
ASA 8.3 ACL denying access to DMZ

I am migrating an ASA 5520 from 8.2 to 8.3, and after the migration the ACLs are blocking access to the DMZ. It looks like the NAT functions were migrated properly by the migration tool, but now when I try to access devices in the DMZ the ACL is denying the traffic because my ACLs in 8.2 had the NATted IP, not the real IP, in the ACL. Now it looks like 8.3 is looking for the real IP and not the NATted IP.

Here is an example:

Inside network: 172.24.0.0/24

DMZ server real IP: 1.1.1.1

DMZ server NAT IP 2.2.2.2

So, in 8.2 I would have an ACL on the inside interface that said permit 172.24.0.0/24 to 2.2.2.2 eq 80, 443.

This ACL doesn't work in my 8.3 config because it wants:

permit 172.24.0.0/24 to 1.1.1.1 eq 80, 443.

Is this correct for 8.3 or are my NAT rules all messed up after the migration?

Thanks
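As an added example (not part of this thread, and not Cisco's migration tool), the following Python helper does the mechanical part of what the question describes: it reads 8.2-style `static` lines to build a mapped-to-real address table, then rewrites the destination of each inside ACL entry from the mapped IP to the real IP, which is what 8.3 expects. The sample configuration text is constructed around the addresses in the post; the `static (dmz,inside) 2.2.2.2 1.1.1.1` line, the `inside_in` ACL name, the third ACL entry, and the assumption that all entries are `extended` ACLs are mine, not the poster's. Any destination host that has no matching static entry is reported separately so it can be checked by hand instead of being left pointing at a mapped address that 8.3 will never match.

```python
"""Rewrite 8.2-style ASA ACL destinations from mapped (NAT) IPs to real IPs.

Added example, not part of the thread. The sample config text below is
constructed around the addresses in the post; interface names, the ACL name
and the third ACL entry are assumptions.
"""
import re

# Constructed 8.2 static in the form "static (real_ifc,mapped_ifc) mapped_ip real_ip":
# the DMZ server's real IP 1.1.1.1 appears to the inside as 2.2.2.2.
STATIC_82 = """
static (dmz,inside) 2.2.2.2 1.1.1.1 netmask 255.255.255.255
"""

# Constructed 8.2 ACL on the inside interface that still names the mapped IP.
# The third entry (3.3.3.3) is an assumed host with no static, to show the check.
ACL_82 = """
access-list inside_in extended permit tcp 172.24.0.0 255.255.255.0 host 2.2.2.2 eq 80
access-list inside_in extended permit tcp 172.24.0.0 255.255.255.0 host 2.2.2.2 eq 443
access-list inside_in extended permit tcp host 172.24.0.10 host 3.3.3.3 eq 22
"""

_STATIC_RE = re.compile(
    r"^static \((\S+),(\S+)\) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)"
)


def parse_statics(text):
    """Return {mapped_ip: real_ip} built from 8.2 'static' lines."""
    table = {}
    for line in text.splitlines():
        m = _STATIC_RE.match(line.strip())
        if m:
            _real_ifc, _mapped_ifc, mapped_ip, real_ip = m.groups()
            table[mapped_ip] = real_ip
    return table


def _skip_addr(tokens, i):
    """Return the index just past an address spec starting at tokens[i]."""
    if tokens[i] == "any":
        return i + 1
    return i + 2  # either 'host X' or 'NETWORK MASK'


def _skip_port(tokens, i):
    """Return the index just past an optional port operator at tokens[i]."""
    if i < len(tokens) and tokens[i] in ("eq", "neq", "gt", "lt"):
        return i + 2
    if i < len(tokens) and tokens[i] == "range":
        return i + 3
    return i


def rewrite_acl(acl_text, mapped_to_real):
    """Rewrite destination 'host' IPs to their real IPs.

    Returns (rewritten_lines, unresolved_hosts). A destination host with no
    static entry is left unchanged and listed in unresolved_hosts so that a
    human can confirm it really is a non-NATted address.
    """
    rewritten, unresolved = [], []
    for raw in acl_text.splitlines():
        line = raw.strip()
        if not line.startswith("access-list "):
            continue
        tokens = line.split()
        # Layout assumed: access-list NAME extended permit|deny PROTO SRC [port] DST [port]
        i = _skip_port(tokens, _skip_addr(tokens, 5))
        if i < len(tokens) and tokens[i] == "host":
            dst = tokens[i + 1]
            if dst in mapped_to_real:
                tokens[i + 1] = mapped_to_real[dst]
            else:
                unresolved.append(dst)
        rewritten.append(" ".join(tokens))
    return rewritten, unresolved


if __name__ == "__main__":
    table = parse_statics(STATIC_82)
    lines, todo = rewrite_acl(ACL_82, table)
    print("\n".join(lines))
    for host in todo:
        print(f"! verify by hand: no static found for destination host {host}")
```

Feed it the `static` and `access-list` sections of the 8.2 configuration and diff the output against what the migration tool produced; the two should agree on every destination that had a static, and the "verify by hand" list is where remaining denies are most likely to come from.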


Hello Dylan,

That is 100% correct. You are right.

Please read this, it will help you!

Do rate all the helpful posts

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hello Dylan,

Below is the link to the release notes for 8.3. You will get most of the answers there, and your thoughts are perfect.

http://www.cisco.com/en/US/docs/security/asa/asa83/release/notes/asarn83.html

Thanks
