ASA 8.3 ACL denying access to DMZ

dylan.ebner
Level 1

I am migrating an ASA 5520 from 8.2 to 8.3, and after the migration the ACLs are blocking access to the DMZ. It looks like the NAT functions were migrated properly by the migration tool, but now when I try to access devices in the DMZ the ACL is denying the traffic because my ACLs in 8.2 had the NATted IP, not the real IP, in the ACL. Now it looks like 8.3 is looking for the real IP and not the NATted IP.

Here is an example:

Inside network: 172.24.0.0/24

DMZ server real IP: 1.1.1.1

DMZ server NAT IP 2.2.2.2

So, in 8.2 I would have an ACL on the inside interface that said permit 172.24.0.0/24 to 2.2.2.2 eq 80, 443.

This ACL doesn't work in my 8.3 config because it wants:

permit 172.24.0.0/24 to 1.1.1.1 eq 80, 443.

Is this correct for 8.3 or are my NAT rules all messed up after the migration?

Thanks

2 Replies

Julio Carvajal
VIP Alumni

Hello Dylan,

That is 100% correct. You are right.

Please read this, it will help you!

Do rate all the helpful posts

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hello Dylan,

Below is the link to the release notes for 8.3. You will get most of the answers here, and your thoughts are perfect.

http://www.cisco.com/en/US/docs/security/asa/asa83/release/notes/asarn83.html

Thanks
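To make the change confirmed above concrete, here is the inside-to-DMZ scenario from the question written both ways. This is an added illustration, not configuration from the original thread or from Cisco; the interface names `inside` and `dmz`, the ACL name `inside_access_in` and the object name `DMZ-SERVER` are assumed. The point for a reviewer: from 8.3 onward the ACL is evaluated after un-NAT, so a rule still written against the mapped address 2.2.2.2 matches nothing and the traffic falls through to the implicit deny.

```cisco
! --- ASA 8.2 style: the mapped (NATted) address appears in the ACL ---
static (dmz,inside) 2.2.2.2 1.1.1.1 netmask 255.255.255.255
access-list inside_access_in extended permit tcp 172.24.0.0 255.255.255.0 host 2.2.2.2 eq www
access-list inside_access_in extended permit tcp 172.24.0.0 255.255.255.0 host 2.2.2.2 eq https
access-group inside_access_in in interface inside

! --- ASA 8.3 style: NAT is tied to a network object, ACL uses the REAL address ---
object network DMZ-SERVER
 host 1.1.1.1
 nat (dmz,inside) static 2.2.2.2
access-list inside_access_in extended permit tcp 172.24.0.0 255.255.255.0 host 1.1.1.1 eq www
access-list inside_access_in extended permit tcp 172.24.0.0 255.255.255.0 host 1.1.1.1 eq https
access-group inside_access_in in interface inside

! --- Verification after the migration (constructed inside host 172.24.0.10) ---
! The trace should show an UN-NAT phase translating 2.2.2.2 -> 1.1.1.1 BEFORE the
! ACCESS-LIST phase; if the ACL phase reports DROP, the ACL still references 2.2.2.2.
packet-tracer input inside tcp 172.24.0.10 12345 2.2.2.2 80
! Confirm the static translation the migration tool produced
show nat detail
```

If the migration left rules in the old form, only the ACL lines need rewriting to the real addresses; the `object network` NAT statements it generated can stay as they are.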
