Beginner

ASA 8.3+ migration changes hosts to objects?

I'm testing upgrading an ASA from 8.2.5 to 8.4.4.  During the upgrade, it changed all of my ACL host entries to objects.  But I noticed that the keyword "host" is still a valid option when creating an ACL.

I'm trying to understand why this change is made during the migration.

Thank you.

Jason

Cisco Employee


From ASA 8.3 onwards, an ACL applied to the outside interface, for example, no longer uses the mapped/translated address for the destination but the real address.

For example:

If you have NAT for an internal host to a public IP, with version 8.2 and lower, the ACL applied to the outside interface will say something like: permit tcp any host eq 80

From version 8.3 onwards, the ACL will say: permit tcp any host eq 80

All the NAT configuration also changes from version 8.3 onwards.

Here are all the changes from version 8.3 onwards (major changes being the NAT configuration and also ACL):

http://www.cisco.com/en/US/docs/security/asa/asa83/release/notes/asarn83.html#wp432043

Hope that answers your question.

Beginner


This has nothing to do with NAT rules.  These were changes made to standard access-list rules.

Previously, it looked like this:

access-list acl_name extended permit tcp object-group obj_group_name host SERVER1 eq www

Now I get this:

object network SERVER1
 host 1.1.1.1
 description Created during name migration

access-list acl_name extended permit tcp object-group obj_group_name object SERVER1 eq www

Also, I noticed that it only did this if we had a name entry for the host.  If the ACL included a "host 10.10.10.10", then that ACL was unchanged.

Cisco Employee


Yes, you are right. The host that has a "name" entry gets migrated to object.

Here is the URL for your reference:

http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.html#wp106362

Here is the full migration document to version 8.3 and above for your reference:

http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.html
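As an added example (not code from this thread, from Cisco, or from the ASA's own migration tool), the script below emulates the behaviour the two posts above describe: every host that has a "name" entry and is referenced as "host NAME" in an access-list becomes an "object network NAME" with the "Created during name migration" description, the ACL line is rewritten to "object NAME", and a literal "host 10.10.10.10" is left untouched. The configuration fragment it runs on is constructed for the example; the real converter may differ in detail (ordering of the generated objects, whether "name" lines are retained), which is why the script also includes resolve_acl_hosts(), the check worth running after an upgrade: resolve every ACL host/object reference in the pre- and post-migration configs to concrete addresses and confirm the two lists are identical.

```python
import re

# Constructed pre-8.3 ASA configuration fragment (sample input for the example,
# not taken from the poster's device).
PRE_83_CONFIG = """\
name 1.1.1.1 SERVER1
name 1.1.1.2 SERVER2 description mail relay
object-group network obj_group_name
 network-object 10.10.10.0 255.255.255.0
access-list acl_name extended permit tcp object-group obj_group_name host SERVER1 eq www
access-list acl_name extended permit tcp any host SERVER2 eq 25
access-list acl_name extended permit tcp any host 10.10.10.10 eq 443
"""

# 'name <ip> <name> [description <text>]'
NAME_RE = re.compile(r"^name\s+(\S+)\s+(\S+)(?:\s+description\s+(.*))?$")


def parse_names(config):
    """Return {name: ip} for every 'name' command in the config."""
    names = {}
    for line in config.splitlines():
        m = NAME_RE.match(line.strip())
        if m:
            names[m.group(2)] = m.group(1)
    return names


def parse_objects(config):
    """Return {object_name: ip} for every 'object network X' / ' host <ip>' pair."""
    objs, current = {}, None
    for line in config.splitlines():
        if line.startswith("object network "):
            current = line.split()[2]
        elif current and line.startswith(" host "):
            objs[current] = line.split()[1]
        elif not line.startswith(" "):
            current = None  # left the object's sub-mode
    return objs


def migrate_names(config):
    """Emulate the 8.3 name migration described in the thread (assumed behaviour):
    'host <name>' in an ACL -> 'object <name>', plus a generated network object.
    Literal 'host <ip>' entries and all non-ACL lines pass through unchanged."""
    names = parse_names(config)
    used = {}  # name -> ip, in order of first use in an ACL
    acl_lines, other_lines = [], []

    def swap(m):
        name = m.group(1)
        if name in names:  # only names get migrated; raw IPs stay as 'host'
            used.setdefault(name, names[name])
            return "object " + name
        return m.group(0)

    for line in config.splitlines():
        if line.startswith("access-list "):
            acl_lines.append(re.sub(r"\bhost (\S+)", swap, line))
        else:
            other_lines.append(line)

    object_lines = []
    for name, ip in used.items():
        object_lines += [f"object network {name}", f" host {ip}",
                         " description Created during name migration"]
    # Objects are emitted before the ACLs that reference them, as the ASA does.
    return "\n".join(other_lines + object_lines + acl_lines) + "\n"


def resolve_acl_hosts(config):
    """Post-upgrade audit helper: for each access-list line, the concrete IPs that
    its 'host <name|ip>' and 'object <name>' tokens resolve to, in order."""
    names, objs = parse_names(config), parse_objects(config)
    resolved = []
    for line in config.splitlines():
        if not line.startswith("access-list "):
            continue
        ips = []
        # 'object-group' does not match: the pattern needs a space after 'object'.
        for kw, tok in re.findall(r"\b(host|object) (\S+)", line):
            ips.append(names.get(tok, tok) if kw == "host"
                       else objs.get(tok, "UNRESOLVED:" + tok))
        resolved.append(ips)
    return resolved


if __name__ == "__main__":
    post = migrate_names(PRE_83_CONFIG)
    print(post)
    # The ACLs must still point at exactly the same addresses after migration.
    assert resolve_acl_hosts(PRE_83_CONFIG) == resolve_acl_hosts(post)
    print("ACL host references resolve identically before and after migration")
```

Running the script prints the migrated fragment and then confirms the equivalence check; an "UNRESOLVED:" entry in the post-migration list would flag an object the ACL references but the config no longer defines, which is the kind of drift a diff of two configs would miss.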