
Packet from outside proccessing - operation order?

mile.ljepojevic
Level 1

Hi,

I just deployed my first ASA with 8.3 and I thought that, besides NAT, there would be no issues...

Then, after I did packet-traces, I was pretty surprised to see that UN-NAT (static NAT) had run before the ACL, which forced me to use private IPs in my access-list. Here is the output of packet-tracer:


packet-tracer input outside tcp 212.200.120.10 1432 132.234.23.135 443 det
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network obj-10.1.1.71
nat (inside,outside) static 132.234.23.135
Additional Information:
NAT divert to egress interface inside
Untranslate 132.234.23.135/443 to 10.1.1.71/443
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group FROM_OUTSIDE in interface outside
access-list FROM_OUTSIDE extended permit tcp any host 10.1.1.71 eq https log
Additional Information:
Phase: 5
Type: CONN-SETTINGS
Subtype:
Result: ALLOW

Did I do something wrong or miss something? I cannot believe that I have to use private IPs in the access-list for outside access. That means I would have to change the access-list every time I change NAT, which is a bit ridiculous.


4 Replies

Jennifer Halim
Cisco Employee

Yes, that is one of the other major changes from version 8.3. In the ACL, you would need to match against the un-NATed IP address, and in your case, the private IP address.

I figured that out... I still cannot understand why it's changed!

Let's say I have a mail server... If I want to change the mail server, in 8.2 it was enough to change NAT and I'm good to go... So now I have to change NAT and the access-list. So more to do, harder to track changes... Any benefits?

And one more thing... Phase 2 was access-list, but it is empty... Is that even configurable? Can I configure some type of access-list that will be matched in Phase 2?

Accepted Solution

It actually provides more flexibility, and you can reference the NAT object in the ACL now.

So if you make changes to the NAT object, you don't actually have to make changes to the ACL as it can reference the NAT object.

Here is the command reference for 8.3 ACL for your reference:

http://www.cisco.com/en/US/docs/security/asa/asa83/command/reference/a1.html#wp1598407

Prior to 8.3, you can only reference "object-group", not "object" NAT.
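The two points of this thread, that on 8.3 the interface ACL is evaluated after UN-NAT and therefore must match the real (private) address, and that the ACE can reference the network object instead of the literal address, lend themselves to a small check. The script below is an added example, not code from the thread or from Cisco. It embeds a constructed ASA 8.3-style configuration fragment: the `object network obj-10.1.1.71` and its `nat (inside,outside) static` line mirror the packet-tracer output above; the `host 10.1.1.71` line, the second object `obj-10.1.1.25` with its mapping, and the SMTP ACE are assumptions added to give the lint something to catch. It parses the object-NAT static mappings, flags any ACE in the named ACL whose destination is still a mapped (public) address (the 8.2 habit, which on 8.3 never matches because the packet has already been untranslated when the ACL runs), and proposes the rewrite using the `object` keyword the accepted answer describes.

```python
import ipaddress
import re

# Constructed ASA 8.3-style configuration fragment (not from the thread).
# obj-10.1.1.71 and its NAT line mirror the packet-tracer output; the
# 'host' line, obj-10.1.1.25 and the SMTP ACE are assumptions. The SMTP
# ACE deliberately uses the mapped address, the mistake this lint catches.
SAMPLE_CONFIG = """\
object network obj-10.1.1.71
 host 10.1.1.71
 nat (inside,outside) static 132.234.23.135
object network obj-10.1.1.25
 host 10.1.1.25
 nat (inside,outside) static 132.234.23.136
access-list FROM_OUTSIDE extended permit tcp any host 10.1.1.71 eq https log
access-list FROM_OUTSIDE extended permit tcp any host 132.234.23.136 eq smtp
access-group FROM_OUTSIDE in interface outside
"""

# Only object NAT with an IP-literal mapped address is handled here; mappings
# to an object name or to 'interface' are skipped rather than guessed at.
OBJECT_RE = re.compile(r"object network (\S+)\s*$")
HOST_RE = re.compile(r"\s+host (\S+)\s*$")
STATIC_RE = re.compile(r"\s+nat \(\S+,\S+\) static (\S+)\s*$")
ACE_RE = re.compile(
    r"access-list (\S+) extended (permit|deny) (\S+) (.+?) host (\S+)(.*)$")


def parse_static_nat(config):
    """Return {mapped_ip: (object_name, real_ip)} for object-NAT static rules."""
    mappings = {}
    name = real = None
    for line in config.splitlines():
        m = OBJECT_RE.match(line)
        if m:
            name, real = m.group(1), None
            continue
        m = HOST_RE.match(line)
        if m and name:
            real = m.group(1)
            continue
        m = STATIC_RE.match(line)
        if m and name and real:
            mapped = m.group(1)
            try:
                ipaddress.ip_address(mapped)
            except ValueError:
                continue  # mapped side is an object name or 'interface'
            mappings[mapped] = (name, real)
    return mappings


def lint_acl(config, acl_name):
    """Flag ACEs of acl_name whose destination is a mapped (public) address.

    On ASA 8.3+ UN-NAT runs before the interface ACL, so the ACL sees the real
    address and such an ACE never matches. Returns a list of (bad_ace, fixed_ace)
    where fixed_ace references the network object that owns the real address.
    """
    nat = parse_static_nat(config)
    findings = []
    for line in config.splitlines():
        m = ACE_RE.match(line)
        if not m or m.group(1) != acl_name:
            continue
        acl, action, proto, src, dst, rest = m.groups()
        if dst in nat:
            obj, _real = nat[dst]
            fixed = f"access-list {acl} extended {action} {proto} {src} object {obj}{rest}"
            findings.append((line, fixed))
    return findings


if __name__ == "__main__":
    for bad, fixed in lint_acl(SAMPLE_CONFIG, "FROM_OUTSIDE"):
        print("stale (mapped address, will not match on 8.3+):")
        print("  " + bad)
        print("rewrite as:")
        print("  " + fixed)
```

Run it as-is to see the SMTP ACE reported and its object-based rewrite; to use it on a real device, paste the output of `show running-config object network` and `show running-config access-list` into `SAMPLE_CONFIG` (or read them from a file) and pass the ACL name bound with `access-group` on the outside interface. Because the rewrite references the object rather than the literal, a later change to the `host` line inside the object follows through to the ACL, which is the flexibility the accepted answer refers to.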

That's true... I will have to change my view on that NAT thing...

Thank you very much. I gave you 5 stars
