Quick Question folks...
I understand that in ASA 8.3 and higher, ACLs use real IP addresses instead of NAT'ed addresses. My question is: if you still use NAT'ed addresses, will it work?
Thanks in advance...
So that I'm clear, 8.3+ DOES NOT allow NAT'ed addresses to be used in ACLs to filter traffic?
So all ACLs will need to be rewritten and related objects (and/or groups) must be updated to reflect real addresses?
I know I may be beating a dead horse, but I just want to be certain going forward.
I agree with Collin: while performing a software upgrade, the automatic conversion tool will convert the configuration. This could lead to a configuration that is several times larger than the current one, and various objects will be automatically named in a way you don't want them to be named. Also, some corner cases will generate configuration that you perhaps will not be satisfied with.
That is why we always do an automatic config upgrade in the lab, then revise and edit the configuration, rename objects, delete parts we don't need, and design in the lab a configuration that best meets both our naming standards and our other requirements. For example, going for a global ACL instead of per-interface ACLs is a common step, because a global ACL leads to much less administrative overhead than per-interface ACLs.
The fw123test tool is of course used in the lab to verify the configuration we have prepared.
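As an added illustration (not posted by anyone in this thread), here is the same inbound rule written in pre-8.3 and in 8.3+ syntax, plus the stale-ACL pitfall the upgrade can leave behind; the addresses 10.1.1.10, 203.0.113.10, 198.51.100.5 and the object name WEB_SERVER_REAL are made up for the example.

```text
! --- Pre-8.3: the ACL names the MAPPED (NAT'ed) address ---
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 80
access-group OUTSIDE_IN in interface outside

! --- 8.3 and later: NAT hangs off a network object, and the
! --- ACL names the REAL address (here, via the object) ---
object network WEB_SERVER_REAL
 host 10.1.1.10
 nat (inside,outside) static 203.0.113.10
access-list OUTSIDE_IN extended permit tcp any object WEB_SERVER_REAL eq 80
access-group OUTSIDE_IN in interface outside

! --- Pitfall: an entry carried over unchanged from the old config ---
! access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 80
! On 8.3+ the interface ACL is evaluated after the destination has been
! untranslated to 10.1.1.10, so this entry never matches and the packet
! falls through to the implicit deny. Verify in the lab with:
! show access-list OUTSIDE_IN        (hit count stays 0 on the stale entry)
! packet-tracer input outside tcp 198.51.100.5 12345 203.0.113.10 80
```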