539 Views | 2 Helpful | 7 Replies

[ASA] How does a control-plane ACL treat interface NAT

guacamoley, Level 1

In the documentation, I can see that a control-plane ACL will permit/deny traffic towards the ASA itself, which is typically control plane. Will this extend to NAT traffic towards the device?

Edit: What would the security risks be if this was opened up to any any? I presume your device could easily be DDoS'd, SSH tunneled, and compromised in many other ways.

Accepted Solution

tvotna, Spotlight

Technically, a control-plane ACL programs the accelerated security path table to control traffic between the "outside" and "identity" interfaces, as shown below, while a regular ACL programs it between "outside" and "any" (all) interfaces, where "any" doesn't include identity. Hence, those two ACLs are independent of each other.

ASA# sh run access-group
access-group outside_in in interface outside control-plane
access-group outside_in in interface outside

ASA# show access-list outside_in
access-list outside_in; 10 elements; name hash: 0xc5896c24
access-list outside_in line 2 extended permit tcp xxx.xxx.147.0 255.255.255.0 host yyy.yyy.98.134 eq https (hitcnt=52) 0x567d10d1

ASA# show asp table classify domain permit match xxx.xxx.147.0
Input Table
in  id=0x7fc45a1bdba0, priority=120, domain=permit, deny=false
        hits=52, user_data=0x7fc14c8dac80, cs_id=0x0, flags=0x0, protocol=6
        src ip/id=xxx.xxx.147.0, mask=255.255.255.0, port=0, tag=any
        dst ip/id=yyy.yyy.98.134, mask=255.255.255.255, port=443, tag=any, dscp=0x0, nsg_id=none
        input_ifc=outside, output_ifc=identity
in  id=0x7fc14c75a950, priority=13, domain=permit, deny=false
        hits=0, user_data=0x7fc14e36c880, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
        src ip/id=xxx.xxx.147.0, mask=255.255.255.0, port=0, tag=any
        dst ip/id=yyy.yyy.98.134, mask=255.255.255.255, port=443, tag=any, dscp=0x0, nsg_id=none
        input_ifc=outside, output_ifc=any

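The accepted answer's point can be checked mechanically on any ASA: every entry in `show asp table classify domain permit` names its output interface, so the rules installed by the control-plane access-group (output_ifc=identity) can be separated from the through-the-box rules (output_ifc=any) and audited on their own. The following parser is an added example and is not part of the thread or of Cisco's tooling. It reads the text format shown in the answer above, splits the entries by path, and flags to-the-box permits whose source is unrestricted, which is the footprint an `any any` control-plane ACL would leave. The sample dump is constructed for this example (RFC 5737 addresses); the rendering of `any` as `src ip/id=0.0.0.0, mask=0.0.0.0` is an assumption about the ASP table output, not something the thread shows.

```python
"""Audit an ASA 'show asp table classify domain permit' dump.

Added example (not from the original thread). It separates to-the-box
entries programmed by the control-plane access-group (output_ifc=identity)
from through-the-box entries programmed by the regular access-group
(output_ifc=any), and flags to-the-box permits open to any source.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample in the same layout as the thread's output.
# ASSUMPTION: 'any' as a source is rendered as ip/id=0.0.0.0, mask=0.0.0.0.
SAMPLE_ASP_DUMP = """\
Input Table
in  id=0x7fc45a1bdba0, priority=120, domain=permit, deny=false
        hits=52, user_data=0x7fc14c8dac80, cs_id=0x0, flags=0x0, protocol=6
        src ip/id=198.51.100.0, mask=255.255.255.0, port=0, tag=any
        dst ip/id=203.0.113.134, mask=255.255.255.255, port=443, tag=any, dscp=0x0, nsg_id=none
        input_ifc=outside, output_ifc=identity
in  id=0x7fc45a1bdc00, priority=120, domain=permit, deny=false
        hits=9, user_data=0x7fc14c8dad00, cs_id=0x0, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=203.0.113.134, mask=255.255.255.255, port=22, tag=any, dscp=0x0, nsg_id=none
        input_ifc=outside, output_ifc=identity
in  id=0x7fc14c75a950, priority=13, domain=permit, deny=false
        hits=0, user_data=0x7fc14e36c880, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
        src ip/id=198.51.100.0, mask=255.255.255.0, port=0, tag=any
        dst ip/id=203.0.113.134, mask=255.255.255.255, port=443, tag=any, dscp=0x0, nsg_id=none
        input_ifc=outside, output_ifc=any
"""

_KV = re.compile(r"(\S+?)=([^,\s]+)")  # key=value tokens on one dump line


@dataclass
class AspEntry:
    entry_id: str
    priority: int
    deny: bool
    protocol: int
    src_ip: str
    src_mask: str
    dst_ip: str
    dst_mask: str
    dst_port: int
    input_ifc: str
    output_ifc: str
    uses_real_addr: bool  # 'use_real_addr' flag; in the thread it appears only on the through-the-box entry

    @property
    def to_the_box(self) -> bool:
        """Entries programmed by the control-plane ACL terminate on 'identity'."""
        return self.output_ifc == "identity"

    @property
    def any_source(self) -> bool:
        return self.src_mask == "0.0.0.0"


def _pairs(line: str) -> dict[str, str]:
    return dict(_KV.findall(line))


def parse_asp_classify(dump: str) -> list[AspEntry]:
    """Parse the 'in  id=...' blocks of a classify-table dump."""
    entries: list[AspEntry] = []
    for block in re.split(r"(?m)^(?=in\s+id=)", dump):
        if not re.match(r"in\s+id=", block):
            continue  # 'Input Table' header or trailing text
        lines = [ln.strip() for ln in block.strip().splitlines()]
        header = _pairs(lines[0])
        hits: dict[str, str] = {}
        src: dict[str, str] = {}
        dst: dict[str, str] = {}
        ifc: dict[str, str] = {}
        real_addr = False
        for ln in lines[1:]:
            if ln.startswith("hits="):
                hits = _pairs(ln)
                real_addr = "use_real_addr" in ln
            elif ln.startswith("src ip/id="):
                src = _pairs(ln)
            elif ln.startswith("dst ip/id="):
                dst = _pairs(ln)
            elif ln.startswith("input_ifc="):
                ifc = _pairs(ln)
        entries.append(AspEntry(
            entry_id=header["id"], priority=int(header["priority"]),
            deny=header["deny"] == "true", protocol=int(hits.get("protocol", "0")),
            src_ip=src["ip/id"], src_mask=src["mask"],
            dst_ip=dst["ip/id"], dst_mask=dst["mask"], dst_port=int(dst["port"]),
            input_ifc=ifc["input_ifc"], output_ifc=ifc["output_ifc"],
            uses_real_addr=real_addr,
        ))
    return entries


def split_by_path(entries: list[AspEntry]) -> tuple[list[AspEntry], list[AspEntry]]:
    """Return (to-the-box entries, through-the-box entries)."""
    return ([e for e in entries if e.to_the_box], [e for e in entries if not e.to_the_box])


def find_open_control_plane_permits(entries: list[AspEntry]) -> list[AspEntry]:
    """To-the-box permits reachable from any source: what 'permit ip any any' on the control plane yields."""
    return [e for e in entries if e.to_the_box and not e.deny and e.any_source]


if __name__ == "__main__":
    parsed = parse_asp_classify(SAMPLE_ASP_DUMP)
    to_box, through = split_by_path(parsed)
    print(f"to-the-box (control-plane ACL): {len(to_box)}, through-the-box: {len(through)}")
    for e in find_open_control_plane_permits(parsed):
        print(f"OPEN to-the-box permit: {e.entry_id} proto={e.protocol} dst {e.dst_ip}:{e.dst_port} from any")
```

On a live box, paste the output of `show asp table classify domain permit` into `parse_asp_classify` in place of the constructed sample; the same split (identity versus any) is what makes the two access-groups in the answer independent of each other.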

7 Replies

NAT in a router or in an ASA needs traffic to pass a boundary.

This boundary is between two interfaces.

In the case of a control-plane ACL the traffic is directed to the ASA interface itself, so it does not pass any ASA boundary.

MHM


That's really helpful actually - so there is a logical interface called "identity" in the ASA. Will that always match the IP that is specified in the initial command? (In your case it was "in interface outside control-plane", so I imagine the .98.134 address was the outside interface's?)

Why do we need to know the NAT IP if we want to configure an ACL?

To know which one we use, the real IP or the mapped IP.

In a control-plane ACL the traffic does not hit NAT.

So we always use the real IP.

@tvotna identity is not related to NAT traffic; it is used only for the service policy.

Why are you misleading him?

MHM

You're wrong or don't understand what I'm talking about.


Yes, please share how we can use the identity logical interface for NAT.
I will be so surprised to see this new config.
Waiting for your reply.
Thanks.

MHM 

Correct.
