ASA 8.3+ ACLs

Rising star (original poster)

Quick Question folks...

I understand that in ASA 8.3 and higher ACLs use real IP addresses instead of NAT'ed addresses. My question is, if you still use NAT'ed addresses will it work?

Thanks in advance...


Advisor

It will not.

Rising star (original poster)

So that I'm clear, 8.3+ DOES NOT allow NAT'ed addresses to be used in ACLs to filter traffic?

So all ACLs will need to be rewritten and related objects (and/or groups) must be updated to reflect real addresses?

I know I may be beating a dead horse, but I just want to be certain going forward.

Advisor (accepted solution)

That is correct. If you're upgrading from pre-8.3 to 8.3 or greater, that conversion will happen for you. But going forward, yes, you will need to use the real IP in ACLs.


Beginner

I agree with Collin: while performing a software upgrade, the automatic conversion tool will convert the configuration. This could lead to a configuration that is multiple times larger than the current one, and various objects will be automatically named in a way you don't want them to be named. Some corner cases will also generate configuration that you perhaps will not be satisfied with.

That is why we always do an automatic config upgrade in the lab, then revise and edit the configuration, rename objects, delete the parts we don't need, and design in the lab a configuration that best meets both our naming standards and our other requirements. For example, going for a global ACL instead of per-interface ACLs is a common step, because a global ACL leads to much less administrative overhead than per-interface ACLs.

The fw123test tool is of course used in the lab to verify the configuration we have prepared.
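A worked before/after configuration, added here as an example and not part of any post in this thread, to make concrete both the accepted answer (on 8.3+ the ACL must name the real address, and a rule left with the mapped address simply stops matching) and the last reply's cleanup step (renaming auto-generated objects and moving to a global ACL). All addresses, object names and ACL names are hypothetical; the "auto-migrated" section shows the typical shape of what the 8.3 migration generates for a simple static, and the exact output depends on the rest of the configuration.

```cisco
! ---------------------------------------------------------------------------
! 1. Pre-8.3 (hypothetical addresses). The inbound ACL on "outside" names the
!    mapped (NAT'ed) address 203.0.113.10, because that is the destination the
!    packet still carries when the ACL is evaluated on these releases.
! ---------------------------------------------------------------------------
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255
access-list outside_in extended permit tcp any host 203.0.113.10 eq 80
access-group outside_in in interface outside

! ---------------------------------------------------------------------------
! 2. Typical shape of the automatic migration to 8.3+. NAT becomes object NAT
!    on an auto-named object (obj-<real address>), and the ACL is rewritten to
!    the real address because 8.3+ un-translates the destination BEFORE the
!    ACL lookup. Functionally correct, but the naming is what the last reply
!    complains about.
! ---------------------------------------------------------------------------
object network obj-10.1.1.10
 host 10.1.1.10
 nat (inside,outside) static 203.0.113.10
access-list outside_in extended permit tcp any host 10.1.1.10 eq 80
access-group outside_in in interface outside

! ---------------------------------------------------------------------------
! 3. Hand-cleaned version prepared in the lab: a descriptive object name, the
!    ACL referencing the object rather than a literal, and one global ACL
!    (available from 8.3) instead of a per-interface ACL.
! ---------------------------------------------------------------------------
object network WEB-SRV
 description internal web server, published as 203.0.113.10
 host 10.1.1.10
 nat (inside,outside) static 203.0.113.10
access-list global_access extended permit tcp any object WEB-SRV eq 80
access-group global_access global

! ---------------------------------------------------------------------------
! 4. The failure mode behind the "It will not" answer. On 8.3+ this rule is
!    syntactically valid but never matches inbound web traffic: by the time
!    the ACL is checked the destination is already 10.1.1.10, so the packet
!    falls through to the implicit deny and is dropped without any error.
! ---------------------------------------------------------------------------
access-list outside_in extended permit tcp any host 203.0.113.10 eq 80

! ---------------------------------------------------------------------------
! 5. Lab check. Feed packet-tracer the packet as it appears on the wire (the
!    mapped destination) and read the phases: UN-NAT should rewrite the
!    destination to 10.1.1.10 and the ACCESS-LIST phase should show ALLOW.
! ---------------------------------------------------------------------------
packet-tracer input outside tcp 198.51.100.5 40000 203.0.113.10 80 detailed
```

If the ACCESS-LIST phase of the trace shows DROP for a flow you expect to be permitted, look for a rule that still names the mapped address, as in section 4. When an interface ACL and the global ACL coexist, the interface ACL is evaluated first and the global ACL only sees traffic the interface ACL does not explicitly match, so moving to a global ACL is best done for all interfaces at once rather than rule by rule.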