.y.66 eq ftp

access-list outside_in extended permit tcp any host y.y.y.66 eq www

access-list outside_in extended permit tcp any host y.y.y.66 eq 3389

access-list outside_in extended permit tcp any host y.y.y.66 eq 443

The above entries for each port have to be done each time a new VM is deployed behind this firewall.

Below are my proposed ACE and object-group service entries to clean up the configuration.

object-group service WWW_FTP

description HTTP FTP Access

service-object tcp destination eq ftp

service-object tcp destination eq ftp-data

service-object tcp destination eq www

object-group service WWW_FTP_RDP

description WWW FTP RPD Access

service-object tcp destination eq ftp

service-object tcp destination eq ftp-data

service-object tcp destination eq www 

service-object tcp destination eq 3389

object-group service WWW_FTP_RDP_SSH

description WWW FTP RDP SSH Access

service-object tcp destination eq ftp

service-object tcp destination eq ftp-data

service-object tcp destination eq www

service-object tcp destination eq 443

service-object tcp destination eq 3389

object-group service RDP_SSH

description RDP SSH Access

service-object tcp destination eq 443

service-object tcp destination eq 3389

object-group service RDP_SSH_FTP

description RDP SSH FTP Access

service-object tcp destination eq 443

service-object tcp destination eq 3389

service-object tcp destination eq ftp

service-object tcp destination eq ftp-data

object-group service RDP_FTP

description RDP FTP Access

service-object tcp destination eq 3389

service-object tcp destination eq ftp

service-object tcp destination eq ftp-data

access-list outside_in extended permit object-group WWW_FTP_RPD any host Y.Y.Y.Y

access-list outside_in extended permit object-group WWW_FTP_RDP_SSH any host Y.Y.Y.Y

access-list outside_in extended permit object-group WWW_FTP any host Y.Y.Y.Y

access-list outside_in extended permit object-group RDP_FTP any host Y.Y.Y.Y

access-list outside_in extended permit object-group RDP_SSH_FTP any host Y.Y.Y.Y

access-list outside_in extended permit object-group RDP_SSH any host Y.Y.Y.Y

The challenge lies in how to consolidate object network entries below into something more condensed like the object-group service entries.

object network Y.Y.Y.Y_FTP

host y.y.y.66

nat (inside,outside) static X.X.X.66 service tcp ftp ftp

object network Y.Y.Y.Y_WWW

host y.y.y.66

nat (inside,outside) static X.X.X.66 service tcp http http

object network Y.Y.Y.Y_HTTPS

host y.y.y.66

nat (inside,outside) static X.X.X.66 service tcp 443 443

object network Y.Y.Y.Y_RDP

host y.y.y.66

nat (inside,outside) static X.X.X.66 service tcp 3389 3389

Any help is greatly appreciated!

2 ACCEPTED SOLUTIONS

Accepted Solutions
Super Bronze

ASA 8.4 Configuration Cleanup using Network and Service Objects

Hi,

I am afraid that the only part of the configuration you can really modify and make more condenced is the ACL configurations using the different "object-group" configurations.

Naturally you can also create an "object-group" for all the servers that need the same ports opened to again minimize the actual configurations lines in the CLI configuration.

However,

When it comes to the NAT configurations there is sadly no way to minimize the amount of configurations needed if you are using Static PAT (Port Forward) for the servers. There is no way at the moment to group ports for "nat" configurations.

My question to you is, do you have less public IP addresses at your disposal compared to the amount of different servers in your network behind the ASA?

If you have a dedicated public IP address for each server in the network then I would suggest using Static NAT instead of Static PAT. This is pretty much the only way that the NAT configuration amount could be minimized.

- Jouni

Super Bronze

Re: ASA 8.4 Configuration Cleanup using Network and Service Obje

Hi,

Yes, essentially each server would only have a single Static NAT configuration and the required ACL statement to open the services needed.

Basic format is

object network

  host

  nat (source-int,destination-int) static

In our customer environments if the customer has enough public IP addresses we use Static NAT always for this.

ACL should be used to control what traffic/service/port is allowed. I wouldnt use Static PAT as a means to control what connections are allowed. I would rather keep the NAT simple and use the ACL for the purpose which it was created for.

- Jouni

3 REPLIES
Super Bronze

ASA 8.4 Configuration Cleanup using Network and Service Objects

Hi,

I am afraid that the only part of the configuration you can really modify and make more condenced is the ACL configurations using the different "object-group" configurations.

Naturally you can also create an "object-group" for all the servers that need the same ports opened to again minimize the actual configurations lines in the CLI configuration.

However,

When it comes to the NAT configurations there is sadly no way to minimize the amount of configurations needed if you are using Static PAT (Port Forward) for the servers. There is no way at the moment to group ports for "nat" configurations.

My question to you is, do you have less public IP addresses at your disposal compared to the amount of different servers in your network behind the ASA?

If you have a dedicated public IP address for each server in the network then I would suggest using Static NAT instead of Static PAT. This is pretty much the only way that the NAT configuration amount could be minimized.

- Jouni

New Member

ASA 8.4 Configuration Cleanup using Network and Service Objects

Where I work, we have plenty of IPV4 addresses available but do not want to open any more ports than we have to. If we chance our mind, static NAT entries would look like:

object network Y.Y.Y.Y_66

host y.y.y.66

nat (inside,outside) static X.X.X.66

object network Y.Y.Y.Y_67

host y.y.y.67

nat (inside,outside) static X.X.X.67

Correct?

Thanks for your quick reply!

d

Super Bronze

Re: ASA 8.4 Configuration Cleanup using Network and Service Obje

Hi,

Yes, essentially each server would only have a single Static NAT configuration and the required ACL statement to open the services needed.

Basic format is

object network

  host

  nat (source-int,destination-int) static

In our customer environments if the customer has enough public IP addresses we use Static NAT always for this.

ACL should be used to control what traffic/service/port is allowed. I wouldnt use Static PAT as a means to control what connections are allowed. I would rather keep the NAT simple and use the ACL for the purpose which it was created for.

- Jouni

716
Views
5
Helpful
3
Replies