12-16-2014 08:01 AM - edited 03-11-2019 10:14 PM
Hi Everyone,
I configured port forwarding for our internal server as we have 1 public IP only. It is working fine.
Need to confirm if we access the server from outside world then first thing that will happen is
NAT and then it will look for ACL on outside interface right?
For return traffic from server to Outside world it will hit ACL then NAT?
Regards
Mahesh
12-16-2014 08:34 AM
Need to confirm if we access the server from outside world then first thing that will happen is
NAT and then it will look for ACL on outside interface right?
That is correct. As you said, traffic will first be translated using the NAT statements and then checked against the ACL entries.
For return traffic from server to Outside world it will hit ACL then NAT?
Again correct. This is because the ACL check will happen on the inside interface and the NAT, in this case, will happen after the packet has entered the interface.
--
Please remember to select a correct answer and rate helpful posts
12-16-2014 09:21 AM
Hi Marius,
One more thing to confirm is for traffic flow in bidirectional it will use the same NAT rule right?
For ACL check for traffic flow from inside to outside it will look for ACL on ASA's inside interface right?
Regards
Mahesh
12-16-2014 01:55 PM
One more thing to confirm is for traffic flow in bidirectional it will use the same NAT rule right?
Yes, assuming the NAT statement is a static NAT. Only static NAT is bidirectional, while dynamic NAT is not.
For ACL check for traffic flow from inside to outside it will look for ACL on ASA's inside interface right?
Correct. The ACL, if any, which is applied to the inside interface will be matched first. However, it is possible to apply an ACL to the outside interface in the outbound direction which will also be applied to the traffic. This is not a common practice though and is used only when there is a specific need for doing so.
--
Please remember to select a correct answer and rate helpful posts
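The two orderings confirmed in this thread (outside-to-inside: NAT then outside ACL; inside-to-outside: inside ACL then NAT) and the bidirectional behaviour of a single static NAT rule, as an added illustrative model that is not part of the thread. Addresses and the ASA 8.3+ convention that ACLs are evaluated against real (untranslated) addresses are assumptions; all values are constructed.

```python
from dataclasses import dataclass, replace

# Constructed sample addressing (not from the thread): one public IP with
# TCP/443 forwarded to an internal web server.
PUBLIC_IP = "203.0.113.10"
SERVER_REAL_IP = "10.0.0.25"

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int

# One static NAT rule; being static, it is applied in both directions.
STATIC_NAT = {"real": SERVER_REAL_IP, "mapped": PUBLIC_IP, "port": 443}

def nat_inbound(pkt):
    """Untranslate the mapped (public) destination to the real address."""
    if pkt.dst == STATIC_NAT["mapped"] and pkt.dport == STATIC_NAT["port"]:
        return replace(pkt, dst=STATIC_NAT["real"])
    return pkt

def nat_outbound(pkt):
    """Translate the real source address to the mapped (public) one."""
    if pkt.src == STATIC_NAT["real"]:
        return replace(pkt, src=STATIC_NAT["mapped"])
    return pkt

# Interface ACLs as (action, src, dst, dport); ASA 8.3+ evaluates them on
# real addresses, so the outside ACL names 10.0.0.25, not the public IP.
OUTSIDE_IN_ACL = [("permit", "any", SERVER_REAL_IP, 443)]
INSIDE_IN_ACL = [("permit", SERVER_REAL_IP, "any", None)]

def acl_permits(acl, pkt):
    for action, src, dst, dport in acl:
        if (src in ("any", pkt.src) and dst in ("any", pkt.dst)
                and dport in (None, pkt.dport)):
            return action == "permit"
    return False  # implicit deny at the end of every ACL

def outside_to_inside(pkt, acl=OUTSIDE_IN_ACL):
    """Inbound: untranslate (NAT) first, then the outside interface ACL."""
    real = nat_inbound(pkt)
    return real if acl_permits(acl, real) else None

def inside_to_outside(pkt, acl=INSIDE_IN_ACL):
    """Outbound: inside interface ACL first, then NAT on the way out."""
    return nat_outbound(pkt) if acl_permits(acl, pkt) else None
```

Passing an outside ACL written against the public IP instead of the real IP makes the inbound flow fail, which is the usual mistake this ordering causes.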
12-16-2014 02:15 PM
Many thanks Marius for confirming that I was thinking correct.
Best Regards
Mahesh