ASA 8.3 real Ip address in ACL

Answered Question
Jan 16th, 2012
If ASA 8.3 uses the real IP address in the ACL, why does the example "ASA 8.3 and Later: Mail (SMTP) Server Access on Inside Network Configuration Example" use the public (NATed) IP address for the SMTP server ACL?

ajay chauhan Mon, 01/16/2012 - 05:20

Whatever the SMTP server IP on the internet will be, you will have to add that IP to the outside ACL to allow port 25. It could be the NAT IP or the public IP as well.


Can you post the statement from configuration where you have doubt?


Thanks

Ajay

jmprats Mon, 01/16/2012 - 05:24
In the example:


access-list smtp extended permit tcp any host 209.164.3.5 eq smtp

object network obj-192.168.2.0
  subnet 192.168.2.0 255.255.255.0
  nat (inside,outside) dynamic 209.164.3.129

Why doesn't it use the real IP address in the ACL?

ajay chauhan Mon, 01/16/2012 - 05:31


Ok.


That traffic originates from inside hosts. You should focus on:


object network obj-192.168.2.57
  host 192.168.2.57
  nat (inside,outside) static 209.164.3.5



For your SMTP question: the SMTP server is mapped with one-to-one NAT, so its public identity would be 209.164.3.5, so of course that is what is allowed in the ACL.


Regarding the configuration you have posted: it has nothing to do with the SMTP server; it covers the whole /24 subnet for outbound traffic.


NAT has an order of processing: nonat > static NAT > dynamic NAT > static PAT > dynamic PAT, like this.


Hope this helps.


Thanks

Ajay

jmprats Tue, 01/17/2012 - 00:53
OK, sorry, of course, the SMTP server NAT was:

object network obj-192.168.2.57
  host 192.168.2.57
  nat (inside,outside) static 209.164.3.5


But the ACL is using the public IP, not the real IP address as the Release Notes or migration guide announce, which state:

"For example, formerly if you wanted to allow an outside host to access an inside host that used NAT, you applied an inbound access list on the outside interface using the access-group command. In this scenario, you needed to specify the mapped address of the inside host in the access list because that address was the address that can be used on the outside network. Starting in 8.3, you need to specify the real address in the access list."


In this Cisco Support Channel video (minute 3), the outside ACL uses the real IP address, not the public (NATed) one:

http://www.youtube.com/watch?v=R6TMlH9U2pE&feature=plcp&context=C34bcf43UDOEgsToPDskINRv5_oXhrk7jRahbPD_Em


So my question is:

In the ACL, do I have to use the real IP (like the video) or the NATed IP (like the SMTP example)?

Thanks

EliasTlou Tue, 01/17/2012 - 01:01
Hi


Use the real IP address, e.g.:

access-list smtp extended permit tcp any host 192.168.2.57 eq smtp

Correct Answer
ajay chauhan Tue, 01/17/2012 - 01:18

I agree!!


pre-8.3 Configuration

static (inside,outside) 209.165.201.15 10.1.1.6 netmask 255.255.255.255

!

access-list outside_in extended permit tcp any host 209.165.201.15

access-group outside_in in interface outside



8.3 Configuration

object network obj-10.1.1.6
  host 10.1.1.6
  nat (inside,outside) static 209.165.201.15

!

access-list outside_in extended permit tcp any host 10.1.1.6

access-group outside_in in interface outside
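As an added illustration (this is not code from the thread, the video or Cisco): a small Python model of why the two configurations above need different ACL addresses. The point is the order of operations: before 8.3 the outside access-list is checked against the packet as it arrives, i.e. against the mapped address, and static NAT is applied afterwards; from 8.3 the ASA untranslates the destination first, so the access-list is matched against the real address. The model assumes one static NAT per host and a single TCP packet arriving on outside; the addresses are the ones from the examples in this thread, and all class and function names are mine.

```python
"""Hypothetical simulation of ASA static NAT plus outside access-list
ordering, pre-8.3 versus 8.3+. Not ASA code; written for illustration."""
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address
from typing import List, Optional


@dataclass(frozen=True)
class StaticNat:
    """object network ... / host <real> / nat (inside,outside) static <mapped>"""
    real: IPv4Address
    mapped: IPv4Address


@dataclass(frozen=True)
class Ace:
    """One 'access-list X extended permit tcp any host <dst> [eq <port>]' entry."""
    action: str
    dst: IPv4Address
    dport: Optional[int] = None  # None means any destination port

    def matches(self, dst: IPv4Address, dport: int) -> bool:
        return self.dst == dst and (self.dport is None or self.dport == dport)


def untranslate(dst: IPv4Address, nats: List[StaticNat]) -> IPv4Address:
    """Static NAT in the outside->inside direction: mapped -> real."""
    for nat in nats:
        if nat.mapped == dst:
            return nat.real
    return dst


def acl_permits(acl: List[Ace], dst: IPv4Address, dport: int) -> bool:
    for ace in acl:
        if ace.matches(dst, dport):
            return ace.action == "permit"
    return False  # implicit deny at the end of every ASA access-list


def inbound_on_outside(packet_dst: str, dport: int, acl: List[Ace],
                       nats: List[StaticNat], asa_version: tuple) -> Optional[IPv4Address]:
    """Simulate a TCP packet arriving on the outside interface.
    Returns the real IP it is delivered to, or None if the ACL drops it."""
    dst = ip_address(packet_dst)
    if asa_version >= (8, 3):
        # 8.3+: untranslate first, then the access-list sees the real address.
        real = untranslate(dst, nats)
        return real if acl_permits(acl, real, dport) else None
    # pre-8.3: access-list is checked against the mapped address, then NAT.
    if not acl_permits(acl, dst, dport):
        return None
    return untranslate(dst, nats)


# Constructed sample data, taken from the config examples in this thread.
NATS = [
    StaticNat(ip_address("10.1.1.6"), ip_address("209.165.201.15")),
    StaticNat(ip_address("192.168.2.57"), ip_address("209.164.3.5")),
]
ACL_MAPPED = [Ace("permit", ip_address("209.165.201.15"))]       # pre-8.3 style
ACL_REAL = [Ace("permit", ip_address("10.1.1.6"))]               # 8.3 style
ACL_SMTP_REAL = [Ace("permit", ip_address("192.168.2.57"), 25)]  # 8.3 style, eq smtp


def migration_table() -> dict:
    """Which ACL style works on which version for a packet to 209.165.201.15:25.
    An ACL left on the mapped address after upgrading to 8.3 silently drops traffic."""
    return {
        "pre-8.3, ACL on mapped IP": inbound_on_outside("209.165.201.15", 25, ACL_MAPPED, NATS, (8, 2)),
        "pre-8.3, ACL on real IP":   inbound_on_outside("209.165.201.15", 25, ACL_REAL, NATS, (8, 2)),
        "8.3, ACL on mapped IP":     inbound_on_outside("209.165.201.15", 25, ACL_MAPPED, NATS, (8, 3)),
        "8.3, ACL on real IP":       inbound_on_outside("209.165.201.15", 25, ACL_REAL, NATS, (8, 3)),
    }


if __name__ == "__main__":
    for case, result in migration_table().items():
        print(f"{case:28} -> {'delivered to ' + str(result) if result else 'dropped by ACL'}")
```

The practical check after an 8.3 upgrade is the third row of the table: an access-list entry that still names the mapped address never matches, because by the time the access-group is evaluated the destination has already been rewritten to the real host, so the connection falls through to the implicit deny.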
