I'm testing upgrading an ASA from 8.2.5 to 8.4.4. During the upgrade, it changed all of my ACL host entries to objects. But I noticed that the keyword "host" is still a valid option when creating an ACL.
I'm trying to understand why this change is made during the migration.
From ASA 8.3 onwards, an ACL applied to the outside interface, for example, no longer uses the mapped/translated address for the destination but the real address.
If you have NAT for an internal host to a public IP, with version 8.2 and lower, the ACL applied to the outside interface will say something like: permit tcp any host
From version 8.3 onwards, the ACL will say: permit tcp any host
All the NAT configuration also changes from version 8.3 onwards.
Here are all the changes from version 8.3 onwards (major changes being the NAT configuration and also ACL):
Hope that answers your question.
This has nothing to do with NAT rules. These were changes made to standard access-list rules.
Previously, it looked like this:
access-list acl_name extended permit tcp object-group obj_group_name host SERVER1 eq www
Now I get this:
object network SERVER1
description Created during name migration
access-list acl_name extended permit tcp object-group obj_group_name object SERVER1 eq www
Also, I noticed that it only did this if we had a name entry for the host. If the ACL included a "host 10.10.10.10", then that ACL was unchanged.
Yes, you are right. The host that has a "name" entry gets migrated to an object.
Here is the URL for your reference:
Here is the full migration document to version 8.3 and above for your reference:
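As an added illustration of the behaviour described in the two posts above (this is not Cisco's migration code; the names, addresses and ACL lines are constructed), the following Python sketch rewrites "host NAME" entries in ACLs into network objects while leaving a literal "host 10.10.10.10" untouched:

```python
import re

# Constructed pre-8.3 configuration fragment (not from a real device).
OLD_CONFIG = """\
name 192.168.1.10 SERVER1
name 192.168.1.11 SERVER2
access-list acl_name extended permit tcp object-group obj_group_name host SERVER1 eq www
access-list acl_name extended permit tcp any host 10.10.10.10 eq 443
access-list acl_name extended permit tcp host SERVER1 host SERVER2 eq 22
"""

NAME_RE = re.compile(r"^name\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)\s*$")
HOST_RE = re.compile(r"\bhost\s+(\S+)")


def migrate_names_to_objects(config: str) -> list:
    """Rewrite 'host NAME' in ACLs to 'object NAME' backed by a network object.
    NAME must come from a 'name' entry; a literal 'host A.B.C.D' is left alone."""
    lines = config.splitlines()
    names = {m.group(2): m.group(1)            # symbolic name -> real IP
             for m in map(NAME_RE.match, lines) if m}
    objects, created, rest = [], set(), []

    def to_object(m):
        token = m.group(1)
        if token not in names:                 # literal IP: unchanged
            return m.group(0)
        if token not in created:               # define each object only once
            created.add(token)
            objects.extend([f"object network {token}",
                            f" host {names[token]}",
                            " description Created during name migration"])
        return f"object {token}"

    for line in lines:
        if NAME_RE.match(line):
            continue                           # handled below
        if line.startswith("access-list "):
            line = HOST_RE.sub(to_object, line)
        rest.append(line)

    # 'name' entries survive; objects are defined before the ACLs that use them
    return [l for l in lines if NAME_RE.match(l)] + objects + rest


if __name__ == "__main__":
    print("\n".join(migrate_names_to_objects(OLD_CONFIG)))
```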