02-15-2024 04:37 PM - edited 02-27-2024 07:50 AM
In the documentation, I can see a control-plane ACL will permit/deny traffic towards the ASA itself, which is typically control plane. Will this extend to NAT traffic towards the device?
Edit: What would the security risks be if this was opened up to any any? I presume your device could easily be DDoS'd, SSH tunneled, and compromised in many other ways.
02-16-2024 05:15 AM
Technically, a control-plane ACL programs the accelerated security path table to control traffic between the "outside" and "identity" interfaces as shown below, while a regular ACL programs it between "outside" and "any" (all) interfaces, where "any" doesn't include identity. Hence, those two ACLs are independent of each other.
ASA# sh run access-group
access-group outside_in in interface outside control-plane
access-group outside_in in interface outside
ASA# show access-list outside_in
access-list outside_in; 10 elements; name hash: 0xc5896c24
access-list outside_in line 2 extended permit tcp xxx.xxx.147.0 255.255.255.0 host yyy.yyy.98.134 eq https (hitcnt=52) 0x567d10d1
ASA# show asp table classify domain permit match xxx.xxx.147.0
Input Table
in id=0x7fc45a1bdba0, priority=120, domain=permit, deny=false
hits=52, user_data=0x7fc14c8dac80, cs_id=0x0, flags=0x0, protocol=6
src ip/id=xxx.xxx.147.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=yyy.yyy.98.134, mask=255.255.255.255, port=443, tag=any, dscp=0x0, nsg_id=none
input_ifc=outside, output_ifc=identity
in id=0x7fc14c75a950, priority=13, domain=permit, deny=false
hits=0, user_data=0x7fc14e36c880, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip/id=xxx.xxx.147.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=yyy.yyy.98.134, mask=255.255.255.255, port=443, tag=any, dscp=0x0, nsg_id=none
input_ifc=outside, output_ifc=any
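To make the identity-vs-any distinction above easy to audit, here is an added Python helper (not code from the thread, from Cisco, or from the ASA) that parses `show asp table classify` output, separates control-plane entries (output_ifc=identity) from through-traffic entries, and flags control-plane permits whose source is any, which is the "any any" case the original question asks about. The sample output, ids and addresses are constructed.

```python
import re
# Constructed sample in the layout of "show asp table classify domain permit";
# the ids and RFC 5737 addresses are placeholders, not output from a real ASA.
SAMPLE = """\
in  id=0x7fc45a1bdba0, priority=120, domain=permit, deny=false
        hits=52, user_data=0x7fc14c8dac80, cs_id=0x0, flags=0x0, protocol=6
        src ip/id=192.0.2.0, mask=255.255.255.0, port=0, tag=any
        dst ip/id=198.51.100.134, mask=255.255.255.255, port=443, tag=any, dscp=0x0, nsg_id=none
        input_ifc=outside, output_ifc=identity
in  id=0x7fc14c75a950, priority=13, domain=permit, deny=false
        hits=0, user_data=0x7fc14e36c880, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
        src ip/id=192.0.2.0, mask=255.255.255.0, port=0, tag=any
        dst ip/id=198.51.100.134, mask=255.255.255.255, port=443, tag=any, dscp=0x0, nsg_id=none
        input_ifc=outside, output_ifc=any
in  id=0x7fc14c75aa00, priority=120, domain=permit, deny=false
        hits=7, user_data=0x7fc14e36c900, cs_id=0x0, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=198.51.100.134, mask=255.255.255.255, port=22, tag=any, dscp=0x0, nsg_id=none
        input_ifc=outside, output_ifc=identity
"""

KV = re.compile(r"([\w/]+)=([^,\s]+)")  # comma-separated key=value pairs

def parse_asp_classify(text):
    """Return one dict per 'in id=' entry; src/dst fields get a src_/dst_ prefix."""
    entries, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("in "):
            cur = {}
            entries.append(cur)
        if cur is None:  # header lines such as "Input Table"
            continue
        prefix = ""
        if line.startswith(("src ", "dst ")):
            prefix, line = line[:3] + "_", line[4:]
        for key, val in KV.findall(line):
            cur[prefix + key.replace("/", "_")] = val
    return entries

def control_plane_rules(entries):
    """output_ifc=identity marks control-plane ACL entries: traffic to the ASA
    itself, which never crosses an interface boundary and so never hits NAT."""
    return [e for e in entries if e.get("output_ifc") == "identity"]

def overly_broad(entries):
    """Control-plane permits whose source is 'any' (mask 0.0.0.0): these expose
    the ASA's own services to every host reachable on that interface."""
    return [e["id"] for e in control_plane_rules(entries)
            if e.get("deny") == "false" and e.get("src_mask") == "0.0.0.0"]
```

Run it against the real output of `show asp table classify domain permit` to list which permit entries actually reach the identity interface and which of them have an any source.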
02-15-2024 09:18 PM
NAT in a router or in an ASA needs the traffic to pass a boundary.
This boundary is between two interfaces.
In the case of a control-plane ACL, the traffic is directed to the ASA interface itself, so it does not pass any ASA boundary.
MHM
02-16-2024 05:37 AM
That's really helpful actually - so there is a logical interface called "identity" in the ASA. Will that always match the IP that is specified in the initial command? (In your case it was "in interface outside control-plane".) So I imagine the .98.134 address was the outside interface's?
02-16-2024 05:55 AM
Why do we need to know the NAT IP if we want to configure an ACL?
To know which one we use: the real IP or the mapped IP.
In a control-plane ACL the traffic does not hit NAT,
so we always use the real IP.
@tvotna identity is not related to NAT traffic; it is used only for service policy.
Why are you misleading him?
MHM
02-16-2024 06:39 AM
You're wrong or don't understand what I'm talking about.
02-16-2024 06:45 AM
Yes, please share how we can use the identity logical interface for NAT.
I will be so surprised to see this new config.
Waiting for your reply.
Thanks
MHM
02-16-2024 06:38 AM
Correct.