09-24-2011 11:17 AM - edited 03-11-2019 02:29 PM
Hello All,
Does anyone have any idea on what training I can use to train myself on the new ACLs and NAT setup for 8.3 code and up? I am pretty comfortable with 8.2, but now that everything is leaving that code I need to get with it. I am open to any books or docs everyone may have in mind. Thanks.
09-24-2011 11:23 AM
Hi,
there are excellent docs here that explain that very well, just do a search in the docs in this section and you'll find what you want.
Regards.
Alain.
09-24-2011 12:16 PM
Hello Iketurner,
Just to let you know, the big change from 8.2 and prior to 8.3 regarding the ACLs is that you now have to point to the private IPs instead of the public ones (NATted ones).
Here you have the document you are looking for:
https://supportforums.cisco.com/docs/DOC-12690
Hope this helps, any other question let me know, otherwise please mark the question as answered.
Regards,
Julio
09-24-2011 04:01 PM
Julio
Thanks for that link. I knew about the NAT changes, but I missed the bit about ACLs until I saw this doc.
Have to say the ACL update seems completely illogical to me, as traffic arriving on the outside interface will not have the private IP as the destination IP address.
Does this mean that NAT is now being done before the ACL on the outside interface is checked?
Jon
09-24-2011 06:48 PM
Hi Jon,
Yes, you are correct. Now the NAT is performed first, before the access-list check on the firewall. If you run a packet-tracer, it would show UN-NAT first and then the ACL is hit. Now picture this situation: you have a quite large configuration and for some reason you have to change your ISP now. Due to the usage of private IPs in the ACL, you are saved from making any changes in it and just need to add the public IPs in the object group created for NAT.
Hope this makes sense to you.
Thanks,
Varun
09-24-2011 06:48 PM
Yes, Jon. You are absolutely right.
Try packet-tracer on the new 8.3+ code and you will see this.
Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network obj-192.168.2.2-05
nat (inside,outside) static interface service tcp ftp ftp
Additional Information:
NAT divert to egress interface inside
Untranslate 172.18.254.34/21 to 192.168.2.2/21
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group acl-outside in interface outside
access-list acl-outside extended permit tcp any any eq ftp
Additional Information:
-Kureli
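The following side-by-side configuration is an added illustration of the change Varun describes and that Kureli's packet-tracer output shows; it is not from the thread or from Cisco's documentation. It assumes an object name (obj-server), a real address of 192.168.2.2 as in the output above, the ACL name acl-outside, and a constructed public address from the 203.0.113.0/24 documentation range.

```text
! ---- 8.2 and earlier: the ACL on the outside interface matches the
! ---- PUBLIC (mapped) address, because the ACL was checked before NAT.
static (inside,outside) 203.0.113.10 192.168.2.2 netmask 255.255.255.255
access-list acl-outside extended permit tcp any host 203.0.113.10 eq ftp
access-group acl-outside in interface outside

! ---- 8.3 and later: UN-NAT runs first, so the ACL matches the
! ---- PRIVATE (real) address. The public address lives only in the NAT
! ---- statement attached to the network object.
object network obj-server
 host 192.168.2.2
 nat (inside,outside) static 203.0.113.10
access-list acl-outside extended permit tcp any object obj-server eq ftp
access-group acl-outside in interface outside

! Changing ISP on 8.3+: only the mapped address in the nat line is edited;
! the access-list line stays untouched because it references the real host.
object network obj-server
 nat (inside,outside) static 203.0.113.10
!  -> becomes e.g.  nat (inside,outside) static <new public address>

! Verify the phase order described in this thread (constructed source
! address from the 198.51.100.0/24 documentation range):
! packet-tracer input outside tcp 198.51.100.5 1025 203.0.113.10 21
! Expected: Phase UN-NAT (Untranslate 203.0.113.10 to 192.168.2.2)
!           appears before Phase ACCESS-LIST on acl-outside.
```

On 8.3+ an ACL entry that still names the public address (as in the 8.2 block) never matches, because by the time the ACL is evaluated the destination has already been untranslated to 192.168.2.2; packet-tracer is the quickest way to confirm which address the ACL phase actually sees.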
09-26-2011 11:18 AM
Varun / Kureli
Thanks for confirming this. Good point about not needing to change IPs if you change ISP.
Jon
09-26-2011 11:41 AM
Hi Jon,
Glad I could help
Thanks,
Varun