static nat and service port groups

I need some help with opening ports on my ASA using firmware 9.1.2.

I read earlier today that I can create service groups and tie ports to those. But how do I use those instead of using 'object network obj-ExchangeSever-smtp'?

I have the ACL:

access-list incoming extended permit tcp any object-group Permit-1.1.1.1 interface outside

Can this statement

object network obj-ExchangeSever-smtp
 nat (inside,outside) static interface service tcp smtp smtp

reference the service port groups instead?

Thanks,

Andrew

static nat and service port groups

Hi,

Are you looking for a way to group all the ports/services you need to allow from the external network to a specific server/servers?

Well, you can for example configure this kind of "object-group":

object-group service SERVER-PORTS
 service-object tcp destination eq www
 service-object tcp destination eq ftp
 service-object tcp destination eq https
 service-object icmp echo

access-list OUTSIDE-IN permit object-group SERVER-PORTS any object

The above would essentially let you use a single ACL rule to allow multiple ports to a server or a group of servers (depending on whether you use an "object" or an "object-group" to specify the destination address/addresses).

I am not sure how you have configured your NAT. Are they all Static PAT (Port Forward) configurations like the one you have posted above, or perhaps Static NAT configurations?

You can use the "object network" created for the NAT configuration in the above ACL rule's destination field to specify the host to which traffic will be allowed. Using the "object" in the ACL doesn't tell the ASA the ports, however. That needs to be configured in the above way or in your typical way.

Hope this helps

- Jouni
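Putting the two halves together for the asker's Exchange case, as an added example that is not part of the thread: the per-port static PAT lines stay in the form Andrew already has, and the grouping of published ports happens in the inbound ACL through a service object-group, as Jouni describes. The server address 192.0.2.10 (documentation range), the interface names inside/outside and the object names are assumptions.

```cisco
! Added example, not from the original thread. Assumed: 192.0.2.10 is the
! Exchange server's inside address; interfaces are named inside/outside.

! Network object for the server. The object NAT line forwards TCP/25 arriving
! on the outside interface address to the server.
object network obj-ExchangeServer
 host 192.0.2.10
 nat (inside,outside) static interface service tcp smtp smtp

! Object NAT permits only one nat statement per object, so a second
! object for the same host carries the HTTPS port forward.
object network obj-ExchangeServer-https
 host 192.0.2.10
 nat (inside,outside) static interface service tcp https https

! The published ports, listed once. Adding or removing a port here is the
! only change needed to the ACL side.
object-group service EXCHANGE-PORTS
 service-object tcp destination eq smtp
 service-object tcp destination eq https

! One ACL entry permits exactly those ports to the server. Since ASA 8.3,
! ACLs match the real (untranslated) address, so the network object is
! used as the destination rather than the outside interface address.
access-list OUTSIDE-IN extended permit object-group EXCHANGE-PORTS any object obj-ExchangeServer
access-group OUTSIDE-IN in interface outside
```

After applying it, `packet-tracer input outside tcp <source-ip> 1025 <outside-interface-ip> 25` walks a simulated SMTP connection through the NAT and ACL stages and shows which rule allowed or dropped it.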
