topic Re: [ASA] How does a control-plane ACL treat interface NAT traffic in Network Security

[ASA] How does a control-plane ACL treat interface NAT

guacamoley — Tue, 27 Feb 2024 15:50:50 GMT

In the documentation, I can see a control-plane ACL will permit/deny traffic towards the ASA itself, which is typically control plane, will this extend to nat traffic towards the device?

Edit: What would the security risks be if this was opened up to any any? I presume your device could easily be ddos'd, ssh tunneled, and compromised in many other ways.

Re: [ASA] How does a control-plane ACL treat interface NAT traffic

MHM Cisco World — Fri, 16 Feb 2024 05:18:08 GMT

The NAT in router or in ASA need traffic pass boundary

This boundary is between two Interface

In case of ACL control plane the traffic direct to ASA interface so it not pass any ASA boundary.

MHM

Re: [ASA] How does a control-plane ACL treat interface NAT traffic

tvotna — Fri, 16 Feb 2024 13:15:07 GMT

Technically, control-plane ACL programs accelerated security path table to control traffic between "outside" and "identity" interface as shown below, while regular ACL programs it between "outside" and "any" (all) interfaces, where "any" doesn't include identity. Hence, those two ACLs are independent from each other.

ASA# sh run access-group
access-group outside_in in interface outside control-plane
access-group outside_in in interface outside

ASA# show access-list outside_in
access-list outside_in; 10 elements; name hash: 0xc5896c24
access-list outside_in line 2 extended permit tcp xxx.xxx.147.0 255.255.255.0 host yyy.yyy.98.134 eq https (hitcnt=52) 0x567d10d1

ASA# show asp table classify domain permit match xxx.xxx.147.0
Input Table
in  id=0x7fc45a1bdba0, priority=120, domain=permit, deny=false
        hits=52, user_data=0x7fc14c8dac80, cs_id=0x0, flags=0x0, protocol=6
        src ip/id=xxx.xxx.147.0, mask=255.255.255.0, port=0, tag=any
        dst ip/id=yyy.yyy.98.134, mask=255.255.255.255, port=443, tag=any, dscp=0x0, nsg_id=none
        input_ifc=outside, output_ifc=identity
in  id=0x7fc14c75a950, priority=13, domain=permit, deny=false
        hits=0, user_data=0x7fc14e36c880, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
        src ip/id=xxx.xxx.147.0, mask=255.255.255.0, port=0, tag=any
        dst ip/id=yyy.yyy.98.134, mask=255.255.255.255, port=443, tag=any, dscp=0x0, nsg_id=none
        input_ifc=outside, output_ifc=any

Re: [ASA] How does a control-plane ACL treat interface NAT traffic

guacamoley — Fri, 16 Feb 2024 13:37:15 GMT

that's really helpful actually - so there is a logical interface called "identity" in the ASA. Will that always match the IP that is specified in the initial command? (in your case it was "in interface outside control-plane". So I imagine the .98.134 address was the outside's interface?

Re: [ASA] How does a control-plane ACL treat interface NAT traffic

MHM Cisco World — Fri, 16 Feb 2024 13:55:31 GMT

Why we need to know NAT IP if we want to config ACL?

To know which one we use real IP or mapped IP

In acl control the traffic not hit NAT

So we always use real IP.

@tvotna identity is not related to NAT traffic' it use only for service policy.

Why you misleading him?

MHM

Re: [ASA] How does a control-plane ACL treat interface NAT traffic

tvotna — Fri, 16 Feb 2024 14:38:40 GMT

Correct.

Re: [ASA] How does a control-plane ACL treat interface NAT traffic

tvotna — Fri, 16 Feb 2024 14:39:41 GMT

You're wrong or don't understand what I'm talking about.

Re: [ASA] How does a control-plane ACL treat interface NAT traffic

MHM Cisco World — Fri, 16 Feb 2024 14:45:48 GMT

Yes please share how we can use identity logical interface for NAT,
I will so surprise to see this new config
waiting your reply
thanks

MHM