I am attempting to translate some Cisco ASA firewall rules into a Peplink Balance 20X.
In the Cisco, I can have port object groups like so:
```
object-group service eware_tcp tcp
 port-object eq 1969
 port-object eq 1970
 port-object eq 7801
 port-object eq 3306
 port-object eq 5900
 port-object eq 5800
 port-object eq 3085
 port-object eq 9432
object-group service eware_udp udp
 port-object eq 1969
 port-object eq 3306
```
Combining port object groups with network object groups (similar enough to grouped networks in Peplink) can result in some really short rule lists that expand out into large rulesets:
```
access-list patron_in extended permit tcp object-group eware_clients object-group eware_servers object-group eware_tcp
access-list patron_in extended permit udp object-group eware_clients object-group eware_servers object-group eware_udp
```
Basically, permit UDP traffic from the set of clients to the set of servers on the set of UDP ports, or TCP traffic on the set of TCP ports.
It looks like in Peplink, for any ports that aren't in a contiguous range, I have to make a unique rule per port. Considering I have 20+ locations with unique IP addressing, that's a lot of work I am looking to avoid having to do.
So, is there a port grouping feature I am missing?
In the absence of such a feature, the only things I can think of to do are:
- do one rule per port per protocol and leverage grouped networks as extensively as possible
- do one rule per protocol (TCP/UDP) and do a port range that extends past the lowest and highest ports the service uses. This might be an acceptable compromise versus doing all the other work.
- take the lazy way out and permit all traffic from the source grouped network to the destination grouped network.
Thank you for your time,
Jim
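As an added example that is not part of the post or of either vendor's tooling, the following Python script reads the two service object-groups and two ACL lines above and expands them the two ways the first two bullets describe: one Peplink-style rule per port per protocol, and a single lowest-to-highest range per protocol together with a count of how many unrelated ports that range opens. The members of the network object-groups are not on the page, so the script keeps them as grouped-network names, which is also how they would be referenced on the Peplink side.

```python
import re
# Constructed sample: the two service groups and two ACL lines from the post,
# with the network groups referenced by name only (as on the Peplink side).
ASA_CONFIG = """
object-group service eware_tcp tcp
 port-object eq 1969
 port-object eq 1970
 port-object eq 7801
 port-object eq 3306
 port-object eq 5900
 port-object eq 5800
 port-object eq 3085
 port-object eq 9432
object-group service eware_udp udp
 port-object eq 1969
 port-object eq 3306
access-list patron_in extended permit tcp object-group eware_clients object-group eware_servers object-group eware_tcp
access-list patron_in extended permit udp object-group eware_clients object-group eware_servers object-group eware_udp
"""
ACL_RE = re.compile(r"access-list (\S+) extended permit (tcp|udp) "
                    r"object-group (\S+) object-group (\S+) object-group (\S+)")

def parse_service_groups(config):
    """Map each service object-group name to its sorted list of ports."""
    groups, current = {}, None
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("object-group service "):
            current = line.split()[2]
            groups[current] = []
        elif line.startswith("port-object eq ") and current:
            groups[current].append(int(line.split()[2]))
    return {name: sorted(ports) for name, ports in groups.items()}

def expand_per_port(config):
    """Option 1: one rule per port per protocol, keeping grouped-network names."""
    svc = parse_service_groups(config)
    return [(acl, proto, src, dst, port)
            for acl, proto, src, dst, grp in (m.groups() for m in ACL_RE.finditer(config))
            for port in svc[grp]]

def range_compromise(config):
    """Option 2: lowest-to-highest range per protocol, plus how many ports it over-opens."""
    svc = parse_service_groups(config)
    out = {}
    for _, proto, _, _, grp in (m.groups() for m in ACL_RE.finditer(config)):
        ports = svc[grp]
        out[proto] = {"range": (ports[0], ports[-1]),
                      "extra_ports": (ports[-1] - ports[0] + 1) - len(ports)}
    return out
```

For the groups in the post this yields 10 per-port rules, while the range option opens 7456 extra TCP ports and 1336 extra UDP ports beyond the ones the service needs, which is the figure to weigh when judging that compromise.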