12-17-2010 08:14 PM - edited 03-11-2019 12:24 PM
Hi,
I just deployed my first ASA with 8.3 and I thought that, besides NAT, there would be no issues...
Then, after I did packet-traces, I was pretty surprised to see that UN-NAT (static NAT) runs before the ACL, which forced me to use private IPs in my access-list. Here is the output of packet-tracer:
packet-tracer input outside tcp 212.200.120.10 1432 132.234.23.135 443 det
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network obj-10.1.1.71
nat (inside,outside) static 132.234.23.135
Additional Information:
NAT divert to egress interface inside
Untranslate 132.234.23.135/443 to 10.1.1.71/443
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group FROM_OUTSIDE in interface outside
access-list FROM_OUTSIDE extended permit tcp any host 10.1.1.71 eq https log
Additional Information:
Phase: 5
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Did I do something wrong or miss something? I cannot believe that I have to use the private IP in the access list for outside access. That means I would have to change the access-list every time I change NAT, which is a bit ridiculous.
12-17-2010 08:58 PM
Yes, that is one of the other major changes from version 8.3. In the ACL, you would need to match against the un-NATed IP address, and in your case, the private IP address.
12-17-2010 09:03 PM
I figured that out... I still cannot understand why it's changed!
Let's say I have a mail server... If I want to change the mail server, in 8.2 it was enough to change NAT and I'm good to go... So now, I have to change NAT and the access-list. So more to do, harder to track changes... Any benefits?
And one more thing... Phase 2 was access-list, but it is empty... Is that even configurable? Can I configure some type of access-list that will be matched in Phase 2?
12-17-2010 09:16 PM
It actually provides more flexibility, and you can reference the NAT object in the ACL now.
So if you make changes to the NAT object, you don't actually have to make changes to the ACL as it can reference the NAT object.
Here is the command reference for 8.3 ACL for your reference:
http://www.cisco.com/en/US/docs/security/asa/asa83/command/reference/a1.html#wp1598407
Prior to 8.3, you could only reference an "object-group", not a NAT "object".
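An added example, not from the original post, of the 8.3-style configuration the reply describes: the static NAT is attached to the network object, and the ACL references the object instead of either address, so the real IP 10.1.1.71 and the public IP 132.234.23.135 (from the packet-tracer above) each appear only once. The object name, NAT statement, ACL name and addresses are taken from the thread; the `host` line is assumed, and the packet-tracer phases named in the comments are those shown in the original trace.

```cisco
! Real server and its static NAT (8.3 object NAT)
object network obj-10.1.1.71
 host 10.1.1.71
 nat (inside,outside) static 132.234.23.135
!
! 8.3 ACL: the packet is un-NATed (phase 3) before the ACL (phase 4) is
! evaluated, so the rule must match the real address. Referencing the
! object instead of writing "host 10.1.1.71" means a later change to the
! object's host line is picked up by both the NAT rule and the ACL.
access-list FROM_OUTSIDE extended permit tcp any object obj-10.1.1.71 eq https log
access-group FROM_OUTSIDE in interface outside
!
! Verify from the CLI: the trace should show UN-NAT before ACCESS-LIST,
! with the ACCESS-LIST phase matching on 10.1.1.71, not 132.234.23.135.
packet-tracer input outside tcp 212.200.120.10 1432 132.234.23.135 443 detailed
```

Because the object's name here embeds the address (obj-10.1.1.71), swapping the server still leaves a misleading name behind; a descriptive name for the object keeps the "change the object once" workflow honest. Re-running packet-tracer after any NAT or ACL change is the quickest check that the ACL phase still matches the intended real address.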
12-17-2010 09:22 PM
That's true... I will have to change my view on that NAT thing...
Thank you very much. I gave you 5 stars.