I have inherited a very old and very ugly ASA firewall policy. I'm more of a Checkpoint firewall engineer but do have some basic Cisco knowledge and have been muddling through on the CLI as best I can until we can get this site to our corporate standards.
That said, we have recently deployed a proxy server/content filter for internet browsing and, due to the positioning of this, we have had to implement a rather large nat0 ACL so that browser traffic, which gets sent via WCCP (managed on the internet router, one step beyond the ASA outbound), is not NAT'd. While this works fine in most cases, it's obviously problematic in a few situations (such as any service other than http/https still needing a public NAT for traversing the internet; currently this is handled via overload addresses on the Internet router).
My critical/immediate issue right now is that I've got an entry in the nat0 ACL for a /24 internal network, but I need to essentially override that for a single IP within that /24 network range so that this one particular source IP gets a specific public NAT when traversing the internet.
I guess what I'm looking for is some kind of ACL I can write for a specific host which would be 'more specific' and therefore take precedence over the nat0 ACL for the /24 network? Or does the nat0 ACL 'trump all other ACLs'?
Any help is appreciated. Note that upgrading this ASA code is kind of out of the question at this time.
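An added configuration example, not part of the original post, showing how a single host can be carved out of a NAT exemption on a pre-8.3 ASA (the `nat 0 access-list` form only exists on that code train, which matches the "no upgrade" constraint). On those releases NAT exemption is evaluated before static and dynamic NAT, so a more specific static rule on its own does not win; instead a `deny` ACE placed ahead of the /24 `permit` in the exemption ACL removes the host from exemption, after which an ordinary static translation applies to it. Interface names `inside`/`outside`, the ACL name `NAT0`, and all addresses below are constructed assumptions, not values from the post:

```cisco
! Constructed addresses: 10.1.1.0/24 stands in for the internal /24 from the
! post, 10.1.1.50 is the host that needs its own public address, and
! 203.0.113.50 is the public address it should be translated to.
!
! NAT exemption (nat 0 access-list) is matched before static or dynamic NAT,
! so the host has to be excluded from the exemption ACL itself. ACEs are
! evaluated top-down: the deny for the host must come before the /24 permit.
access-list NAT0 extended deny ip host 10.1.1.50 any
access-list NAT0 extended permit ip 10.1.1.0 255.255.255.0 any
nat (inside) 0 access-list NAT0
!
! With the host no longer exempt, a one-to-one static translation takes effect
! for its traffic crossing from inside to outside.
static (inside,outside) 203.0.113.50 10.1.1.50 netmask 255.255.255.255
!
! Existing translations keep whatever rule built them until they time out;
! clear the host's entries so the new ordering applies to its next connection.
clear xlate local 10.1.1.50
!
! Confirm which NAT rule a flow actually hits before relying on it
! (192.0.2.10 is a constructed external destination).
packet-tracer input inside tcp 10.1.1.50 40000 192.0.2.10 443
```

The `deny ... any` removes the host from exemption for every destination, including anything that previously reached the WCCP router untranslated; if only internet-bound traffic should be translated, narrow the deny to those destination ranges and leave a more specific permit for the proxy path above it. After applying, `show xlate | include 10.1.1.50` and the `packet-tracer` output should both show the static translation rather than an exemption match.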