05-08-2013 03:02 AM - edited 03-11-2019 06:40 PM
10.18.20.X <<<<<<<<ASA<<<<<<<<< 1.1.1.X
(Web server here) (internet)
I have already tested opening a port for the public IP (1.1.1.1) and also for the internal IP (10.18.20.162).
Both of them can successfully pass through the access list and be translated by the static NAT.
The access list is set under:
-outside (2 incoming rules)
any 10.18.20.162 http permit
any any ip deny
-outside (2 incoming rules)
any 1.1.1.1 http permit
any any ip deny
If the access-list check happens before NAT, then opening the port for 1.1.1.1 makes sense.
But how come opening the port for 10.18.20.162 is also working fine?
I am quite confused now.
The packet destination should be 1.1.1.1 port 80, so why can it pass through the firewall when I set the rule as below?
-outside (2 incoming rules)
any 10.18.20.162 http deny
any any ip deny
05-08-2013 03:53 AM
Hi again,
With ASA software 8.2 and below, the ACL is checked first, then NAT.
With ASA software 8.3 and higher, NAT is checked first, then the ACL.
Because of this, in the new software you will have to open the traffic to the Real IP and the Real Port,
because the NAT has already been done when it is the ACL's turn to be checked.
So when opening traffic from the "outside" you configure an ACL:
access-list OUTSIDE-IN permit tcp any object
OR
access-list OUTSIDE-IN permit tcp any host
The rules you mention have "deny" in them? It would seem to me that you are denying the port that you are supposed to allow. Or is that a typo?
- Jouni
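To make the version difference above concrete, here is an added example configuration for the web server in the question; it is not from the thread, and the interface names (inside, outside), the object name WEB-SERVER, the mapped port 8080 and the packet-tracer source address are assumptions.

```cisco
! Added example, not from the thread. Assumed interface names: inside, outside.
! Real (internal) web server 10.18.20.162, published as 1.1.1.1 on the outside.
!
! --- ASA 8.2 and below: the ACL is evaluated BEFORE NAT ---
! The inbound packet still carries the mapped (public) address when the ACL
! is checked, so the ACL must permit the MAPPED IP and MAPPED port.
static (inside,outside) 1.1.1.1 10.18.20.162 netmask 255.255.255.255
access-list OUTSIDE-IN extended permit tcp any host 1.1.1.1 eq www
access-group OUTSIDE-IN in interface outside
!
! --- ASA 8.3 and higher: NAT is evaluated BEFORE the ACL ---
! The destination has already been untranslated to the real address when the
! ACL is checked, so the ACL must permit the REAL IP and REAL port.
! Here the service is published on 1.1.1.1:8080 (mapped) and reaches the
! server on 10.18.20.162:80 (real); note the ACL names port 80, not 8080.
object network WEB-SERVER
 host 10.18.20.162
 nat (inside,outside) static 1.1.1.1 service tcp www 8080
!
access-list OUTSIDE-IN extended permit tcp any object WEB-SERVER eq www
access-group OUTSIDE-IN in interface outside
!
! Verify the order the running software actually uses instead of assuming it:
! packet-tracer walks the NAT and ACL phases and reports which line matched.
! The destination given here is the address on the wire (the mapped one).
! packet-tracer input outside tcp 198.51.100.10 40000 1.1.1.1 8080
!
! Anything not matched by a permit entry hits the implicit deny at the end of
! the ACL; an explicit "deny ip any any" entry behaves the same way.
```

On an 8.3+ box an entry permitting 1.1.1.1 never matches inbound traffic, because by the time the ACL is consulted the destination is already 10.18.20.162.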
05-08-2013 05:40 AM
Yes, it is a typing mistake.
Oh, so there is this difference between the old and new versions. Thanks for the information.
If NAT happens before the ACL, then opening the port for the internal IP makes sense.