ACL / NAT Order of Operation

GRANT3779
Spotlight

Hi All,

 

Scenario - I have an ACL on ASA Outside Interface. Inbound. So from Out to In.

I have a server sitting in my LAN behind the ASA and a static NAT setup for it.

 

Example addresses

Inside server address - 10.10.10.10
Public NAT'd address - 1.1.1.1

When allowing www access to the server from outside to in, would you use the inside address or the outside address of the server? I.e., does NAT happen before ACL processing?

e.g. - permit tcp any4 host 10.10.10.10 eq www

or

permit tcp any4 host 1.1.1.1 eq www

Thanks

3 Replies

Marvin Rhoads
Hall of Fame

Generally speaking, input interface ACL processing happens before NAT in an ASA. (Reference this support document.)

However, when building an ACL on an ASA, whether you use the real address or the public address depends on the version of ASA software. Pre-8.3 uses the public address. 8.3+ uses the real IP address.

Just to elaborate a little on what Marvin has said. In 8.3 and later the ACL and NAT are, for lack of a better word, integrated. So when an initial packet arrives at the ASA interface, the ASA (after it has checked for existing connections) checks the xlate table to see which private IP the public IP is translated to, and then matches that private IP against the interface ACL.

--

Please remember to select a correct answer and rate helpful posts

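As an added illustration of the two answers above (not configuration posted by anyone in the thread), here is how the same web server is published in 8.3+ versus pre-8.3, using the addresses from the question. The object name SRV-WEB, the ACL name OUTSIDE_IN, the interface names inside/outside and the test source 203.0.113.5 are assumed.

```cisco
! ---- ASA 8.3 and later: the ACL references the REAL (inside) address ----
object network SRV-WEB
 host 10.10.10.10
 nat (inside,outside) static 1.1.1.1
!
! Destination is the real IP, not the NAT'd 1.1.1.1, because the packet is
! un-translated before the inbound interface ACL is evaluated.
access-list OUTSIDE_IN extended permit tcp any4 host 10.10.10.10 eq www
access-group OUTSIDE_IN in interface outside
!
! Verification: walk a synthetic inbound SYN through the box. The phases listed
! should show UN-NAT before ACCESS-LIST, with the ACL matched on 10.10.10.10.
! (203.0.113.5 is a constructed example source from the documentation range.)
packet-tracer input outside tcp 203.0.113.5 12345 1.1.1.1 80

! ---- ASA pre-8.3: the ACL references the PUBLIC (mapped) address ----
static (inside,outside) 1.1.1.1 10.10.10.10 netmask 255.255.255.255
access-list OUTSIDE_IN extended permit tcp any host 1.1.1.1 eq www
access-group OUTSIDE_IN in interface outside
```

If an 8.3+ ACL still names 1.1.1.1, inbound www traffic is silently dropped by the implicit deny, and packet-tracer will report the drop at the ACCESS-LIST phase.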

Thanks guys. Appreciate the info.
