08-05-2018 06:15 AM - edited 02-21-2020 08:03 AM
Dear All,
Please guide me on the query below.
            Server 10.1.1.1
                   |
                   | dmz
R3-----outside----ASA-inside--------PC-B
Internet           |
                   |
                   |
                 server
In the above scenario, I am configuring object NAT to NAT traffic from server 10.1.1.1 with the outside interface to go to the Internet, but why do we need to permit the real server IP 10.1.1.1 in the ACL on the outside interface?
object network REAL-SERVER
 host 10.1.1.1
 nat (DMZ,OUTSIDE) static 97.1.1.1 service tcp https https
access-list OUTSIDE-IN permit tcp any object REAL-SERVER eq 443
access-group OUTSIDE-IN in interface OUTSIDE
Why do we need to permit the above statement, where we are defining the real IP address for the server?
Regards,
08-05-2018 05:35 PM
Because your NAT will be processed before an ACL will be processed.
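The order described in the reply, as an added example that is not part of the original thread and is not ASA code: a simplified Python model in which the destination is un-translated first and the interface ACL is checked second, using the NAT and ACL entries from the question. The client address 198.51.100.10 and the `ACL_MAPPED` variant are constructed for illustration.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"

# From the post: nat (DMZ,OUTSIDE) static 97.1.1.1 service tcp https https
STATIC_NAT = {("97.1.1.1", 443): ("10.1.1.1", 443)}  # mapped -> real

def untranslate(pkt):
    """Step 1: rewrite the mapped destination to the real one (un-NAT)."""
    real = STATIC_NAT.get((pkt.dst, pkt.dport))
    return replace(pkt, dst=real[0], dport=real[1]) if real else pkt

def acl_permits(acl, pkt):
    """Step 2: first-match ACL lookup with an implicit deny at the end.
    The source is 'any' in the post, so only protocol, destination and port are compared."""
    for action, proto, dst, dport in acl:
        if (proto == pkt.proto and dport == pkt.dport
                and ip_address(dst) == ip_address(pkt.dst)):
            return action == "permit"
    return False

def outside_in(acl, pkt):
    """Inbound path on OUTSIDE in the order the reply gives: NAT first, ACL second."""
    return acl_permits(acl, untranslate(pkt))

# access-list OUTSIDE-IN permit tcp any object REAL-SERVER eq 443
ACL_REAL = [("permit", "tcp", "10.1.1.1", 443)]
# Constructed variant: the same entry written against the mapped address
ACL_MAPPED = [("permit", "tcp", "97.1.1.1", 443)]

# Constructed sample: an Internet client connecting to the published address
client_syn = Packet(src="198.51.100.10", dst="97.1.1.1", dport=443)

if __name__ == "__main__":
    print("ACL on real IP  :", outside_in(ACL_REAL, client_syn))
    print("ACL on mapped IP:", outside_in(ACL_MAPPED, client_syn))
```

On a real ASA, `packet-tracer input OUTSIDE tcp 198.51.100.10 12345 97.1.1.1 443` shows the same ordering, with the UN-NAT phase listed before the ACCESS-LIST phase.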
08-05-2018 11:29 PM