Beginner

ASA 8.3+ migration changes hosts to objects?

I'm testing upgrading an ASA from 8.2.5 to 8.4.4.  During the upgrade, it changed all of my ACL host entries to objects.  But I noticed that the keyword "host" is still a valid option when creating an ACL.

I'm trying to understand why this change is made during the migration.

Thank you.

Jason

3 REPLIES
Cisco Employee

From ASA 8.3 onwards, an ACL applied to the outside interface, for example, no longer uses the mapped/translated address for the destination but the real address.

For example:

If you have NAT for an internal host to a public IP, with version 8.2 and lower, the ACL applied to the outside interface will say something like: permit tcp any host eq 80

From version 8.3 onwards, the ACL will say: permit tcp any host eq 80

All the NAT configuration also changes from version 8.3 onwards.

Here are all the changes from version 8.3 onwards (major changes being the NAT configuration and also ACL):

http://www.cisco.com/en/US/docs/security/asa/asa83/release/notes/asarn83.html#wp432043

Hope that answers your question.

This has nothing to do with NAT rules.  These were changes made to standard access-list rules.

Previously, it looked like this:

access-list acl_name extended permit tcp object-group obj_group_name host SERVER1 eq www

Now I get this:

object network SERVER1
 host 1.1.1.1
 description Created during name migration

access-list acl_name extended permit tcp object-group obj_group_name object SERVER1 eq www

Also, I noticed that it only did this if we had a name entry for the host.  If the ACL included a "host 10.10.10.10", then that ACL was unchanged.

Yes, you are right. The host that has a "name" entry gets migrated to an object.

Here is the URL for your reference:

http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.html#wp106362

Here is the full migration document to version 8.3 and above for your reference:

http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.html
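To check the behaviour described in this thread before and after an upgrade, here is an added example (not Cisco's migration code, and not from any poster) that applies the same rule to a constructed pre-8.3 config fragment: every "name" entry becomes a network object with the "Created during name migration" description, "host NAME" in an ACL becomes "object NAME", and a literal "host 10.10.10.10" is left untouched. The sample config, the function name migrate_names and the handling of the original "name" lines (kept as-is here) are assumptions of the example.

```python
import re

# Constructed sample of a pre-8.3 ASA config fragment; not taken from the thread.
PRE_83_CONFIG = """\
name 1.1.1.1 SERVER1
name 10.20.30.40 DBHOST
access-list acl_name extended permit tcp object-group obj_group_name host SERVER1 eq www
access-list acl_name extended permit tcp any host 10.10.10.10 eq 443
access-list acl_name extended permit tcp host DBHOST host SERVER1 eq 1433
"""


def parse_names(config: str) -> dict:
    """Return {NAME: ip} for every 'name <ip> <NAME>' line, in config order."""
    names = {}
    for line in config.splitlines():
        m = re.match(r"name (\S+) (\S+)$", line)
        if m:
            names[m.group(2)] = m.group(1)
    return names


def migrate_names(config: str) -> str:
    """Emulate the 8.3 name migration: emit one network object per 'name'
    entry and rewrite 'host NAME' ACL references to 'object NAME'.
    A 'host <literal-ip>' entry has no name entry, so it is not changed."""
    names = parse_names(config)

    objects = []
    for name, ip in names.items():
        objects += [f"object network {name}",
                    f" host {ip}",
                    " description Created during name migration"]

    def rewrite(line: str) -> str:
        # Only rewrite when the token after 'host' is a declared name.
        return re.sub(
            r"\bhost (\S+)",
            lambda m: f"object {m.group(1)}" if m.group(1) in names else m.group(0),
            line,
        )

    # Assumption: 'name' lines and everything else are kept unchanged; only
    # access-list lines are rewritten, and the objects are emitted first.
    body = [rewrite(l) if l.startswith("access-list ") else l
            for l in config.splitlines()]
    return "\n".join(objects + body) + "\n"


if __name__ == "__main__":
    print(migrate_names(PRE_83_CONFIG))
```

Diffing this output against the post-upgrade running config is a quick way to confirm that only name-based host entries moved to objects.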
