Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
683
Views
0
Helpful
2
Replies

NAT Query

rocky2024
Level 1
Level 1

‎08-05-2018 06:15 AM - edited ‎02-21-2020 08:03 AM

Dear All,

 

Please guide me on below query

 

                          Server 10.1.1.1

                                    |

                                    | dmz

R3-----outside----ASA-inside--------PC-B

Internet                        |

                                   |

                                   |

                               server

 

in above scenario, i am configuring object-nat to nat traffic from server 10.1.1.1 with outside interface to go to internet but why we need to permit real server IP 10.1.1.1 in ACL on outside interface ?

 

object network REAL-SERVER

  host 10.1.1.1

    nat (DMZ,OUTSIDE) static 97.1.1.1 service tcp https https

 

access-list OUTSIDE-IN permit tcp any object REAL-SERVER eq 443

access-group OUTSIDE-IN in interface OUTSIDE

 

why we need to permit above statement where we are defining real ip address for server ? 

 

regards,

0 Helpful
2 Replies 2

Dennis Mink
VIP Alumni
VIP Alumni

‎08-05-2018 05:35 PM

because your NAT will be processed before an ACL will be processed

Please remember to rate useful posts, by clicking on the stars below.

0 Helpful

rocky2024
Level 1
Level 1
In response to Dennis Mink

‎08-05-2018 11:29 PM

Dear Dennis,
I didnt understood fully. can you please elaborate more please.?

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card