cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1452
Views
0
Helpful
3
Replies

ASA 8.3+ migration changes hosts to objects?

jason.williams
Beginner
Beginner

I'm testing upgrading an ASA from 8.2.5 to 8.4.4.  During the the upgrade, it change all of my ACL host entries to objects.  But I noticed that the keyword "host" is still a valid option when creating an ACL.

I'm trying to understand why this change is made during the migration.

Thank you.

Jason

3 Replies 3

Jennifer Halim
Cisco Employee
Cisco Employee

From ASA 8.3 onwards, ACL applied to the outside interface for example the destination no longer use the mapped/translated address but the real address.

For example:

If you have NAT for an internal host to a public IP, with version 8.2 and lower, the ACL applied to the outside interface will say something like: permit tcp any host eq 80

From version 8.3 onwards, the ACL will say: permit tcp any host eq 80

All the NAT configuration also changes from version 8.3 onwards.

Here are all the changes from version 8.3 onwards (major changes being the NAT configuration and also ACL):

http://www.cisco.com/en/US/docs/security/asa/asa83/release/notes/asarn83.html#wp432043

Hope that answers your question.

This has nothing to do with NAT rules.  These were changes made to standard access-list rules.

Previously, it looked like this:

access-list acl_name extended permit tcp object-group obj_group_name host SERVER1 eq www

Now I get this:

object network SERVER1

host 1.1.1.1

description Created during name migration

access-list acl_name extended permit tcp object-group obj_group_name object SERVER1 eq www

Also, I noticed that it only did this if we had a name entry for the host.  If the ACL included a "host 10.10.10.10", then that ACL was unchanged.

Yes, you are right. The host that has a "name" entry gets migrated to object.

Here is the URL for your reference:

http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.html#wp106362

Here is the full migration document to version 8.3 and above for your reference:

http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.html

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: