ASA 8.3 and Packet Flow

Has the packet flow on ASA 8.3 changed?

In earlier version 8.2 we used to put the permit statement on the mapped address; however, in OS versions starting with 8.3, access-list entries should have the real address.

Example

Lan Server/Real ( 192.168.1.2 )

Outside IP/Mapped ( 202.202.202.202 )

Configured NAT

ASA OS 8.2 and earlier

access-list outside_in extended permit ip host 4.2.2.2 host 202.202.202.202

ASA OS 8.3 and later

access-list outside_in extended permit ip host 4.2.2.2 host 192.168.1.2

In the earlier OS the packet used to come in on the outside interface, after which the ACL was checked; if the ACL permits the traffic, the packet flows further to the NAT process.

In the newer OS the packet comes in on the outside interface, after which NAT takes place; once the NAT is done the mapped IP is changed to the real IP and the ASA checks the ACL. Don't you think the newer OS will use much more CPU, because every packet to 202.202.202.202 is going through NAT while I have blocked all IPs and allowed only 4.2.2.2 to access it?
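The ordering difference described above, modelled as an added Python example (not code from the original post or from Cisco): the same static NAT and two ACL variants are run through a pre-8.3 flow (ACL on the mapped address, then un-NAT) and an 8.3+ flow (un-NAT, then ACL on the real address). The host 4.2.2.2 and the addresses 192.168.1.2 / 202.202.202.202 come from the post; the source 9.9.9.9 is a constructed unauthorised sender, and the function names are this example's own. The practitioner's point it makes is that an 8.2-style ACL left in place after an upgrade fails closed (legitimate 4.2.2.2 traffic is dropped because the ACL never sees the mapped address), and that in the 8.3+ order the NAT lookup is performed even for packets the ACL then denies.

```python
"""Toy model of ASA inbound processing order, pre-8.3 vs 8.3+ (added example)."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


@dataclass(frozen=True)
class Ace:
    """One access-list entry; src/dst are CIDR strings or 'any'."""
    action: str  # "permit" or "deny"
    src: str
    dst: str


def _match(addr: str, pattern: str) -> bool:
    if pattern == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)


def evaluate_acl(acl: list[Ace], pkt: Packet) -> bool:
    """First matching entry wins; an ASA ACL ends with an implicit deny."""
    for ace in acl:
        if _match(pkt.src, ace.src) and _match(pkt.dst, ace.dst):
            return ace.action == "permit"
    return False


# Static NAT from the post: real 192.168.1.2 is published as 202.202.202.202.
NAT_STATIC = {"202.202.202.202": "192.168.1.2"}


def untranslate(pkt: Packet) -> Packet:
    """Un-NAT the destination (mapped -> real) if a static entry exists."""
    real = NAT_STATIC.get(pkt.dst)
    return Packet(pkt.src, real) if real else pkt


def inbound_pre83(pkt: Packet, acl: list[Ace]) -> tuple[str, Packet, int]:
    """8.2 and earlier: ACL is checked against the mapped address first,
    and only permitted packets reach NAT.
    Returns (verdict, packet as forwarded, number of NAT lookups done)."""
    if not evaluate_acl(acl, pkt):
        return ("denied", pkt, 0)
    return ("permitted", untranslate(pkt), 1)


def inbound_83(pkt: Packet, acl: list[Ace]) -> tuple[str, Packet, int]:
    """8.3 and later: un-NAT happens first, so the ACL sees the real address
    and the NAT lookup is spent even on packets that end up denied."""
    real_pkt = untranslate(pkt)
    if not evaluate_acl(acl, real_pkt):
        return ("denied", real_pkt, 1)
    return ("permitted", real_pkt, 1)


# The two ACL variants from the post (4.2.2.2 is the only permitted source).
ACL_OLD_STYLE = [Ace("permit", "4.2.2.2/32", "202.202.202.202/32")]  # 8.2 form
ACL_NEW_STYLE = [Ace("permit", "4.2.2.2/32", "192.168.1.2/32")]      # 8.3+ form

# Constructed sample traffic: the permitted host and an unauthorised host.
ALLOWED = Packet("4.2.2.2", "202.202.202.202")
BLOCKED = Packet("9.9.9.9", "202.202.202.202")  # constructed, not from the post


def migration_check() -> dict:
    """Run both flows with both ACL styles so the upgrade pitfall is visible."""
    return {
        "8.2 flow, 8.2 ACL, allowed host": inbound_pre83(ALLOWED, ACL_OLD_STYLE),
        "8.3 flow, 8.2 ACL, allowed host": inbound_83(ALLOWED, ACL_OLD_STYLE),   # fails closed
        "8.3 flow, 8.3 ACL, allowed host": inbound_83(ALLOWED, ACL_NEW_STYLE),
        "8.2 flow, 8.2 ACL, blocked host": inbound_pre83(BLOCKED, ACL_OLD_STYLE),  # 0 NAT lookups
        "8.3 flow, 8.3 ACL, blocked host": inbound_83(BLOCKED, ACL_NEW_STYLE),     # 1 NAT lookup
    }


if __name__ == "__main__":
    for label, (verdict, fwd, lookups) in migration_check().items():
        print(f"{label}: {verdict:9s} dst={fwd.dst:16s} nat_lookups={lookups}")
```

The "8.3 flow, 8.2 ACL" row is the one to look for after an upgrade: the old entry still parses, but it never matches because the destination has already been rewritten to 192.168.1.2, so the published service simply stops answering rather than opening up. The `nat_lookups` column is the cost the question asks about: in the 8.3+ order the static-NAT lookup runs before the ACL for every inbound packet to the mapped address, including the ones that are dropped.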


You are right, with the change to the new NAT-model, there was also the change in the ACL that you mention. One benefit of the new model is that you have less to reconfigure if you change your ISP (and you don't have PI-addresses).

The CPU didn't change that much on my ASAs after upgrading from 8.2 to 8.3 and higher.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
