About Nat 0 exempt

Charles_Chi4
Level 1

Hello, I want to ask if I could use a specific port in the access list assigned to nat 0 exempt, because I want the remote LAN to be able to access only a specific port in the local LAN. I use ASA 7.1(2).

Thanks

10 Replies

Jon Marshall
Hall of Fame

Hi Charles

No you can't. You can use ports in access-lists for policy NAT but you cannot use a port number in an access-list used for NAT exemption.

HTH

Jon

Just like Jon said, you can't use an access-list with ports for NAT exemption.

gilbert

Hi Jon,

Thank you so much for your reply.

Therefore I want to ask how I could limit access from the remote LAN to a specific port. I have already activated the sysopt in the ASA. Or do I only have the option of applying the ACL on the device that is directly connected to the inside interface of the ASA?

Hi Charles

You will need to use an access-list that is applied to one of your interfaces, presumably the outside.

Not sure what you mean by sysopt in ASA. If you are talking about IPSEC you can either use a vpn tunnel filter or an outbound access-list on your inside interface.

Hope I've understood.

Jon

Hi Jon,

I use sysopt connection permit-vpn in the ASA so that every VPN packet bypasses all interface access lists in the ASA.

Charles

sysopt connection permit-vpn allows IPSEC traffic to bypass the acl. So if you terminate the VPN on the outside interface of your ASA then the traffic will not be subject to the outside acl.

But once it is unencrypted by the ASA any other acl it goes through still applies. So if you applied an access-list in the outbound direction on your inside interface you could still restrict what traffic could go through. If you do this please remember there is an explicit deny at the end of every access-list.

HTH

Jon

Hi Jon,

I'm clear enough now, thanks to you. But I have already applied ACLs inbound on inside and outside. So could I restrict remote access to a specific port through the interesting traffic defined for tunnel establishment? Because I couldn't do it in the inbound ACL on inside or in the nat 0 exempt ACL.

Charles

You can use ports in your crypto access-list if you want but there is a performance overhead associated with this.

Could you just explain why you cannot just add an outbound acl on your inside interface ?

Jon

Hi Jon,

I've already configured an inbound ACL on the inside interface. And as far as I know, we can't assign more than one ACL to one interface. The inbound ACL is used to limit internet access and remote access through the VPN tunnel. It's already in production.

If you say so, maybe I should put the ACL on the core switch directly connected to this ASA.

Hi Charles

From the ASA 7.1 configuration guide

=============================================

To apply an extended access list to the inbound or outbound direction of an interface, enter the following command:

hostname(config)# access-group access_list_name {in | out} interface interface_name [per-user-override]

You can apply one access list of each type (extended and EtherType) to both directions of the interface. See the "Inbound and Outbound Access List Overview" section for more information about access list directions.

=============================================

So you can apply an acl both outbound and inbound on an interface.

As I say though, if you are using this to restrict traffic to a certain host then allow the host traffic, deny any other traffic to the host and then end with a "permit ip any any" or else you could cut users off.

HTH

Jon
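The ordering Jon describes (permit the one host/port, deny everything else to that host, then permit ip any any) is easy to get wrong because the ASA evaluates an access-list top-down, first match wins, and ends with an implicit deny. The script below is an added example, not code from this thread or from Cisco: it parses a small constructed ASA 7.x-style configuration (the ACL names INSIDE_OUT and NONAT, the 10.1.1.0/24 local LAN, the 192.168.2.0/24 remote VPN LAN, host 10.1.1.10 and port 3389 are all assumptions), evaluates the outbound-on-inside ACL the way the ASA would for a few sample flows, and shows that dropping the trailing "permit ip any any" silently blocks every other flow. It also checks the nat 0 exemption ACL for port entries, which (as Jon notes) are not allowed there.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, List, Tuple

# Constructed sample configuration in ASA 7.x syntax. Names and addresses
# are assumptions for this example, not from the original thread.
CONFIG = """
access-list NONAT extended permit ip 10.1.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list NONAT
access-list INSIDE_OUT extended permit tcp 192.168.2.0 255.255.255.0 host 10.1.1.10 eq 3389
access-list INSIDE_OUT extended deny ip any host 10.1.1.10
access-list INSIDE_OUT extended permit ip any any
access-group INSIDE_OUT out interface inside
"""


@dataclass
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp", "udp", ...
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    sport: Optional[int]         # only "eq N" is understood in this example
    dport: Optional[int]
    text: str                    # original line, for reporting the match


def _take_addr(tokens: List[str]) -> ipaddress.IPv4Network:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D MASK' from the token list."""
    head = tokens.pop(0)
    if head == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if head == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    mask = tokens.pop(0)
    return ipaddress.ip_network(f"{head}/{mask}", strict=False)


def _take_port(tokens: List[str]) -> Optional[int]:
    """Consume an optional 'eq N' port qualifier."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        return int(tokens.pop(0))
    return None


def parse_acl(config: str, name: str) -> List[Ace]:
    """Return the ACEs of access-list <name> in configuration order."""
    aces = []
    for raw in config.splitlines():
        line = raw.strip()
        t = line.split()
        if len(t) < 4 or t[0] != "access-list" or t[1] != name:
            continue
        t = t[3:] if t[2] == "extended" else t[2:]
        action, proto, rest = t[0], t[1], t[2:]
        src = _take_addr(rest)
        sport = _take_port(rest)
        dst = _take_addr(rest)
        dport = _take_port(rest)
        aces.append(Ace(action, proto, src, dst, sport, dport, line))
    return aces


def evaluate(aces: List[Ace], proto: str, src_ip: str, dst_ip: str,
             dport: Optional[int] = None) -> Tuple[str, str]:
    """First-match evaluation with the ASA's implicit deny at the end."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in aces:
        if ace.proto not in ("ip", proto):
            continue
        if src not in ace.src or dst not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, ace.text
    return "deny", "<implicit deny at end of access-list>"


def nat_exempt_port_entries(config: str, name: str) -> List[str]:
    """Lines of a nat 0 exemption ACL that carry a port (not allowed there)."""
    return [a.text for a in parse_acl(config, name)
            if a.sport is not None or a.dport is not None]


ACL = parse_acl(CONFIG, "INSIDE_OUT")

if __name__ == "__main__":
    flows = [("tcp", "192.168.2.5", "10.1.1.10", 3389),   # allowed host/port
             ("tcp", "192.168.2.5", "10.1.1.10", 445),    # other port on host
             ("tcp", "192.168.2.5", "10.1.1.20", 445)]    # some other host
    for f in flows:
        print(f, "->", evaluate(ACL, *f))
    # Same ACL without the trailing "permit ip any any": third flow is now cut off.
    print("without final permit:", evaluate(ACL[:-1], *flows[2]))
    print("ports in NONAT:", nat_exempt_port_entries(CONFIG, "NONAT"))
```

Running it shows the first flow hitting the permit line, the second hitting the "deny ip any host" line, and the third passing on "permit ip any any"; remove that last line and the third flow falls through to the implicit deny, which is exactly the "cut users off" failure Jon warns about.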
