Hi,
I have a question regarding the usage of objects in ACLs on ASA 8.3+.
The basics:
-) I know that it is possible to use objects (not object-groups) in an ACL, and this is working fine here.
-) Auto-NAT can be done within these objects; this is also working fine.
Now the question:
Is it possible to 're-use' an object with a NAT statement in an ACL when the involved NAT interfaces do not match?
To make it more clear:
I have an ACL allowing one server in a DMZ to connect to the outside, static Auto-NAT (DMZ,outside) is performed and everything is working as expected.
If I use the very same object in an ACL between DMZ and inside, the ACL looks fine but the rule doesn't match (a capture shows matching traffic coming in).
Using packet-tracer for this connection results in 'allow', hitcount on rule increases.
My assumption was that, as the interfaces within the nat statement don't match, it would simply be ignored.
Unfortunately this doesn't seem to be the way it works.
Is there anything I've missed here?
Thanks for all answers
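A minimal ASA 8.3+ configuration that reproduces the scenario in the question, together with the checks to run on it. This is an added example, not the poster's configuration; the object names, addresses, interface names and ports are assumed.

```cisco
! Assumed object with the real (pre-NAT) address of the DMZ server.
! The Auto-NAT line applies only to flows between the DMZ and outside
! interfaces; it does not apply to DMZ<->inside flows.
object network DMZ-SERVER
 host 192.168.10.10
 nat (DMZ,outside) static 203.0.113.10

! Assumed inside network, no NAT attached.
object network INSIDE-NET
 subnet 10.0.0.0 255.255.255.0

! ACL on the DMZ interface. On 8.3+ ACLs always match on real
! (untranslated) addresses, so the same object is usable in both lines.
access-list DMZ_IN extended permit tcp object DMZ-SERVER any eq 443
access-list DMZ_IN extended permit tcp object DMZ-SERVER object INSIDE-NET eq 1433
access-group DMZ_IN in interface DMZ

! Checks (assumed flow: DMZ server -> inside host 10.0.0.5, TCP/1433).
! 1. Simulate the flow and read the ACCESS-LIST and NAT phases.
packet-tracer input DMZ tcp 192.168.10.10 12345 10.0.0.5 1433
! 2. Confirm which NAT rule (if any) is hit for this interface pair.
show nat detail
! 3. Hitcounts per ACE, to see which line the real traffic lands on.
show access-list DMZ_IN
! 4. Capture the real packets and compare them with the packet-tracer input.
capture DMZCAP interface DMZ match tcp host 192.168.10.10 host 10.0.0.5
show capture DMZCAP
! 5. Any connection actually built for the server.
show conn address 192.168.10.10
```

Two points worth keeping in mind when reading the output: on 8.3 and later the access list is evaluated against real addresses no matter which NAT rules exist, and an Auto-NAT rule under an object only translates traffic between the interface pair named in it, so for DMZ-to-inside traffic the object resolves to 192.168.10.10 in both the ACL and the NAT lookup. When packet-tracer reports allow and the ACE hitcount increases but the session still fails, the first things to compare are the exact source and destination in the capture against what packet-tracer was fed, and the later phases of the packet-tracer output (route lookup and the inside interface's own ACL), since the DMZ_IN ACL is evidently not the phase that drops the flow.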