06-07-2016 03:46 AM - edited 03-12-2019 12:51 AM
Hello,
Will an ASA's (v9.4) access policy apply when connecting to a NAT'd address from the same subnet?
I.e. Source = 192.168.10.5; Destination = 192.168.10.10 (NAT rule on firewall - physical addr 192.168.200.10).
Thanks!
06-07-2016 04:50 AM
Hi,
Do you mean if the access-list will work for the intra-interface traffic, which means that the ingress and egress interface is same on ASA?
Regards,
Jagrati
06-07-2016 06:48 AM
Hi - No, I believe this would be inter-interface.
E.g. Traffic is ingress on eth0 (to use the example above, eth0 would have an addr of 192.168.10.1) and egress via eth1 (with an addr of 192.168.200.1).
Surely access rules must come into effect in this scenario as the packet is traversing both interfaces. It is a firewall after all, not a reverse proxy.
I would expect this if it was a routed connection (Source = 10.10.10.10), I'm just uncertain of the behavior when it's in the same subnet as the firewall interface (eth0).
06-07-2016 06:53 AM
To see how the traffic is going to flow via the ASA, you can use packet-tracer.
#packet-tracer input inside tcp <source-ip> <source-port> <destination-ip> <destination-port> detailed
Try to check with the IPs and ports how the traffic is going through the ASA. This will give you a detailed view.
Jagrati
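The flow asked about in the thread, worked through as an added example (a constructed Python model, not from the original posts or from Cisco). It encodes two behaviours of ASA 8.3 and later that decide the answer: destination un-NAT runs before the ingress interface access-list, so access rules are matched against the real (untranslated) destination address, and when a static NAT rule matches, the egress interface is taken from that rule rather than from a route lookup. The interface names "inside" and "dmz", the ACL contents and the routes are assumptions; the addresses are the ones from the question.

```python
"""Toy model of the ASA 9.x packet-flow order for a NAT'd destination.

Constructed example, not output from a real ASA. Assumed: interface names
"inside"/"dmz", the ACL entries and the static routes below.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class StaticNat:
    real_if: str
    real_ip: str
    mapped_if: str
    mapped_ip: str


@dataclass(frozen=True)
class AclEntry:
    action: str                      # "permit" or "deny"
    proto: str                       # "tcp", "udp", "icmp" or "ip" (any)
    dst_net: str                     # destination in REAL address space
    dst_port: Optional[int] = None   # None = any port


@dataclass
class Interface:
    name: str
    ip: str
    acl: List[AclEntry] = field(default_factory=list)   # inbound access-group


# Assumed topology using the thread's addresses; ACL written with the REAL address.
INTERFACES: Dict[str, Interface] = {
    "inside": Interface("inside", "192.168.10.1", acl=[
        AclEntry("permit", "tcp", "192.168.200.10/32", 443),
        AclEntry("deny", "ip", "0.0.0.0/0"),
    ]),
    "dmz": Interface("dmz", "192.168.200.1"),
}
NAT_RULES: List[StaticNat] = [
    StaticNat(real_if="dmz", real_ip="192.168.200.10",
              mapped_if="inside", mapped_ip="192.168.10.10"),
]
ROUTES: List[Tuple[str, str]] = [("192.168.10.0/24", "inside"), ("192.168.200.0/24", "dmz")]


def un_nat(ingress: str, dst_ip: str) -> Tuple[str, Optional[str]]:
    """UN-NAT phase: mapped destination -> (real_ip, egress); egress None if no rule."""
    for rule in NAT_RULES:
        if rule.mapped_if == ingress and rule.mapped_ip == dst_ip:
            return rule.real_ip, rule.real_if
    return dst_ip, None


def route_lookup(dst_ip: str) -> Optional[str]:
    """Longest-prefix match over ROUTES; None when nothing matches."""
    addr, best = ip_address(dst_ip), None
    for prefix, iface in ROUTES:
        net = ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def acl_permits(ingress: str, proto: str, real_dst: str, dst_port: int) -> bool:
    """ACCESS-LIST phase: first matching entry wins; no match is an implicit deny."""
    addr = ip_address(real_dst)
    for e in INTERFACES[ingress].acl:
        if e.proto not in ("ip", proto) or addr not in ip_network(e.dst_net):
            continue
        if e.dst_port is not None and e.dst_port != dst_port:
            continue
        return e.action == "permit"
    return False


def trace(ingress: str, proto: str, src_ip: str, src_port: int,
          dst_ip: str, dst_port: int) -> dict:
    """Walk the phases in ASA order and report the verdict, packet-tracer style."""
    real_dst, egress = un_nat(ingress, dst_ip)
    phases = []
    if egress:
        phases.append(f"UN-NAT: {dst_ip} -> {real_dst}, egress {egress} chosen by NAT rule")
    else:
        egress = route_lookup(real_dst)
        phases.append(f"ROUTE-LOOKUP: {real_dst} via {egress}")
    permitted = acl_permits(ingress, proto, real_dst, dst_port)
    phases.append(f"ACCESS-LIST ({ingress} inbound, real dst {real_dst}:{dst_port}): "
                  + ("permit" if permitted else "deny"))
    flow = "intra-interface" if egress == ingress else "inter-interface"
    return {"real_dst": real_dst, "egress": egress, "flow": flow,
            "permitted": permitted, "phases": phases}


def packet_tracer_command(ingress: str, proto: str, src_ip: str, src_port: int,
                          dst_ip: str, dst_port: int) -> str:
    """The real ASA command for the same check (the protocol keyword is required)."""
    return f"packet-tracer input {ingress} {proto} {src_ip} {src_port} {dst_ip} {dst_port} detailed"


if __name__ == "__main__":
    args = ("inside", "tcp", "192.168.10.5", 50000, "192.168.10.10", 443)
    print(packet_tracer_command(*args))
    result = trace(*args)
    for line in result["phases"]:
        print(line)
    print(result["flow"], "->", "ALLOW" if result["permitted"] else "DROP")
```

Run as-is, the model reports the source in 192.168.10.0/24 reaching the mapped address 192.168.10.10 as inter-interface traffic (inside to dmz) whose inside ACL is evaluated against 192.168.200.10, so an entry written with the mapped address would never match. A destination in the same subnet with no NAT rule falls through to the route lookup and comes out intra-interface, which is the case where same-security-traffic permit intra-interface would matter.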