05-18-2012 05:38 AM - edited 03-11-2019 04:08 PM
I have not yet caught up to speed on ASA 8.3 changes and came across the below working ACL on an ASA running 8.3. The ACL is applied inbound to an Internet-facing publicly addressed interface. At this point the destination IP in the packet will not be 192.168.0.41 but the ASA outside public IP. My understanding was that ACLs were processed first, then NAT. The fact that this rule works implies things have changed?
access-list OUTSIDE_ACCESS_IN extended permit tcp any host 192.168.0.41 eq 54321
Regards,
Kent.
05-18-2012 05:43 AM
Here is the release notes for your reference:
http://www.cisco.com/en/US/docs/security/asa/asa83/release/notes/asarn83.html#wp460665
(check out: Firewall Features section: Use of Real IP addresses in access lists instead of translated addresses)
05-18-2012 05:42 AM
Absolutely correct.
From version 8.3 and later, the ACL behaviour has changed, whereby an ACL applied inbound on the Internet-facing interface will match on the destination being the real IP (private IP).
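To make the behaviour change concrete, here is an added example (not from the original thread) showing the same port-forward written for pre-8.3 and for 8.3+. It assumes the server is published on the outside interface address via static PAT and that the interfaces are named inside and outside; the thread does not state which NAT method is in use.

```text
! ---- Pre-8.3: NAT is configured with the "static" command and the ACL
! ---- must match the TRANSLATED (public) address, here the outside interface IP.
static (inside,outside) tcp interface 54321 192.168.0.41 54321 netmask 255.255.255.255
access-list OUTSIDE_ACCESS_IN extended permit tcp any interface outside eq 54321
access-group OUTSIDE_ACCESS_IN in interface outside

! ---- 8.3 and later: object NAT, and the ACL must match the REAL (private)
! ---- address, because the ASA untranslates the destination before the ACL check.
object network SERVER_41
 host 192.168.0.41
 nat (inside,outside) static interface service tcp 54321 54321
access-list OUTSIDE_ACCESS_IN extended permit tcp any host 192.168.0.41 eq 54321
access-group OUTSIDE_ACCESS_IN in interface outside
```

When reviewing an 8.3+ inbound ACL, an entry that still names a public/translated address no longer matches the intended traffic, so such lines should be treated as stale rather than as a working exposure.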
05-18-2012 05:53 AM
A pretty good move. I'm not so sure about the object-based NAT setup but I'm sure I'll get used to it.
Thanks for the tip.