We've 3 zones called Inside, DMZ and Outside. We're doing PAT for Inside users to reach out to Internet using External Interface public IP .
We've applied ACL's on all interfaces (In->Out, Out-In, Out-DMZ, DMZ-In).
My query is, I see only PAT rules in place to happen and NO ACL on Inside Interface to allow the traffic on firewall . Since there is implicit deny at the very end of ACL, by default it'll drop and not sure how it works. Even in Cisco docs, I don't see any ACL's being configured or mentioned related to PAT. Please assist
object network inside-subnet
subnet 192.168.0.0 255.255.255.0
nat (inside,outside) dynamic interface
Your inside interface should have a higher security level than the outside interface. This allows a device residing in a higher security level to acess a device on a lower security level interface.
If you want to control this behaviour you would use an ACL and access-group.
Thanks for the reply. As I mentioned earlier, We already have ACL's applied in all interfaces and we have PAT as well for reaching out to Internet.
But we don't see any ACL's relating to PAT applied @ Inside interface to allow the traffic . Not sure, please assist.
If you have no ACL applied on the inside interface (as you said in the first post), then the ASA will use the security-level configured to determine what can be accessed, either between 'inside' private IP interfaces or via the 'outside' public IP interface that would require PAT.
Please provide a sanitised config if you need further explanation.
Hi, Below config for reference. We've applied ACL's applied @ Inside Interface but no config related to PAT. Will PAT work without ACL's . Please assist
object-group network Internal_IP
description Corporate network
network-object object Corporate-Servers-172.22.1.0
network-object object DesktopAccess-172.22.116.0
network-object object Desktop-wireless-172.22.112.0
network-object object Desktop-access-B3-172.22.82.0
nat (Inside,Internet) source dynamic Internal_IP interface