ACLs & IP Addresses

HMidkiff (Level 1)

Hello:

I am redesigning my ACLs.  I have a dumb question for the "outside_access_in" ACL.  This ACL controls traffic from the outside in.  Servers which are in my DMZ are on a private range and the ASA is doing a static NAT for them.  As I create the ACL, should I only reference the public IP addresses since the ASA will translate them?

Harrison Midkiff


7 Replies

Hi,

On the outside ACL you should refer to the public (translated) IP for the servers (unless you're running 8.3)

Federico.

Since this is a new firewall, I upgraded it to 8.3.   Do I have the option of using the public or NAT'ed addresses?

If using 8.3, the recommendation is to use the "real" IP address in the ACL (instead of the NAT address).

This is an improvement in that it allows modification of translated IPs without having to change the ACLs.

Federico.

Federico:

Thanks again for replying to my post.

So in my case I created an object-group called "DMZ_WEB_SERVERS" with all of the private IP addresses of my web servers in my DMZ.  The IPs are all NAT'ed to public IP addresses.  On my Inside interface I am using the object-group to permit access to these DMZ web servers.  On my Outside interface I can use the same object-group even though it has the private IP addresses, and the ASA will automatically translate them.

Harrison Midkiff

Yes, but only for ASA 8.3.

For 8.2 and earlier you would need to allow traffic to the public IP addresses.

I hope it helps.

PK
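To make the two answers above concrete, here is the same DMZ web-server setup written out both ways. This is an added configuration example, not the poster's or the responders' own config: the addresses are constructed from the RFC 5737 documentation ranges, and the object names DMZ_WEB1/DMZ_WEB2 and the inside_access_in ACL name are assumed. The 8.3+ section and the 8.2-and-earlier section are alternatives for the same design, not meant to coexist on one box.

```cisco
! ===== ASA 8.3 and later: the ACL matches the REAL (untranslated) address =====
! Real DMZ web servers; object NAT maps each to its public address.
! (10.10.10.x / 203.0.113.x are constructed example addresses.)
object network DMZ_WEB1
 host 10.10.10.11
 nat (dmz,outside) static 203.0.113.11
!
object network DMZ_WEB2
 host 10.10.10.12
 nat (dmz,outside) static 203.0.113.12
!
! One group of REAL addresses, reused on every interface.
object-group network DMZ_WEB_SERVERS
 network-object host 10.10.10.11
 network-object host 10.10.10.12
!
! Outside -> DMZ. The destination is the real address: on 8.3+ the ASA
! un-translates 203.0.113.x to 10.10.10.x BEFORE the ACL is evaluated.
access-list outside_access_in extended permit tcp any object-group DMZ_WEB_SERVERS eq www
access-list outside_access_in extended permit tcp any object-group DMZ_WEB_SERVERS eq https
access-group outside_access_in in interface outside
!
! Inside -> DMZ. Same group; no translation is involved on this path
! (assumes no NAT between inside and dmz for these servers).
access-list inside_access_in extended permit tcp any object-group DMZ_WEB_SERVERS eq www
access-group inside_access_in in interface inside
!
! ===== ASA 8.2 and earlier: the outside ACL matches the MAPPED (public) address =====
! Legacy static NAT statements; the ACL on the outside interface must name
! the public addresses, so DMZ_WEB_SERVERS cannot be reused here.
static (dmz,outside) 203.0.113.11 10.10.10.11 netmask 255.255.255.255
static (dmz,outside) 203.0.113.12 10.10.10.12 netmask 255.255.255.255
access-list outside_access_in extended permit tcp any host 203.0.113.11 eq www
access-list outside_access_in extended permit tcp any host 203.0.113.12 eq www
access-group outside_access_in in interface outside
!
! ===== Verifying which address the ACL is matched against (either release) =====
! packet-tracer lists the phases in order; on 8.3+ the UN-NAT phase appears
! before the ACCESS-LIST phase, which is why the ACL sees 10.10.10.11.
packet-tracer input outside tcp 198.51.100.20 40000 203.0.113.11 80
show xlate
show access-list outside_access_in
```

The practical check is the hit counters in show access-list: after sending a test connection to the public address, the line naming the real address (8.3+) or the public address (8.2) should show its hitcnt increment. Note also that when an existing 8.2 configuration is upgraded to 8.3 the migration rewrites the outside ACLs to real addresses for you; it is still worth reviewing the result, since the migration creates its own object names.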

Thanks for your input.  It was very helpful.

I am glad it clarified it a little.

PK
