cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
8297
Views
0
Helpful
11
Replies

Packet flow in 8.4 ios

saurabhgoel169
Level 1
Level 1

I think packet flow is changed in 8.3 IOS and above.

We are using private NAT for ouside traffic.

can any body explain me why we are using private IP for outside traffic

3 Accepted Solutions

Accepted Solutions

You have 2 same questions, please mark as answered one of the 2 so we can focus just on one....


Sure,

https://supportforums.cisco.com/docs/DOC-12690

http://www.fir3net.com/Cisco-ASA/how-to-configure-nat-of-asa-83.html

https://supportforums.cisco.com/docs/DOC-9129

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

View solution in original post

Correct,

That is why you point to the private IP on the ACL because nat already has taken place.

Remember to rate all of the helpful posts

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

View solution in original post

Hello,

Maybe this documment will help

https://learningnetwork.cisco.com/thread/46543

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

View solution in original post

11 Replies 11

Julio Carvajal
VIP Alumni
VIP Alumni

Hello Saurabh,

Before the NAT rule was checked after the ACL verification.

Now it backwards. The asa receive the traffic on the outside, performs the Un-Nat and then checks the ACL.

That is why you need to use the private range on the outside ACL.

Do you understand?

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Julio Carvajal
VIP Alumni
VIP Alumni

Duplicated! Please mark it as answered so we can focus on the other one

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

do you hany document or cisco link where i can check this.

You have 2 same questions, please mark as answered one of the 2 so we can focus just on one....


Sure,

https://supportforums.cisco.com/docs/DOC-12690

http://www.fir3net.com/Cisco-ASA/how-to-configure-nat-of-asa-83.html

https://supportforums.cisco.com/docs/DOC-9129

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

sorry for the two posts, that document is related to NAT configuration...

I am saying about the packet flow explanation........

Sorry jcarvaja , I am disturbing u alot....

Hello Saurabh,

Not a problem, just close or mark as answered one of them..

Packet flow is going to be all of the same than this

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080ba9d00.shtml

The only thing that changed is that now you perform NAT and then ACL checks, that is why I posted those NAT and ACL documents.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

As per you in 8.4 packet flow as below:

packet: ingress interface---> exiting connection(yes or no)--------No---> NAT-----> ACL----> and further....

If this is the flow then I got your point....

Thanks for your posting and explanation.

Correct,

That is why you point to the private IP on the ACL because nat already has taken place.

Remember to rate all of the helpful posts

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Thanks for your post.

do cisco has explained the 8.3 or above packet flow any where...

Hello,

Maybe this documment will help

https://learningnetwork.cisco.com/thread/46543

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Julio and other friends,

I was going through the Doc and the Fir3net link has changed.

Please find the new link below.

 

https://www.fir3net.com/Firewalls/Cisco/cisco-asa-83-nat.html

 

 

Review Cisco Networking for a $25 gift card