stop conn

gpan667788
Level 1

Hello,

I have a PIX-515E with version 6.3(4). I saw an IP address hacking my web server in the DMZ on port 80. I denied the IP address on my outside access-list, but when I do "sh conn | i x.x.x.x", I am still seeing that IP address. Could anyone tell me how to stop that?

thanks,

Gene

Accepted Solution

The way the ASA processes traffic, it first looks at any existing connection. If there is one, traffic is directly sent without the ACL check. So, if an ACL is added afterwards and a connection entry is already in place, you would need to get rid of the existing connection. Afterwards, the ACL check would be taken into consideration again.

For your reference, here is what the ASA checks and in what order:

Legends:

1. Receive packet.
2. Existing connection?
3. Permit by inbound ACL on interface?
4. Match translation rule (nat, static).
5. NAT embedded IP and perform security checks / randomize sequence number.
6. NAT IP header.
7. Pass packet to outgoing interface.
8. Layer 3 route lookup?
9. Layer 2 next hop?
10. Transmit packet.

NAT ORDER OF OPERATIONS

The rules are tried in order.

1) nat 0 access-list (nat-exempt)
2) match against existing xlates
3) static
   a) static nat with and without access-list (first match)
   b) static pat with and without access-list (first match)
4) nat
   a) nat access-list (first match)
      Note: nat 0 access-list is not part of this command.
   b) nat (best match)
      Note: When choosing a global address from multiple pools with the same nat id, the following order is tried:
      i) if the id is 0, create an identity xlate.
      ii) use the global pool for dynamic NAT
      iii) use the global pool for dynamic PAT
5) Error

nat (inside) 0

Nat 0 has two effects:

1. nat (inside) 0 access-list 101: This works exactly the same way as static, except that it bypasses NAT. It does not require the connection to be initiated from the Higher Security Interface before the host on the Lower Security interface can create a connection to the host on the Higher Security level interface.

2. nat (inside) 0 0.0.0.0 0.0.0.0: This bypasses NAT, but requires the host on the Higher Security interface to first initiate a connection to the host on the Lower Security interface before the host on the Lower Security interface can initiate a connection.

Regards,

Sushil

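An added toy model of steps 2 and 3 of the order Sushil lists (this is illustration code, not code from the thread or from Cisco): it shows why a deny added to the outside ACL has no effect on a connection that already has a conn-table entry, and why clearing that host's entries makes the ACL bite. Connections are keyed on a simplified 3-tuple, and the addresses are constructed samples.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Flow:                      # conn-table key, simplified to a 3-tuple
    src: str
    dst: str
    dport: int

@dataclass
class Firewall:
    acl: list = field(default_factory=list)   # outside ACL: (action, src); 'any' matches all
    conns: set = field(default_factory=set)   # established connections ("sh conn")
    log: list = field(default_factory=list)

    def acl_permits(self, flow):
        # First matching entry wins; every ACL ends with an implicit deny.
        for action, src in self.acl:
            if src in ("any", flow.src):
                return action == "permit"
        return False

    def process(self, flow):
        # Step 2 of the order in the accepted answer: an existing connection is
        # forwarded immediately and the inbound ACL is never consulted.
        if flow in self.conns:
            self.log.append(f"{flow.src}: existing conn, ACL bypassed")
            return True
        # Step 3: only a new connection is checked against the inbound ACL.
        if not self.acl_permits(flow):
            self.log.append(f"{flow.src}: new conn denied by ACL")
            return False
        self.conns.add(flow)
        self.log.append(f"{flow.src}: new conn permitted, entry created")
        return True

    def clear_local_host(self, ip):
        # Models "clear local-host <ip>": tear down that host's conn entries.
        gone = {c for c in self.conns if ip in (c.src, c.dst)}
        self.conns -= gone
        return len(gone)

def scenario():
    fw = Firewall(acl=[("permit", "any")])
    bad = Flow("203.0.113.5", "192.0.2.10", 80)     # constructed sample addresses
    fw.process(bad)                                 # permitted, conn entry created
    fw.acl.insert(0, ("deny", "203.0.113.5"))       # admin adds the deny afterwards
    still_passing = fw.process(bad)                 # True: existing conn bypasses ACL
    cleared = fw.clear_local_host("203.0.113.5")    # the fix from the thread
    after_clear = fw.process(bad)                   # False: new conn now hits the deny
    return still_passing, cleared, after_clear
```

The same deny applied before the first packet arrives blocks it immediately, which is the difference between the two cases in the thread.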

suschoud
Cisco Employee

cl local-host

cl xlate global

Regards,

Sushil

Thanks Sushil! Could you tell me why the ACL deny statement on the outside interface did not take care of the problem right away?

Gene


Thank you so much Sushil!

regards,

Gene

Ivast
Level 1

The right way is to use the "shun" command, not the access-list.
