ASA 5505 - ASDM v 7.1(5) - Access Rules

Answered Question

Hi,

I have got an ASA 5505 set up in front of a reverse proxy for Exch 2013. I currently hit the outside via https://mymail.mydomain.com. That works just fine. There is a translation from port 8443 to 443 using Object NAT.

This question relates to the associated access rules.

I have one access rule that says, Source=any, Destn=myproxy, Destn Service = tcp/https

Everything works BUT... I would have thought that the access rule should be based on requesting access to port 8443... So, it appears as though:

- packet arrives on port 8443 and is translated to port 443, destn IP 10.0.0.n
- the firewall then says, "Aha, HTTPS packet for destn IP 10.0.0.n, that's fine. Pass friend."

Whereas what I think I "want" is

- packet arrives on port 8443 and is HTTPS and is passed by the firewall
- and then the NAT runs

The lack of obvious link between the changed port and the access rule makes me uneasy.

Am I missing something and should just relax?

Thanks

Correct Answer by Jouni Forss, Sun, 02/09/2014 - 09:35 (about 3 years 6 months ago)

Hi,

The ASA NAT/ACL changed in the jump from software level 8.2 to 8.3.

In 8.2 and before, the logic was that for a destination address the ACL was checked first and then the UN-NAT was done, which essentially untranslated the IP address (and possibly the port) and forwarded the traffic to the correct host on the correct port.

In 8.3 and after, the ordering of NAT and ACL was changed as the NAT was redone. Now for a destination address the UN-NAT is done first and then the ACL check is performed. This leads to the situation that you actually have to allow traffic from the external network to the local IP address and the local port.

So you probably have something like this

object network SERVER
 host
 nat (inside,outside) static interface service tcp 443 8443

or

object network SERVER
 host
 nat (inside,outside) static service tcp 443 8443

So now your ACL rule should be

access-list permit tcp any object SERVER eq 443

as it matches the

access-list permit tcp any eq

Hope this helps

- Jouni
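The ordering change Jouni describes (ACL before un-NAT up to 8.2, un-NAT before ACL from 8.3 on) is easy to get wrong when porting rules, so here is a small Python model of the inbound path. It is an added illustration, not code from the thread or from Cisco; the server address 10.0.0.10, the outside interface address 203.0.113.5 and the client address are constructed sample values.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample addresses (not from the original thread): the reverse
# proxy is 10.0.0.10 on the inside, the ASA outside interface is 203.0.113.5,
# and Object NAT maps outside:8443 -> 10.0.0.10:443 as in the thread.
OUTSIDE_IF = "203.0.113.5"
SERVER_REAL = "10.0.0.10"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class StaticNat:
    """Models: nat (inside,outside) static interface service tcp 443 8443"""
    real_ip: str
    real_port: int
    mapped_ip: str
    mapped_port: int

    def un_nat(self, pkt: Packet) -> Packet:
        """Inbound direction: rewrite the mapped dst ip/port back to the real ones."""
        if (pkt.dst_ip, pkt.dst_port) == (self.mapped_ip, self.mapped_port):
            return Packet(pkt.src_ip, self.real_ip, self.real_port)
        return pkt


@dataclass(frozen=True)
class Ace:
    """One entry of the form: access-list ... permit tcp any <dst_ip> eq <dst_port>"""
    dst_ip: str
    dst_port: int

    def matches(self, pkt: Packet) -> bool:
        return pkt.dst_ip == self.dst_ip and pkt.dst_port == self.dst_port


def _ver(version: str) -> Tuple[int, ...]:
    return tuple(int(p) for p in version.split(".")[:2])


def inbound_allowed(pkt: Packet, nat: StaticNat, acl: List[Ace], version: str) -> bool:
    """Pre-8.3: the ACL sees the mapped (outside) address and port, then un-NAT runs.
    8.3 and later: un-NAT runs first, so the ACL must permit the real address and port."""
    seen_by_acl = pkt if _ver(version) < (8, 3) else nat.un_nat(pkt)
    return any(ace.matches(seen_by_acl) for ace in acl)


NAT = StaticNat(SERVER_REAL, 443, OUTSIDE_IF, 8443)
ACL_REAL = [Ace(SERVER_REAL, 443)]    # 8.3+ style: permit tcp any object SERVER eq 443
ACL_MAPPED = [Ace(OUTSIDE_IF, 8443)]  # pre-8.3 style: permit tcp any <outside ip> eq 8443
CLIENT = Packet("198.51.100.7", OUTSIDE_IF, 8443)  # constructed external client hitting 8443
```

Running `inbound_allowed(CLIENT, NAT, ACL_REAL, "9.1")` returns True while the same ACL under "8.2" returns False, which is exactly the rule-migration pitfall the thread is about.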