Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
817
Views
0
Helpful
4
Replies

Packet from outside proccessing - operation order?

Go to solution
mile.ljepojevic
Level 1
Level 1

‎12-17-2010 08:14 PM - edited ‎03-11-2019 12:24 PM

Hi,

I just deployed my first ASA with 8.3 and I thought that besides NAT, there will be no issues...

Then, after I did packet-traces I was pretty surprised to see that UN-NAT (static NAT) has run before ACL, which forced me to use private IPs in my access-list. Here is output of packet-tracer:


packet-tracer input outside tcp 212.200.120.10 1432 132.234.23.135 443 det
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network obj-10.1.1.71
nat (inside,outside) static 132.234.23.135
Additional Information:
NAT divert to egress interface inside
Untranslate 132.234.23.135/443 to 10.1.1.71/443
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group FROM_OUTSIDE in interface outside
access-list FROM_OUTSIDE extended permit tcp any host 10.1.1.71 eq https log
Additional Information:
Phase: 5
Type: CONN-SETTINGS
Subtype:
Result: ALLOW

Did I did something wrong or missed something? I cannot belive that I have to use private IP on access list for outside access. That means I would have to change access-list everytime I change NAT, which is a bit ridicules.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee
In response to mile.ljepojevic

‎12-17-2010 09:16 PM

It actually provides more flexibility, and you can reference the NAT object in the ACL now.

So if you make changes to the NAT object, you don't actually have to make changes to the ACL as it can reference the NAT object.

Here is the command reference for 8.3 ACL for your reference:

http://www.cisco.com/en/US/docs/security/asa/asa83/command/reference/a1.html#wp1598407

Prior to 8.3, you can only reference "object-group", not "object" NAT.

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee

‎12-17-2010 08:58 PM

Yes, that is one of the other major changes from version 8.3. In the ACL, you would need to match against the un-NATed ip address, and in your case, the private ip address.

0 Helpful

Go to solution
mile.ljepojevic
Level 1
Level 1
In response to Jennifer Halim

‎12-17-2010 09:03 PM

I figured that out... I still cannot understand why its changed!

Let's say I have mail server... If I want to change mail server, in 8.2 it was enough to change NAT and I'm good to go... So now, I have to change NAT, and access-list. So more to do, harder to track changes... Any benefits?

And one more thing... Phase 2 was access-list, but it is empty... Is  that even configurable? Can I configure some type of access-list that will be matched in Phase 2?

0 Helpful

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee
In response to mile.ljepojevic

‎12-17-2010 09:16 PM

It actually provides more flexibility, and you can reference the NAT object in the ACL now.

So if you make changes to the NAT object, you don't actually have to make changes to the ACL as it can reference the NAT object.

Here is the command reference for 8.3 ACL for your reference:

http://www.cisco.com/en/US/docs/security/asa/asa83/command/reference/a1.html#wp1598407

Prior to 8.3, you can only reference "object-group", not "object" NAT.

0 Helpful

Go to solution
mile.ljepojevic
Level 1
Level 1
In response to Jennifer Halim

‎12-17-2010 09:22 PM

That's true... I will have to change my view on that NAT thing...

Thank you very much. I gave you 5 stars

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card