https://community.cisco.com/t5/network-security/tricky-acl-issue/m-p/1910281#M458773 <HTML><HEAD></HEAD><BODY><P>As I understannd</P><P></P><P></P><P>Server---------ASA-------------Internet-------------------user</P><P></P><P>If you have NAT-control enabled on the ASA it needs a NAT configured for the inside server to be accessible from outside.</P><P>if the private ip is 1.1.1.1 and public ip is 10.10.10.10 and you have the following configuration</P><P></P><P>statis (inside,outside) 10.10.10.10 1.1.1.1 netmask 255.255.255.255</P><P>access-list outside permit ip any host 10.10.10.10</P><P>access-group outside in interface outside</P><P></P><P></P><P>With the above configuration users can access the server only on the public ip address on outside and will not be able to access the private ip address at all. This is the default behavior of the ASA.</P><P></P><P>You do not need any other outbound ACL on the outside interface <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/emoticons/happy.gif"></SPAN></P><P></P><P>Sachin</P></BODY></HTML> Wed, 07 Mar 2012 08:26:42 GMT svaish 2012-03-07T08:26:42Z https://community.cisco.com/t5/network-security/tricky-acl-issue/m-p/1910280#M458772 <P>Hi Guys, </P><P>facing an issue here and need some expert knowhow....</P><P></P><P>I have several interfaces on my ASA&nbsp; that is also connected with S2S&nbsp; to the HQ office...</P><P></P><P>i have 3 /24 subnets heavily subneted inbetween interfaces and have a collapsed core as well so anything other than playing with ACLs is out of the question.</P><P></P><P></P><P>so&nbsp; subnet in question&nbsp; attached to one of ASAs interfaces (nameif:public_NAT) and has&nbsp; a 10.y.x.z/29&nbsp; address&nbsp; (private)&nbsp; i have 3 servers on it.&nbsp; I use static 1-1 NAT&nbsp; to each server from the&nbsp; external range that i have with my ISP (cant route it in as ISP is being ...@#$@D#F).</P><P>now the requirement i have is to allow&nbsp; access to all 3 servers but only by using their external globally routed NATs. and block any access to their private IP addresses.</P><P></P><P>question is:&nbsp; can i use&nbsp; an "outbound" ACL&nbsp; on the&nbsp; public_NAT&nbsp; interface&nbsp; saying - deny ip&nbsp; any&nbsp; to private ip addresses of the servers inside that subnet.</P><P>and then allow&nbsp; on other interfaces to the external IPs residing on the WAN interface of the firewall ?</P><P>also&nbsp; with S2S if that&nbsp; subnet is a part of larger encryption domain&nbsp; is my only choice will be to remove that /29 subnet from the encr. domain ACL ?</P> Mon, 11 Mar 2019 22:35:41 GMT https://community.cisco.com/t5/network-security/tricky-acl-issue/m-p/1910280#M458772 Leon Khanan 2019-03-11T22:35:41Z https://community.cisco.com/t5/network-security/tricky-acl-issue/m-p/1910281#M458773 <HTML><HEAD></HEAD><BODY><P>As I understannd</P><P></P><P></P><P>Server---------ASA-------------Internet-------------------user</P><P></P><P>If you have NAT-control enabled on the ASA it needs a NAT configured for the inside server to be accessible from outside.</P><P>if the private ip is 1.1.1.1 and public ip is 10.10.10.10 and you have the following configuration</P><P></P><P>statis (inside,outside) 10.10.10.10 1.1.1.1 netmask 255.255.255.255</P><P>access-list outside permit ip any host 10.10.10.10</P><P>access-group outside in interface outside</P><P></P><P></P><P>With the above configuration users can access the server only on the public ip address on outside and will not be able to access the private ip address at all. This is the default behavior of the ASA.</P><P></P><P>You do not need any other outbound ACL on the outside interface <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/emoticons/happy.gif"></SPAN></P><P></P><P>Sachin</P></BODY></HTML> Wed, 07 Mar 2012 08:26:42 GMT https://community.cisco.com/t5/network-security/tricky-acl-issue/m-p/1910281#M458773 svaish 2012-03-07T08:26:42Z https://community.cisco.com/t5/network-security/tricky-acl-issue/m-p/1910282#M458777 <HTML><HEAD></HEAD><BODY><P>hmm i thought on new ASAs above 8.3 NAT comes first... and if so then the ACL on the outside wont see the external IP...</P><P>also how will that make my LAN users use the external IP addresses and not just intervlan ?</P></BODY></HTML> Wed, 07 Mar 2012 15:32:53 GMT https://community.cisco.com/t5/network-security/tricky-acl-issue/m-p/1910282#M458777 Leon Khanan 2012-03-07T15:32:53Z