06-10-2017 10:31 AM - edited 03-12-2019 02:29 AM
I know that from version 8.3 onward, the IP addresses used in ACLs are different: we need to allow the real IP address in ACLs. I recently attended an interview and was asked to explain why the real IP address needs to be allowed instead of the translated IP in an ACL (version 8.3 and later). I said there were significant internal architectural changes in NAT and ACLs, so the feature demands that the real IP address be allowed, but the interviewer was not convinced. Is there any specific reason to allow the real IP instead of the translated one? Can someone tell me? An early answer will be highly appreciated.
06-10-2017 11:27 AM
Because that's the syntax required by the command parser. If you don't do it that way it won't work.
08-06-2017 07:32 AM
I believe it is due to the order of operations in the ASA, i.e. how ACLs and NAT statements are checked for incoming traffic.
Pre 8.3
1. ACL
2. NAT
Post 8.3
1. NAT
2. ACL
As you can see, pre-8.3 the ACLs were checked prior to the NAT statements, hence they required the NATed IP address, whereas post-8.3 the NAT statements are processed first, then the ACLs. Hence it requires the real IP address in the ACLs.
12-27-2017 03:01 AM
Does the Cisco Firepower Threat Defense follow the same order of operations, I mean NAT un-translation happens before the ACL check?
I am currently working on migrating ASA 8.2 to FTD. All my existing ACL policies include translated IP addresses (public IPs). Should I replace them with real IPs (private IPs) while migrating the ACLs to FTD?
12-27-2017 06:35 AM
The syntax on version 9.0 and later is totally different from the older version; you have to use a migration tool to change all your ACL and NAT rules. The NAT in the new version requires the real IP; you have to specify the NAT when you create the host object.