About Nat 0 exempt

Unanswered Question
Jul 18th, 2007

Hello, I want to ask whether I can use a specific port in the access list assigned to nat 0 exempt, because I want the remote LAN to be able to access only a specific port in the local LAN. I use ASA 7.1(2).

Thanks

Jon Marshall Thu, 07/19/2007 - 04:48

Hi Charles

No, you can't. You can use ports in access lists for policy NAT, but you cannot use a port number in an access list used for NAT exemption.

HTH

Jon
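As an added illustration of the distinction Jon draws (this is not configuration from the original thread; the networks, host addresses and access-list names are assumed), the two ASA 7.x forms side by side. The NAT exemption access list is written with `ip` only, while the policy NAT access list carries a TCP port and is bound with a numbered `nat`/`global` pair instead of `nat 0`:

```cisco
! Assumed topology: inside LAN 192.168.1.0/24, remote LAN behind the tunnel 10.10.10.0/24
!
! --- NAT exemption: address-only match, no ports ---
! Traffic between the two LANs is exempted from translation so it can enter the tunnel
! with its real addresses. A port here is not honoured for NAT exemption.
access-list NAT0_INSIDE extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (inside) 0 access-list NAT0_INSIDE
!
! --- Policy NAT: the access list may include ports ---
! Only TCP/3389 from host 192.168.1.10 toward the remote LAN is translated to the
! mapped address in global pool 1; everything else on 192.168.1.10 is untouched by this rule.
access-list POLICY_NAT extended permit tcp host 192.168.1.10 10.10.10.0 255.255.255.0 eq 3389
nat (inside) 1 access-list POLICY_NAT
global (outside) 1 203.0.113.20
!
! Check which rule a flow hit and whether the exemption matched
show access-list NAT0_INSIDE
show xlate
```

Note that policy NAT solves a translation problem, not an access-control one: a remote host that is not matched by the policy NAT rule simply gets a different (or no) translation, it is not blocked. Restricting which ports the remote LAN may reach is a job for an interface access list or a VPN filter.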

ggilbert Thu, 07/19/2007 - 06:59

Just like Jon said, you can't use an access list with ports for NAT exemption.

gilbert

Charles_Chi4 Thu, 07/19/2007 - 18:10

Hi jon,

Thank you so much for your reply

Therefore I want to ask how I could limit access from the remote LAN to a specific port. I have already activated the sysopt in the ASA. Or is my only option to apply the ACL on the device that is directly connected to the inside interface of the ASA?

Jon Marshall Thu, 07/19/2007 - 18:52

Hi Charles

You will need to use an access-list that is applied to one of your interfaces, presumably the outside.

Not sure what you mean by sysopt in ASA. If you are talking about IPsec, you can either use a VPN tunnel filter or an outbound access list on your inside interface.

Hope I've understood.

Jon

Charles_Chi4 Thu, 07/19/2007 - 18:57

Hi Jon,

I use sysopt connection permit-vpn in the ASA, so every VPN packet bypasses all interface access lists in the ASA.

Jon Marshall Thu, 07/19/2007 - 19:03

Charles

sysopt connection permit-vpn allows IPsec traffic to bypass the ACL. So if you terminate the VPN on the outside interface of your ASA, then the traffic will not be subject to the outside ACL.

But once it is decrypted by the ASA, any other ACL it goes through still applies. So if you applied an access list in the outbound direction on your inside interface, you could still restrict what traffic could go through. If you do this, please remember there is an explicit deny at the end of every access list.

HTH

Jon

Charles_Chi4 Thu, 07/19/2007 - 20:10

Hi Jon,

I'm clear enough now, thanks to you. But I have already applied ACLs inbound on both inside and outside. So could I restrict remote access to a specific port through the interesting traffic defined for tunnel establishment? Because I couldn't do it in the inbound ACL on inside or in the nat 0 exemption.

Jon Marshall Thu, 07/19/2007 - 22:44

Charles

You can use ports in your crypto access list if you want, but there is a performance overhead associated with this.

Could you just explain why you cannot simply add an outbound ACL on your inside interface?

Jon

Charles_Chi4 Thu, 07/19/2007 - 23:14

Hi Jon,

I've already configured an inbound ACL on the inside interface. And as far as I know, we couldn't assign more than one ACL to one interface. The inbound ACL is used to limit internet access and remote access through the VPN tunnel. It's already in production.

If that is so, maybe I should put the ACL on the core switch directly connected to this ASA.

Jon Marshall Thu, 07/19/2007 - 23:27

Hi Charles

From the ASA 7.1 configuration guide:

=============================================

To apply an extended access list to the inbound or outbound direction of an interface, enter the following command:

hostname(config)# access-group access_list_name {in | out} interface interface_name [per-user-override]

You can apply one access list of each type (extended and EtherType) to both directions of the interface. See the "Inbound and Outbound Access List Overview" section for more information about access list directions.

=============================================

So you can apply an ACL both outbound and inbound on an interface.

As I said though, if you are using this to restrict traffic to a certain host, then allow the host traffic, deny any other traffic to the host, and then end with a "permit ip any any", or else you could cut users off.

HTH

Jon
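As an added worked example of the two approaches Jon describes (an outbound ACL on the inside interface, or a VPN filter), not configuration posted in this thread: the addresses, names and tunnel peer are assumed, and the goal is that the remote LAN 10.10.10.0/24, arriving over an IPsec site-to-site tunnel with `sysopt connection permit-vpn` enabled, may reach only TCP/3389 on inside host 192.168.1.10. The existing inbound ACL on inside is left untouched, since ASA 7.x allows one extended ACL per direction per interface.

```cisco
! Assumed: inside 192.168.1.0/24, remote LAN 10.10.10.0/24 behind L2L peer 198.51.100.1,
! IPsec terminated on outside, existing "access-group INSIDE_IN in interface inside" kept as is.
!
! sysopt connection permit-vpn lets decrypted IPsec traffic skip the outside ACL only;
! an ACL applied outbound on the inside interface still sees it after decryption.
sysopt connection permit-vpn
!
! --- Option A: outbound ACL on the inside interface ---
! "out" on inside = traffic leaving the ASA toward the inside LAN, i.e. remote -> local.
! Order matters: permit the wanted flow, deny everything else from the remote LAN,
! then permit ip any any so that ordinary internet return traffic to inside users is not
! cut off by the implicit deny at the end of the list.
access-list INSIDE_OUT extended permit tcp 10.10.10.0 255.255.255.0 host 192.168.1.10 eq 3389
access-list INSIDE_OUT extended deny ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list INSIDE_OUT extended permit ip any any
access-group INSIDE_OUT out interface inside
!
! --- Option B: vpn-filter on the group policy used by the L2L tunnel group ---
! A vpn-filter ACL is written from the remote side's point of view (source = remote,
! destination = local) and is applied statefully to both directions of the tunnel, so no
! trailing permit is needed; anything not permitted here is dropped for this tunnel only.
access-list VPN_FILTER extended permit tcp 10.10.10.0 255.255.255.0 host 192.168.1.10 eq 3389
group-policy L2L_POLICY internal
group-policy L2L_POLICY attributes
 vpn-filter value VPN_FILTER
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 general-attributes
 default-group-policy L2L_POLICY
!
! Verify: hit counts should rise on the permit line for RDP and on the deny line for
! anything else the remote LAN tries, while the final permit ip any any keeps counting
! normal inside traffic.
show access-list INSIDE_OUT
show access-list VPN_FILTER
```

Use one option or the other rather than both, unless you want two independent chokepoints to keep in sync. Option B scopes the restriction to this tunnel and does not touch the interface at all, which is the safer change on a production firewall that already has an inbound ACL on inside; Option A is the one to choose if the ASA image or licence in use does not offer `vpn-filter`, and it must end with `permit ip any any` exactly as Jon warns.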
