topic ASA 8.3 real Ip address in ACL in Network Security

ASA 8.3 real Ip address in ACL

jmprats — Mon, 11 Mar 2019 22:14:58 GMT

if ASA 8.3 uses real IP address in ACL, why in this example "ASA 8.3 and Later: Mail (SMTP) Server Access on Inside Network Configuration Example" uses the public (natted) ip address for the smtp server ACL?

ASA 8.3 real Ip address in ACL

ajay chauhan — Mon, 16 Jan 2012 13:20:49 GMT

Whatever will be the SMTP server IP on internet will have to add that IP on outside ACL to allow on port 25. It could be NAT IP or Public IP as well.

Can you post the statement from configuration where you have doubt?

Thanks

Ajay

Re: ASA 8.3 real Ip address in ACL

jmprats — Mon, 16 Jan 2012 13:24:31 GMT

In the example:

access−list smtp extended permit tcp any host 209.164.3.5 eq smtp

object network obj−192.168.2.0

subnet 192.168.2.0 255.255.255.0

nat (inside,outside) dynamic 209.164.3.129

Why doesn't use the real ip address in the acl?

ASA 8.3 real Ip address in ACL

ajay chauhan — Mon, 16 Jan 2012 13:31:33 GMT

Ok.

That traffic is originated from inside hosts. You should focus on -

object network obj-192.168.2.57
host 192.168.2.57
nat (inside,outside) static 209.164.3.5

For your SMTP question SMTP server is mapped one to one NAT so public identity would be 209.164.3.5 so ofcourse that is allowed in ACL.

Regarding configuration you have post has nothing to do with SMTP server that have mentioned the whole subnet /24 for outbound traffic.

NAT has order to process - nonat >static nat > dynamic nat> static pat >dynamic pat > like this.

Hope this help.

Thanks

Ajay

ASA 8.3 real Ip address in ACL

jmprats — Tue, 17 Jan 2012 08:53:25 GMT

OK, sorry, of course, the smtp-server nat was:

object network obj−192.168.2.57

host 192.168.2.57

nat (inside,outside) static 209.164.3.5

But in the ACL is using public IP, not the real ip address as announces Release Notes or migration guide, which states:

"For example, formerly if you wanted to allow an outside host to access an inside host that used NAT, you

applied an inbound access list on the outside interface using the access-group command. In this

scenario, you needed to specify the mapped address of the inside host in the access list because that

address was the address that can be used on the outside network. Starting in 8.3, you need to specify the

real address in the access list."

In this Cisco Support Channel video (minute 3), the outside ACL uses the real ip address, not the public-natted one

http://www.youtube.com/watch?v=R6TMlH9U2pE&feature=plcp&context=C34bcf43UDOEgsToPDskINRv5_oXhrk7jRahbPD_Em

So my question is:

In the ACL, do I have to use the real ip (like the video) or the natted-ip (like the smtp example)?

Thanks

ASA 8.3 real Ip address in ACL

EliasTlou — Tue, 17 Jan 2012 09:01:54 GMT

Use real IP address:

e.g.

access−list smtp extended permit tcp any host 192.168.2.57 eq smtp

ASA 8.3 real Ip address in ACL

ajay chauhan — Tue, 17 Jan 2012 09:18:43 GMT

I agree !!

pre-8.3 Configuration

static (inside,outside) 209.165.201.15 10.1.1.6 netmask 255.255.255.255

access-list outside_in extended permit tcp any host 209.165.201.15

access-group outside_in in interface outside

8.3 Configuration

object network obj-10.1.1.6
host 10.1.1.6
nat (inside,outside) static 209.165.201.15

access-list outside_in extended permit tcp any host 10.1.1.6

access-group outside_in in interface outside