ASA access policy/ NAT behavior from same subnet

NeGi00000
Level 1

Hello,

Will an ASA's (v9.4) access policy apply when connecting to a NAT'd address from the same subnet?

I.e. Source = 192.168.10.5; Destination = 192.168.10.10 (NAT rule on firewall - physical addr 192.168.200.10).

Thanks!

3 Replies

jagraaga
Cisco Employee

Hi,

Do you mean if the access-list will work for the intra-interface traffic, which means that the ingress and egress interface is same on ASA?

Regards,

Jagrati

Hi - No, I believe this would be inter-interface.

E.g. Traffic is ingress on eth0 (to use the example above, eth0 would have an addr of 192.168.10.1) and egress via eth1 (with an addr of 192.168.200.1).

Surely access rules must come into effect in this scenario as the packet is traversing both interfaces. It is a firewall after all, not a reverse proxy.

I would expect this if it was a routed connection (Source = 10.10.10.10), I'm just uncertain of the behavior when it's in the same subnet as the firewall interface (eth0).

To see how the traffic is going to flow via the ASA, you can use packet-tracer.

#packet-tracer input inside ip <source-ip> <source-port> <destination-ip> <destination-port> detailed

Try to check with the IPs and ports how the traffic is going through the ASA. This will give you a detailed view.

Jagrati
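The packet-tracer check suggested above prints one block per processing phase (route lookup, UN-NAT, ACCESS-LIST, and so on) followed by a final Result block. The Python below is an added example, not part of this thread or of any Cisco tool: it parses a constructed sample of that output, using the addresses from the question, and reports the final action and the phase that dropped the flow. The sample text, the interface name "inside" and the ACL name "inside_in" are assumptions made for the example.

```python
import re

# Constructed sample in the shape `packet-tracer ... detailed` prints on an ASA;
# not captured from a real device. Addresses follow the thread above.
SAMPLE_TRACE = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Additional Information:
found next-hop 192.168.200.10 using egress ifc outside

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Additional Information:
Untranslate 192.168.10.10/443 to 192.168.200.10/443

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group inside_in in interface inside
access-list inside_in extended deny ip any any

Result:
input-interface: inside
output-interface: outside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

# One phase header: number, type, optional subtype line, then its result.
PHASE_RE = re.compile(r"Phase: (\d+)\nType: (\S+)\n(?:Subtype:[^\n]*\n)?Result: (\S+)")

def parse_phases(trace):
    """Return (number, type, result) for each phase in the trace, in order."""
    return [(int(n), t, r) for n, t, r in PHASE_RE.findall(trace)]

def verdict(trace):
    """Final action, the first phase that dropped the packet, and the drop reason."""
    action = re.search(r"^Action: (\S+)", trace, re.M).group(1)
    reason = re.search(r"^Drop-reason: (.*)$", trace, re.M)
    blocker = next((p for p in parse_phases(trace) if p[2] == "DROP"), None)
    return action, blocker, reason.group(1) if reason else None

if __name__ == "__main__":
    print(verdict(SAMPLE_TRACE))
```

Paste the real output of the command into SAMPLE_TRACE to see which phase (UN-NAT versus ACCESS-LIST) decides the fate of the same-subnet flow.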
