2185 Views | 0 Helpful | 4 Replies

ASA 9.1 Access-list , real IP addresses

DannyHuston
Level 1

So in the past, from 8.2 down, I had one-to-one NATs like so:

static (inside,outside) A.A.A.A B.B.B.B netmask 255.255.255.255

but for 9.1, which I'm running now, I need to do this:

object network obj-B.B.B.B
  host B.B.B.B
  nat (inside,outside) static A.A.A.A

So if I make an ACL to permit outside public access to the public IP (A.A.A.A) in 9.1, do I use the real IP address B.B.B.B or the object itself, obj-B.B.B.B?

1 Accepted Solution

Accepted Solutions

Hi,

For example:

object network SERVER
  host 10.10.10.10
  nat (inside,outside) static 1.2.3.4

access-list OUTSIDE-IN permit tcp any object SERVER eq www

OR

access-list OUTSIDE-IN permit tcp any host 10.10.10.10 eq www

Where:

  • SERVER = Name of the object under which the Real IP and its NAT is defined
  • 10.10.10.10 = Real IP of the server
  • 1.2.3.4 = Public (NAT) IP of the server

So you always open the port/service to the Real IP address of the destination even if there is a NAT configured for it.

- Jouni


4 Replies

Jouni Forss
VIP Alumni

Hi,

Yes, that's pretty much it.

You always make the rules using the Real IP address. I tend to use the "object" in the ACLs. In certain situations I might group several "object"s under an "object-group" and use the "object-group".

This way of creating rules is basically because the ACL and NAT are gone through in a different order compared to the "older" software.

- Jouni
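The point made in the accepted answer and in this reply (on 8.3+ the ACL is evaluated against the real, un-translated destination, so a rule written for the public NAT address never matches) can be turned into a simple config check. The script below is an added example, not Jouni's or Cisco's code: it parses `object network` blocks with a `host` and a `static` NAT, then flags `access-list` lines whose destination `host` is one of the mapped (public) addresses. The configuration it scans is constructed for the example and only handles the simple `host`/`static` case shown in the thread.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample ASA 9.x config (not from the thread): two objects with
# static NAT, one ACL entry correctly using the object, one correctly using
# the real IP, and one mistakenly written against the mapped (public) IP.
SAMPLE_CONFIG = """\
object network SERVER
 host 10.10.10.10
 nat (inside,outside) static 1.2.3.4
object network WEB2
 host 10.10.10.20
 nat (inside,outside) static 1.2.3.5
access-list OUTSIDE-IN extended permit tcp any object SERVER eq www
access-list OUTSIDE-IN extended permit tcp any host 1.2.3.5 eq www
access-list OUTSIDE-IN extended permit tcp any host 10.10.10.20 eq ssh
"""

def parse_static_nats(config: str) -> Dict[str, str]:
    """Return {mapped_ip: real_ip} for every 'object network' that has a
    'host' line followed by a 'nat (...) static <ip>' line."""
    nats: Dict[str, str] = {}
    real = None
    for line in config.splitlines():
        if line.startswith("object network "):
            real = None                      # new object, forget previous host
        elif m := re.match(r"\s*host (\d+\.\d+\.\d+\.\d+)\s*$", line):
            real = m.group(1)
        elif (m := re.match(r"\s*nat \(\S+\) static (\d+\.\d+\.\d+\.\d+)", line)) and real:
            nats[m.group(1)] = real
    return nats

def find_mapped_ip_acls(config: str) -> List[Tuple[str, str, str]]:
    """Flag ACL entries whose 'host' destination is a mapped NAT address.
    Returns (acl_line, mapped_ip, real_ip) so the rule can be rewritten."""
    nats = parse_static_nats(config)
    hits = []
    for line in config.splitlines():
        if not line.startswith("access-list "):
            continue
        m = re.search(r"\bhost (\d+\.\d+\.\d+\.\d+)", line)
        if m and m.group(1) in nats:
            hits.append((line, m.group(1), nats[m.group(1)]))
    return hits

if __name__ == "__main__":
    for acl, mapped, real in find_mapped_ip_acls(SAMPLE_CONFIG):
        print(f"Rule never matches on 8.3+: {acl}")
        print(f"  use the real IP instead: {acl.replace(mapped, real)}")
```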

OK, just to confirm, I do

access-list outside_access_in_1 extended permit tcp any object obj-B.B.B.B

or

access-list outside_access_in_1 extended permit tcp any object B.B.B.B


Either one will work? Even if the access is meant to go to its public NAT A.A.A.A?


Thanks!
