topic Hi Ronaldo,The flow on ASA in Network Security

NAT 8.4 question

Rolando Valenzuela — Tue, 12 Mar 2019 08:06:22 GMT

Hello community!
According to firewall migration tool that cisco provides (https://fwm.cisco.com) I need to this the following change:

##### 8.2 code #####
static (inside,outside) tcp 50.50.50.50 https 10.34.4.11 32030 netmask 255.255.255.255
!
access-list outside extended permit tcp object-group public-ips host 50.50.50.50 eq https

##### 8.4 code #####
object network obj-10.34.4.11-48
host 10.34.4.11
nat (inside,outside) static 50.50.50.50 service tcp 32030 https
!
access-list outside remark Migration, ACE (line 671) expanded: permit tcp object-group public-ips host 50.50.50.50
access-list outside extended permit tcp 60.60.60.60 255.255.255.252 host 10.34.4.11 eq 32030
access-list outside extended permit tcp 70.70.70.0 255.255.255.0 host 10.34.4.11 eq 32030
access-list outside extended permit tcp 80.80.80.0 255.255.255.0 host 10.34.4.11 eq 32030
access-list outside extended permit tcp 90.90.90.0 255.255.255.0 host 10.34.4.11 eq 32030
access-list outside remark Migration: End of expansion

I know that the practice now is to uses the private IP on the inside and outside interface for consistency, but it will still work with the ACL used on 8.2 code, right?

Thanks!

Rolando A. Valenzuela

Bump

Rolando Valenzuela — Tue, 09 Aug 2016 17:00:57 GMT

Bump

anyone? :( after some testing

Rolando Valenzuela — Wed, 24 Aug 2016 13:03:07 GMT

anyone? 😞 after some testing I believe it will not work 😞 is there a workaround?

Thank you!

Hi Ronaldo,The flow on ASA

pradypan — Thu, 25 Aug 2016 08:17:48 GMT

Hi Ronaldo,

The flow on ASA has been changed post 8.3 where NAT untranslation for destination happens before it check for the access rules. Thus the access rule applied on 8.2 won't help.

In 8.2 we do allow flow coming from outside to inside over Public (Mapped) IP since the access rules do match first and then NAT untranslation happens. But post 8.3, you need to create a rule on Real IP address and not on Mapped IP address to allow the flow.

Please refer the below document to understand the flow pre and post 8.3.

https://learningnetwork.cisco.com/thread/46543

Regards
Pradyumna

I am not much expert in it

Pawan Raut — Thu, 25 Aug 2016 12:06:44 GMT

I am not much expert in it but I did recent Migration of many ASA 8.2 to 8.4 above and as per my experienced we need Internal Private IP address in ACLs and not the natted one. So your 8.4 nat and acl looks good to me.

Regards,

Pawan (CCIE 52104)

Thank you both!

Rolando Valenzuela — Thu, 25 Aug 2016 14:40:46 GMT

Thank you both!

Pradypan, regarding the flow, after a lot of testing I find out that the ACLs used by crypto maps need the mapped IP 😞 and not the real one (if no nat is allowed) so that kinds of mess all my configuration making this migration harder for me.

Thanks for the the documentation.

Regards.

Hello Rolando,

ccorreap — Thu, 25 Aug 2016 20:01:54 GMT

Hello Rolando,

Just as Pradypan stated, in 8.3 and up the flow changed and now NAT takes precedence over ACL look up, hence the need to reference the real IP address. Also it should be noted that when upgrading from 8.2 to 8.4.7 the ASA takes care of the migration process and changes the ACLs and NAT statement as needed.

Curiously the crypto map config does not change from one version to another so it should be the same on both version.

Regards,