05-16-2008 03:28 AM - edited 03-10-2019 04:06 AM
Hi,
I have a question regarding operation steps for IPS on the ASA: while configuring the access list for interesting traffic, do I need to use real or NATed addresses? Precisely, NAT and then access list, or access list and then NAT?
05-18-2008 12:31 PM
Keep the extended ACL close to the source and use the REAL IP address. NAT occurs within the ASA, so you are dealing with externals.
If you have 6 or 14 external, public IP addresses from your ISP, you can NAT ... otherwise you are stuck with PAT.
For inbound to outside: use the actual, REAL, public IP addresses you have been assigned by your ISP to permit certain traffic inbound. This could be access-list 100 or a named extended access list, such as "inbound-outside".
For inbound to inside interface: use the internal private IP address scheme [192.168.x.x, 172.16.x.x-172.31.255.x, 10.0.0.0] with the appropriate subnet mask to permit traffic from inside to outside for your users. Most folks open the "permit ip any any" here, but I prefer limiting to the specific internal, private addresses only. This might be access-list 102 or a named access-list such as "inbound_inside".
Traffic, which is not "permitted", will be implicitly denied.
05-16-2008 03:32 PM
Hi,
When you apply service-policy for IPS inspection, either on a specific interface/globally, "ingress" traffic on the interface is sent to the module.
For example, if you apply the policy on the inside interface of ASA, traffic coming into ASA on the inside interface, destined for outside/dmz/etc, will be sent to IPS module, before applying nat rules.
If you apply the policy on the outside interface of ASA, traffic coming into ASA on the outside interface, destined for inside/dmz/etc, will be sent to IPS module, before applying un-nat/nat rules.
If you apply the policy globally, all traffic coming into ASA on its interfaces will be sent to IPS module, before applying nat rules.
Hope this clears things for you.
Regards,
Vibhor.
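The two answers in this thread put together as an added configuration example (this is not configuration posted by either answerer, and it is not taken from the original thread). It follows the pre-8.3 ASA conventions the thread describes: the ACL on the inside interface and the IPS class-map ACL use the real private addresses, while the ACL on the outside interface uses the ISP-assigned public addresses, and the IPS service-policy is applied on the inside interface so that ingress traffic is handed to the module before NAT. Every address is a placeholder: 192.168.1.0/24 stands in for the internal LAN and 203.0.113.0/24 for the public block from the ISP; the ACL, class-map and policy-map names are also made up for this example. One caveat for readers on newer software: starting with ASA 8.3, access lists and class-map ACLs reference the real (untranslated) address on every interface, so the outside-facing entries below would then name the internal host's real address instead of the public one.

```cisco
! Added example, not from the thread. Addresses and object names are placeholders.
!
! --- Inbound on the inside interface: match the REAL private addresses ---
! (equivalent of the answer's "inbound_inside"; limits the source to the LAN
! instead of "permit ip any any")
access-list inbound_inside extended permit ip 192.168.1.0 255.255.255.0 any
access-group inbound_inside in interface inside
!
! --- Inbound on the outside interface: match the public addresses you own ---
! (equivalent of the answer's "inbound-outside"; on pre-8.3 releases this ACL
! is checked against the public/NATed destination address)
access-list inbound-outside extended permit tcp any host 203.0.113.10 eq www
access-group inbound-outside in interface outside
!
! --- NAT: one public address published for the internal web server,
!     interface PAT for everyone else (the "stuck with PAT" case) ---
static (inside,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface
!
! --- IPS interesting traffic: ingress traffic on the inside interface ---
! The class-map ACL is evaluated on ingress, so it names the real private
! addresses; per the thread, the packet goes to the IPS module before NAT.
access-list IPS_TRAFFIC extended permit ip 192.168.1.0 255.255.255.0 any
class-map IPS_CLASS
 match access-list IPS_TRAFFIC
policy-map IPS_POLICY
 class IPS_CLASS
  ips inline fail-open
service-policy IPS_POLICY interface inside
```

Because the policy is bound to the inside interface, only traffic entering there is inspected; traffic arriving on the outside interface would need its own service-policy on that interface (with an ACL written against the addresses that interface sees), or a single global policy as the second answer mentions. `fail-open` keeps traffic flowing if the module is unavailable; choose `fail-close` where losing inspection must also stop the traffic.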
05-19-2008 04:10 AM
Great answer. Thanks