06-14-2010 10:53 AM - edited 03-11-2019 10:59 AM
Hello:
I am redesigning my ACLs. I have a dumb question for the "outside_access_in" ACL. This ACL controls traffic from the outside in. Servers which are in my DMZ are on a private range and the ASA is doing a static NAT for them. As I create the ACL, should I only reference the public IP addresses since the ASA will translate them?
Harrison Midkiff
06-14-2010 11:01 AM
Hi,
On the outside ACL you should refer to the public (translated) IP for the servers (unless you're running 8.3).
Federico.
06-14-2010 12:38 PM
Since this is a new firewall, I upgraded it to 8.3. Do I have the option of using the public or NATed addresses?
06-14-2010 12:43 PM
If using 8.3, the recommendation is to use the "real" IP address in the ACL (instead of the NAT address).
This is an improvement in that it allows modification of translated IPs without having to change the ACLs.
Federico.
06-14-2010 02:01 PM
Federico:
Thanks again for replying to my post.
So in my case I created an object-group called "DMZ_WEB_SERVERS" with all of the private IP addresses of my web servers in my DMZ. The IPs are all NATed to public IP addresses. On my Inside interface I am using the object-group to permit access to these DMZ web servers. On my Outside interface I can use the same object-group even though it has the private IP addresses, and the ASA will automatically translate them.
Harrison Midkiff
06-14-2010 02:34 PM
Yes, but only for ASA 8.3.
For 8.2 and earlier you would need to allow traffic to the public IP addresses.
I hope it helps.
PK
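The two styles discussed in this thread side by side, as an added configuration example that is not part of any post above and not taken from the poster's firewall. Addresses are constructed from the RFC 5737 documentation range (203.0.113.0/24) and RFC 1918 space, and the interface names `outside` and `dmz` are assumed; the point is that on 8.2 the ACL references the mapped (public) address, while on 8.3 the same `DMZ_WEB_SERVERS` object-group of real (private) addresses is used in the outside ACL and the NAT is declared inside the network objects, so a later change of public IP touches only the `nat` line.

```cisco
! ---------- ASA 8.2 and earlier (constructed example) ----------
! Static NAT is configured separately and the ACL must match the
! mapped (public) address, because the ACL is evaluated before untranslate.
static (dmz,outside) 203.0.113.11 192.168.10.11 netmask 255.255.255.255
static (dmz,outside) 203.0.113.12 192.168.10.12 netmask 255.255.255.255
access-list outside_access_in remark 8.2 style: public IPs in the ACL
access-list outside_access_in extended permit tcp any host 203.0.113.11 eq www
access-list outside_access_in extended permit tcp any host 203.0.113.11 eq https
access-list outside_access_in extended permit tcp any host 203.0.113.12 eq www
access-list outside_access_in extended permit tcp any host 203.0.113.12 eq https
access-group outside_access_in in interface outside

! ---------- ASA 8.3 and later (constructed example) ----------
! NAT lives in the network object; the ACL sees the real (private) address
! because untranslate now happens before the interface ACL is checked.
object network DMZ_WEB1
 host 192.168.10.11
 nat (dmz,outside) static 203.0.113.11
object network DMZ_WEB2
 host 192.168.10.12
 nat (dmz,outside) static 203.0.113.12
! One group of real IPs, reusable on the inside and outside ACLs alike.
object-group network DMZ_WEB_SERVERS
 network-object host 192.168.10.11
 network-object host 192.168.10.12
object-group service WEB_PORTS tcp
 port-object eq www
 port-object eq https
access-list outside_access_in remark 8.3 style: real IPs in the ACL
access-list outside_access_in extended permit tcp any object-group DMZ_WEB_SERVERS object-group WEB_PORTS
access-group outside_access_in in interface outside

! ---------- Verification (either version) ----------
! Simulate an outside client (constructed 198.51.100.5) reaching a web server
! on its public address; the output lists the NAT and ACCESS-LIST phases and
! shows which ACL entry matched, so a wrong address form shows up as a DROP.
packet-tracer input outside tcp 198.51.100.5 12345 203.0.113.11 80
! Hit counts confirm the intended entry is the one being used.
show access-list outside_access_in
```

After migrating to 8.3, the `packet-tracer` check is the quickest way to confirm that an ACL written against public addresses is no longer matching: the ACCESS-LIST phase will report a drop even though the NAT phase succeeds, which is exactly the failure mode the replies above describe.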
06-15-2010 05:18 AM
Thanks for your input. It was very helpful.
06-15-2010 05:39 AM
I am glad it clarified it a little.
PK