cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
349
Views
2
Helpful
7
Replies

[ASA] How does a control-plane ACL treat interface NAT

guacamoley
Level 1
Level 1

In the documentation, I can see a control-plane ACL will permit/deny traffic towards the ASA itself, which is typically control plane, will this extend to nat traffic towards the device?

 

Edit: What would the security risks be if this was opened up to any any? I presume your device could easily be ddos'd, ssh tunneled, and compromised in many other ways. 

1 Accepted Solution

Accepted Solutions

tvotna
Spotlight
Spotlight

Technically, control-plane ACL programs accelerated security path table to control traffic between "outside" and "identity" interface as shown below, while regular ACL programs it between "outside" and "any" (all) interfaces, where "any" doesn't include identity. Hence, those two ACLs are independent from each other.

 

ASA# sh run access-group
access-group outside_in in interface outside control-plane
access-group outside_in in interface outside

ASA# show access-list outside_in
access-list outside_in; 10 elements; name hash: 0xc5896c24
access-list outside_in line 2 extended permit tcp xxx.xxx.147.0 255.255.255.0 host yyy.yyy.98.134 eq https (hitcnt=52) 0x567d10d1

ASA# show asp table classify domain permit match xxx.xxx.147.0
Input Table
in  id=0x7fc45a1bdba0, priority=120, domain=permit, deny=false
        hits=52, user_data=0x7fc14c8dac80, cs_id=0x0, flags=0x0, protocol=6
        src ip/id=xxx.xxx.147.0, mask=255.255.255.0, port=0, tag=any
        dst ip/id=yyy.yyy.98.134, mask=255.255.255.255, port=443, tag=any, dscp=0x0, nsg_id=none
        input_ifc=outside, output_ifc=identity
in  id=0x7fc14c75a950, priority=13, domain=permit, deny=false
        hits=0, user_data=0x7fc14e36c880, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
        src ip/id=xxx.xxx.147.0, mask=255.255.255.0, port=0, tag=any
        dst ip/id=yyy.yyy.98.134, mask=255.255.255.255, port=443, tag=any, dscp=0x0, nsg_id=none
        input_ifc=outside, output_ifc=any

 

View solution in original post

7 Replies 7

The NAT in router or in ASA need traffic pass boundary 

This boundary is between two Interface

In case of ACL control plane the traffic direct to ASA interface so it not pass any ASA boundary.

MHM

tvotna
Spotlight
Spotlight

Technically, control-plane ACL programs accelerated security path table to control traffic between "outside" and "identity" interface as shown below, while regular ACL programs it between "outside" and "any" (all) interfaces, where "any" doesn't include identity. Hence, those two ACLs are independent from each other.

 

ASA# sh run access-group
access-group outside_in in interface outside control-plane
access-group outside_in in interface outside

ASA# show access-list outside_in
access-list outside_in; 10 elements; name hash: 0xc5896c24
access-list outside_in line 2 extended permit tcp xxx.xxx.147.0 255.255.255.0 host yyy.yyy.98.134 eq https (hitcnt=52) 0x567d10d1

ASA# show asp table classify domain permit match xxx.xxx.147.0
Input Table
in  id=0x7fc45a1bdba0, priority=120, domain=permit, deny=false
        hits=52, user_data=0x7fc14c8dac80, cs_id=0x0, flags=0x0, protocol=6
        src ip/id=xxx.xxx.147.0, mask=255.255.255.0, port=0, tag=any
        dst ip/id=yyy.yyy.98.134, mask=255.255.255.255, port=443, tag=any, dscp=0x0, nsg_id=none
        input_ifc=outside, output_ifc=identity
in  id=0x7fc14c75a950, priority=13, domain=permit, deny=false
        hits=0, user_data=0x7fc14e36c880, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
        src ip/id=xxx.xxx.147.0, mask=255.255.255.0, port=0, tag=any
        dst ip/id=yyy.yyy.98.134, mask=255.255.255.255, port=443, tag=any, dscp=0x0, nsg_id=none
        input_ifc=outside, output_ifc=any

 

that's really helpful actually - so there is a logical interface called "identity" in the ASA. Will that always match the IP that is specified in the initial command? (in your case it was "in interface outside control-plane". So I imagine the .98.134 address was the outside's interface? 

 

Why we need to know NAT IP if we want to config ACL?

To know which one we use real IP or mapped IP

In acl control the traffic not hit NAT 

So we always use real IP.

@tvotna identity is not related to NAT traffic' it use only for service policy.

Why you misleading him?

MHM

You're wrong or don't understand what I'm talking about.

 

Yes please share how we can use identity logical interface for NAT, 
I will so surprise to see this new config 
waiting your reply 
thanks 

MHM 

Correct.

 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Review Cisco Networking products for a $25 gift card