access list on asa

suthomas1
Level 6

I have questions on following scenario with an ASA.

Local interface (192.168.100.0/24), DMZ (192.168.200.0/24) and an internet-facing interface.

The internet interface is shut down temporarily, and no internet-based NAT/PAT is currently being used.

There are certain computing resources on the DMZ which users behind the local LAN access.

Rules for these users are configured for their destination computing servers (192.168.100.52):

access-list local__un-nat_out line 1 extended permit ip 192.168.100.0 255.255.0.0 host 192.168.200.52

Similar to the above line, there are numerous others for different servers/sources.

nat (local) 0 access-list local_un-nat_out

If I were to remove both the above ACL and NAT statement, will it cause disruption for users from the local LAN accessing this server in the DMZ? I am confused about the use of the above statements in the absence of an internet connection, and what their significance is.

TIA.

Accepted Solution

Hello,

Yes, you should be okay to remove the NAT 0 and ACL if that is the case. However, I would still recommend doing the changes in a maintenance window when you can tolerate some down time just in case, as well as retaining a backup of the configuration in case it needs to be reverted.

Hope that helps.

-Mike

5 Replies

andrew.prince
Level 10

If you remove the config, connectivity will stop if you have the command nat-control configured.

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/nat_control.html#wp1082359

HTH

nat-control is disabled. The security level for the DMZ is 10, outside is 0 and local is 100.

So, in this case, as nat-control is disabled, removing these shouldn't cause any problems, correct?

Can I also ask, so that I understand, what purpose those NAT/ACL commands serve? The configs are from a remote network and were set up a long time ago by another person.

Appreciate all help.

Hello,

The NAT 0/ACL commands are used so that the ASA will not translate any traffic that matches one of the lines in the ACL. If nat-control is disabled, removing the commands shouldn't break anything given your security levels. However, if you have other NAT statements that would cause this traffic to be translated and you don't want it to be, you'd need to leave these commands in place since NAT 0 will take precedence over other configured NAT statements. It ultimately depends on what the rest of your NAT config looks like.

Hope that helps.

-Mike
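
The precedence Mike describes, and the pre-change checks a maintenance window would normally include, rendered as an added example in ASA 8.2-style (pre-8.3) NAT syntax. This is not configuration from the thread or from Cisco documentation; the interface names local/dmz/internet follow the poster's description, the ACL mask is written as /24 to match the stated subnet rather than the 255.255.0.0 in the posted line, and the 192.168.100.10 test source, the public IP and the TFTP server are placeholders.

```text
! Added example (not from the thread). Comment lines start with "!".
!
! --- NAT exemption ("nat 0"): traffic matching the ACL is passed untranslated.
! The ASA evaluates NAT exemption before the regular nat/global pairs, so it
! wins whenever both a nat 0 ACL and a dynamic nat statement match a flow.
access-list local_un-nat_out extended permit ip 192.168.100.0 255.255.255.0 host 192.168.200.52
nat (local) 0 access-list local_un-nat_out
!
! --- Regular dynamic NAT/PAT: everything else leaving "local" towards "internet"
! is translated to the address bound to pool id 1. There is no "global" on the
! dmz interface, so nothing is ever translated for local -> dmz traffic by this pair.
nat (local) 1 0.0.0.0 0.0.0.0
global (internet) 1 <PUBLIC-IP>
!
! --- Checks before touching anything.
! "no nat-control" in the output means flows without a matching NAT rule are
! still forwarded; with nat-control enabled they would be dropped instead.
show running-config nat-control
show running-config nat
show running-config global
copy running-config tftp://<TFTP-SERVER>/asa-before.cfg
!
! --- Record how the local -> dmz flow is handled today (expect: allowed, no xlate).
packet-tracer input local tcp 192.168.100.10 1025 192.168.200.52 22
!
! --- The change itself.
no nat (local) 0 access-list local_un-nat_out
clear configure access-list local_un-nat_out
!
! --- Re-run the same trace; the result must be unchanged before calling it done.
packet-tracer input local tcp 192.168.100.10 1025 192.168.200.52 22
```

Running packet-tracer for the same flow before and after the removal is the check that matters here: if the pre-change trace shows the flow passing with no translation, and nat-control is disabled, the nat 0 lines are doing nothing for local-to-dmz traffic and the post-change trace should match. If the trace shows a translation or a drop instead, other NAT statements are involved and the exemption should stay until they are understood.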

Thanks for the inputs.

The other existing NAT statement is nat (local) 1 0.0.0.0, which is tied to the internet-facing outside interface: global (internet) 1 "Public IP".

However, the internet-facing interface has been shut down for a temporary period, and this ASA may not be used for internet connectivity anymore,

leaving only the local and DMZ interfaces intact.

If this holds true, would it be safe for me to remove those ACL and NAT statements, and would that cause no issues to the services mentioned in my post?

TIA
