Port forwarding and Order of operation

mahesh18
Level 6

Hi Everyone,


I configured port forwarding for our internal server as we have 1 public IP only. It is working fine.

Need to confirm: if we access the server from the outside world, then the first thing that will happen is NAT, and then it will look for the ACL on the outside interface, right?

For return traffic from the server to the outside world, it will hit the ACL and then NAT?


Regards

Mahesh


4 Replies

Need to confirm: if we access the server from the outside world, then the first thing that will happen is NAT, and then it will look for the ACL on the outside interface, right?

That is correct.  As you said, traffic will first be translated using the NAT statements and then checked against the ACL entries.

For return traffic from the server to the outside world, it will hit the ACL and then NAT?

Again correct.  This is because the ACL check will happen on the inside interface and the NAT, in this case, will happen after the packet has entered the interface.

--

Please remember to select a correct answer and rate helpful posts


Hi Marius,


One more thing to confirm: for bidirectional traffic flow, it will use the same NAT rule, right?

For the ACL check for traffic flow from inside to outside, it will look for the ACL on the ASA's inside interface, right?

Regards

Mahesh

One more thing to confirm: for bidirectional traffic flow, it will use the same NAT rule, right?

Yes, assuming the NAT statement is a static NAT.  Only static NAT is bidirectional, while dynamic NAT is not.

For the ACL check for traffic flow from inside to outside, it will look for the ACL on the ASA's inside interface, right?

Correct. The ACL, if any, which is applied to the inside interface will be matched first.  However, it is possible to apply an ACL to the outside interface in the outbound direction which will also be applied to the traffic.  This is not a common practice though and is used only when there is a specific need for doing so.

--

Please remember to select a correct answer and rate helpful posts

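As an added example (not part of the original thread), here is what the order of operations Marius describes looks like in ASA 8.3+ configuration syntax. The interface names, addresses, object name and port are assumptions chosen for illustration.

```cisco
! Constructed example: addresses, names and port are placeholders.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
! The real server behind the ASA. The static NAT publishes TCP/443 on the
! single public address (the outside interface IP). Static NAT is
! bidirectional, so this one rule untranslates inbound requests and
! translates the server's return traffic.
object network WEB-SERVER
 host 192.168.1.50
 nat (inside,outside) static interface service tcp 443 443
!
! Inbound: NAT (un-translation) runs before the outside ACL is checked, so
! on ASA 8.3+ the ACL must reference the REAL address (192.168.1.50 via the
! object), not the public address 203.0.113.10.
access-list OUTSIDE_IN extended permit tcp any object WEB-SERVER eq 443
access-group OUTSIDE_IN in interface outside
!
! Outbound: the inside ACL is checked as the packet enters the inside
! interface, before NAT is applied.
access-list INSIDE_IN extended permit tcp object WEB-SERVER any
access-group INSIDE_IN in interface inside
!
! Verification: packet-tracer prints each processing phase in the order the
! ASA evaluates it (UN-NAT before ACCESS-LIST for this inbound flow).
packet-tracer input outside tcp 198.51.100.7 40000 203.0.113.10 443
```

Running `packet-tracer` against your own rules is the quickest way to confirm the NAT-then-ACL order for inbound traffic and to spot an outside ACL that was mistakenly written against the public address.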

Many thanks Marius for confirming that I was thinking correctly.

Best Regards

Mahesh
