
This is likely a common issue, but cannot find a solution.

Here's the problem: in a web server environment there is a set of common ports that need to be open, to name a few: 21, 25, 53, 80, 110, 143, 3306, etc.

I know how to create an access-list to allow an external ip on a given port and a static rule to direct port traffic to target internal ip. However, man, that is a lot of drudgery doing single ip + single port rules when you have 15 public IPs all of which need the exact same 20-odd ports open.

Is there a way to specify, per public IP, an access-list of ports and a corresponding static rule? Basically I'd like to pull this off in 30 lines (15 public IPs x (1 access-list + 1 static)) vs 600!

Ideas much appreciated (in this case, obviously) ;-)

virtualeyes

3 Answers


You can use static to map IPs 1-to-1. Like this:

static (inside,outside) 1.2.3.1 192.168.0.1 netmask 255.255.255.255
static (inside,outside) 1.2.3.2 192.168.0.2 netmask 255.255.255.255
static (inside,outside) 1.2.3.3 192.168.0.3 netmask 255.255.255.255

(These could be condensed if the mapping is in order like the example)

Then have a single access list such as:

access-list Outside_In extended permit tcp any any eq 21
access-list Outside_In extended permit tcp any any eq 25
access-list Outside_In extended permit tcp any any eq 53

access-group Outside_In in interface Outside

Warning! This will open all the ports to all mapped IPs. If all your servers need these ports anyway, then it's a much quicker configuration.

(Obviously change names of things as is appropriate for your site)

Chris S
  • Ahh, that's better, had been doing ACLs on a per-IP basis. Yes, each public IP needs the same ports opened, so not concerned (or at least not as much as relying on iptables alone without a physical firewall ;-)) Thanks – virtualeyes Oct 13 '11 at 19:15

Ok, for the access list you can use object-groups to lump them together.

object-group network TAG
 network-object host 192.168.1.2
 network-object host 192.168.1.3
 network-object host 192.168.1.4
 network-object host 192.168.1.5

object-group service PROTO_TAG tcp
 port-object eq 80

access-list NAT_ME extended permit tcp object-group TAG any object-group PROTO_TAG

static (inside,outside) IP access-list NAT_ME

Fair warning I have not tested this on anything. It's what the documentation says should work.

Squidly
  • I'll have to give that a try, looks reasonable. – Chris S Oct 13 '11 at 18:11
  • This is a bit more abstract compared to standard ACL + static rule, but if it works, and does so efficiently, I'm game ;-). Going to try Chris' solution first, but both get +1 from here – virtualeyes Oct 13 '11 at 19:17

Object groups are your friend here. Assuming a worst-case scenario where your public address block is non-contiguous and there is not a direct subnet mapping onto your private subnet, and that your outside access list has the default name of outside_access_in, you'll need a configuration along the lines of...

object-group network my-servers_pub
network-object host 1.1.1.1
network-object host 1.1.1.3
network-object host 1.1.1.5
...etc
...etc
network-object host 1.1.1.13
network-object host 1.1.1.15

object-group service my-tcp-ports tcp
port-object eq 21
port-object eq 25
port-object eq 80
port-object eq 110
port-object eq 143
port-object eq 3306

object-group service my-udp-ports udp
port-object eq 53

static (inside,outside) 1.1.1.1 192.168.1.2
static (inside,outside) 1.1.1.3 192.168.1.4
static (inside,outside) 1.1.1.5 192.168.1.7
...etc
...etc
static (inside,outside) 1.1.1.13 192.168.1.14
static (inside,outside) 1.1.1.15 192.168.1.16

access-list outside_access_in permit tcp any object-group my-servers_pub object-group my-tcp-ports
access-list outside_access_in permit udp any object-group my-servers_pub object-group my-udp-ports

I should caveat that this configuration will need some tweaking to work on ASA version 8.3 and above due to some significant changes Cisco have made around NAT.

If you're lucky enough to have contiguous public address space, and a 1:1 host mapping you can condense down the object groups & statics into subnets:

object-group network my-servers_pub
network-object 1.1.1.0 255.255.255.240

static (inside,outside) 1.1.1.0 192.168.1.0 netmask 255.255.255.240

You wouldn't even really need the object group for your outside hosts in this scenario, but I've done it that way just to keep it consistent.

paulos
  • I'm on ASA 8.2, so no problem there. This looks quite concise. Public IPs will all map linearly to 172.16.xx.xx DMZ. Should do the trick, but I need to test obviously. Everyone gets a +1 so far as everyone is right (in their own way) ;-) – virtualeyes Oct 13 '11 at 19:33
  • You'll be able to condense it down a bit further with some subnetting then: – paulos Oct 13 '11 at 20:06
  • Gets the nod here, his answer was the most comprehensive and accurate (although it's "network-object", not "network object"). If you have a DMZ you'll need to adjust the static rule accordingly (e.g. static (dmz,outside)). Works a charm, thanks everyone! – virtualeyes Oct 13 '11 at 21:16
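The condensed layout the answers above converge on (one network object-group for the public hosts, one service object-group per protocol, one static per host, two ACEs) is easy to get wrong by hand for 15 hosts, and it changes shape again on ASA 8.3+. The generator below is an added example written for this page, not code from any of the posters or from Cisco. It assumes constructed addresses (public 203.0.113.1-15 mapped linearly onto a DMZ block 172.16.10.1-15), interface names `dmz` and `outside`, an ACL named `outside_access_in`, and the thread's port list. It goes a little beyond the thread: it also emits the 8.3+ form, where NAT moves into `object network` statements and the ACL must match the real (pre-NAT) addresses rather than the public ones, and it produces the single subnet `static` for the contiguous case that paulos describes.

```python
"""Generate the condensed ASA access/NAT configuration discussed in this thread.

Constructed example for this page (not the posters' or Cisco's code): 15 public
addresses mapped 1:1 onto a DMZ block, every host needing the same ports.
Addresses are RFC 5737 / RFC 1918 placeholders; interface and ACL names are
assumptions.
"""
import ipaddress

PUBLIC_BASE = ipaddress.ip_address("203.0.113.1")  # assumption: documentation range
DMZ_BASE = ipaddress.ip_address("172.16.10.1")     # assumption: real (DMZ) addresses
COUNT = 15
TCP_PORTS = [21, 25, 80, 110, 143, 3306]
UDP_PORTS = [53]


def mappings(public_base, dmz_base, count):
    """Linear 1:1 public -> real mapping, as the asker describes (public_i -> dmz_i)."""
    return [(public_base + i, dmz_base + i) for i in range(count)]


def naive_ace_count(maps, tcp_ports, udp_ports):
    """ACEs needed with one (host, port) rule per line and no object groups."""
    return len(maps) * (len(tcp_ports) + len(udp_ports))


def port_groups(tcp_ports, udp_ports):
    """Service object-groups; ports are per-protocol so UDP/53 and TCP/53 stay separate."""
    lines = ["object-group service my-tcp-ports tcp"]
    lines += [f" port-object eq {p}" for p in tcp_ports]
    lines += ["object-group service my-udp-ports udp"]
    lines += [f" port-object eq {p}" for p in udp_ports]
    return lines


def asa82_config(maps, tcp_ports, udp_ports, real_if="dmz", mapped_if="outside",
                 acl="outside_access_in"):
    """Pre-8.3 form: one 'static' per host, ACL matches the MAPPED (public) addresses."""
    lines = ["object-group network my-servers_pub"]
    lines += [f" network-object host {pub}" for pub, _ in maps]
    lines += port_groups(tcp_ports, udp_ports)
    lines += [f"static ({real_if},{mapped_if}) {pub} {real} netmask 255.255.255.255"
              for pub, real in maps]
    lines += [
        f"access-list {acl} extended permit tcp any object-group my-servers_pub object-group my-tcp-ports",
        f"access-list {acl} extended permit udp any object-group my-servers_pub object-group my-udp-ports",
        f"access-group {acl} in interface {mapped_if}",
    ]
    return lines


def asa83_config(maps, tcp_ports, udp_ports, real_if="dmz", mapped_if="outside",
                 acl="outside_access_in"):
    """8.3+ form: NAT lives in network objects and the ACL matches the REAL addresses."""
    lines = []
    for i, (pub, real) in enumerate(maps, 1):
        lines += [f"object network srv{i}", f" host {real}",
                  f" nat ({real_if},{mapped_if}) static {pub}"]
    lines += ["object-group network my-servers_real"]
    lines += [f" network-object host {real}" for _, real in maps]
    lines += port_groups(tcp_ports, udp_ports)
    lines += [
        f"access-list {acl} extended permit tcp any object-group my-servers_real object-group my-tcp-ports",
        f"access-list {acl} extended permit udp any object-group my-servers_real object-group my-udp-ports",
        f"access-group {acl} in interface {mapped_if}",
    ]
    return lines


def subnet_static(public_net, dmz_net, real_if="dmz", mapped_if="outside"):
    """Contiguous, equally sized 1:1 blocks collapse to one subnet 'static' (pre-8.3)."""
    if public_net.prefixlen != dmz_net.prefixlen:
        raise ValueError("public and DMZ blocks must be the same size for a 1:1 subnet static")
    return (f"static ({real_if},{mapped_if}) {public_net.network_address} "
            f"{dmz_net.network_address} netmask {public_net.netmask}")


if __name__ == "__main__":
    maps = mappings(PUBLIC_BASE, DMZ_BASE, COUNT)
    cfg = asa82_config(maps, TCP_PORTS, UDP_PORTS)
    print("\n".join(cfg))
    print(f"! {len(cfg)} config lines instead of "
          f"{naive_ace_count(maps, TCP_PORTS, UDP_PORTS)} per-host/per-port ACEs "
          f"plus {len(maps)} statics")
```

Run it and paste the output into a lab ASA first; the pre-8.3 and 8.3+ outputs are deliberately kept in separate functions so you cannot mix the two ACL addressing conventions. As Chris S's warning says, every host in the group gets every port in the group: if one server later needs a port the others must not expose, put it in its own network object-group with its own ACE rather than widening the shared one.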