Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1588
Views
0
Helpful
3
Replies

ASA 8.3+ migration changes hosts to objects?

jason.williams
Level 1
Level 1

‎09-25-2012 09:24 AM - edited ‎03-11-2019 04:58 PM

I'm testing upgrading an ASA from 8.2.5 to 8.4.4.  During the the upgrade, it change all of my ACL host entries to objects.  But I noticed that the keyword "host" is still a valid option when creating an ACL.

I'm trying to understand why this change is made during the migration.

Thank you.

Jason

Labels:
0 Helpful
3 Replies 3

Jennifer Halim
Cisco Employee
Cisco Employee

‎09-25-2012 01:59 PM

From ASA 8.3 onwards, ACL applied to the outside interface for example the destination no longer use the mapped/translated address but the real address.

For example:

If you have NAT for an internal host to a public IP, with version 8.2 and lower, the ACL applied to the outside interface will say something like: permit tcp any host eq 80

From version 8.3 onwards, the ACL will say: permit tcp any host eq 80

All the NAT configuration also changes from version 8.3 onwards.

Here are all the changes from version 8.3 onwards (major changes being the NAT configuration and also ACL):

http://www.cisco.com/en/US/docs/security/asa/asa83/release/notes/asarn83.html#wp432043

Hope that answers your question.

0 Helpful

jason.williams
Level 1
Level 1
In response to Jennifer Halim

‎09-26-2012 05:30 AM

This has nothing to do with NAT rules.  These were changes made to standard access-list rules.

Previously, it looked like this:

access-list acl_name extended permit tcp object-group obj_group_name host SERVER1 eq www

Now I get this:

object network SERVER1

host 1.1.1.1

description Created during name migration

access-list acl_name extended permit tcp object-group obj_group_name object SERVER1 eq www

Also, I noticed that it only did this if we had a name entry for the host.  If the ACL included a "host 10.10.10.10", then that ACL was unchanged.

0 Helpful

Jennifer Halim
Cisco Employee
Cisco Employee
In response to jason.williams

‎09-27-2012 07:58 AM

Yes, you are right. The host that has a "name" entry gets migrated to object.

Here is the URL for your reference:

http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.html#wp106362

Here is the full migration document to version 8.3 and above for your reference:

http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.html

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card