05-04-2012 07:36 AM - edited 03-11-2019 04:02 PM
According to Cisco, MPF application inspection on the ASA is done AFTER network-address translation (and access-lists).
So a simple scenario like this:
static (inside,outside) 65.100.100.1 192.168.1.2 netmask 255.255.255.255
access-list test extended permit tcp any host 65.100.100.1 eq http
class-map test_class
 match access-list test
But what if I want to apply an inspection policy to outbound traffic that is being translated to the outside interface on the ASA?
This works fine with the default global policies, but what if I want to fine-tune? Do I base the policy on the external (outside) address of the ASA?
That just doesn't seem right.
05-04-2012 09:34 AM
Nope, it depends on the version that you are running. What version are you on?
Mike
05-04-2012 09:42 AM
This question would be for versions 7.2-8.2
When we get to 8.3, everything gets reversed for the access-lists, so it gets even more confusing. Before 8.3, an access-list applied to the external interface would act on the global (NATed) address of internal servers. Now, it looks like the access-list acts on the private (un-NATed) address through "real IP" and network objects.
So I would imagine that class-map statements with access-list matches inside them would break upon upgrading the ASA, or at least it seems that way.
05-04-2012 10:06 AM
They will migrate, as well as the policies applied; don't you worry.
If you want to apply an outbound policy, you can use the post-NAT IP and apply it on the outside.
Mike
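Putting Mike's answer into a pre-8.3 (7.2 to 8.2) configuration, as an added example that is not from the original thread: the static from the question, an access-list that matches the host's post-NAT (mapped) source address, and a policy map applied on the outside interface. The names OUTBOUND_HTTP, OUTBOUND_HTTP_CLASS and OUTSIDE_POLICY are assumed; the addresses are the ones from the question.

```cisco
! Pre-8.3 syntax (assumed example, not from the thread).
! Inside host 192.168.1.2 is statically translated to 65.100.100.1 on the outside.
static (inside,outside) 65.100.100.1 192.168.1.2 netmask 255.255.255.255
!
! Outbound policy on the outside interface: traffic is seen there AFTER NAT,
! so the match uses the mapped (post-NAT) address as the SOURCE.
access-list OUTBOUND_HTTP extended permit tcp host 65.100.100.1 any eq http
!
class-map OUTBOUND_HTTP_CLASS
 match access-list OUTBOUND_HTTP
!
policy-map OUTSIDE_POLICY
 class OUTBOUND_HTTP_CLASS
  inspect http
!
! Interface policy: takes precedence over global_policy for matching traffic on outside.
service-policy OUTSIDE_POLICY interface outside
```

Verify with "show service-policy interface outside" that the class counters increment for the translated host. On 8.3 and later, as noted earlier in the thread, the access-list in the class map references the real (pre-NAT) address, so the same line would use host 192.168.1.2 instead.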