Solved: ASA 8.3+ ACLs

Antonio Knox · ‎02-04-2015

Quick Question folks...

I understand that in ASA 8.3 and higher ACLs do real ip addresses instead of NAT'ed addresses. My question is, if you still use NAT'ed addresses will it work?

Thanks in advance...

Collin Clark · ‎02-20-2015

That is correct. If you're upgrading pre 8.3 to 8.3 or greater, that conversion will happen for you. But going forward, yes you will need to use the real IP in ACL's

View solution in original post

Collin Clark · ‎02-04-2015

It will not.

Antonio Knox · ‎02-20-2015

So that I'm clear, 8.3+ DOES NOT allow NAT'ed addresses to be used in ACLs to filter traffic?

So all ACLs will need to be rewritten and related objects (and/or groups) must be updated to reflect real addresses?

I know I may be beating a dead horse, but I just want to be certain going forward.

Collin Clark · ‎02-20-2015

That is correct. If you're upgrading pre 8.3 to 8.3 or greater, that conversion will happen for you. But going forward, yes you will need to use the real IP in ACL's

Milan Mesic · ‎02-22-2015

I agree with Collin, while performing software upgrade, automatic conversion tool will convert the configuration. And this could lead to configuration that is multiple times larger than current, and various objects will be automatically named the way you don't want them to be named. Also some corner cases will generate configuration that you perhaps will not be satisfied with.

That is why we always do an automatic config upgrade in lab, than revise and edit configuration, rename objects, delete parts we don't need, and design in lab configuration that best meets our both naming standards, and also other parts. For example going for a global ACL instead per-interface is a common step, because global ACL leads to much less administrative operations overhead than per-interface.

fw123test tool is of course used in lab to verify configuration we have prepared.