topic ASA access policy/ NAT behavior from same subnet in Network Security

ASA access policy/ NAT behavior from same subnet

NeGi00000 — Tue, 12 Mar 2019 07:51:19 GMT

Hello,

Will an ASA's (v9.4) access policy apply when connecting to a NAT'd address from the same subnet?

I.e. Source = 192.168.10.5; Destination = 192.168.10.10 (NAT rule on firewall - physical addr 192.168.200.10).

Thanks!

Hi,

jagraaga — Tue, 07 Jun 2016 11:50:54 GMT

Hi,

Do you mean if the access-list will work for the intra-interface traffic, which means that the ingress and egress interface is same on ASA?

Regards,

Jagrati

Hi - No, I believe this would

NeGi00000 — Tue, 07 Jun 2016 13:48:58 GMT

Hi - No, I believe this would be inter-interface.

E.g. Traffic is ingress on eth0 (to use the example above, eth0 would have an addr of 192.168.10.1) and egress via eth1 (with an addr of 192.168.200.1).

Surely access rules must come into effect in this scenario as the packet is traversing both interfaces. It is a firewall after all, not a reverse proxy.

I would expect this if it was a routed connection (Source = 10.10.10.10), I'm just uncertain of the behavior when it's in the same subnet as the firewall interface (eth0).

To see how the traffic is

jagraaga — Tue, 07 Jun 2016 13:53:32 GMT

To see how the traffic is going to flow via the ASA, you can use packet-tracer.

#packet-tracer input inside ip <source-ip> <source-port> <destination-ip> <destination-port> detailed

Try to check with the IPs and ports how the traffic is going through the ASA. This will give you a detailed view

Jagrati