Cisco Support Community
Community Member

ACLs & IP Addresses

Hello:

I am redesigning my ACLs. I have a dumb question for the "outside_access_in" ACL. This ACL controls traffic from the outside in. Servers which are in my DMZ are on a private range and the ASA is doing a static NAT for them. As I create the ACL, should I only reference the public IP addresses since the ASA will translate them?

Harrison Midkiff


7 REPLIES

Re: ACLs & IP Addresses

Hi,

On the outside ACL you should refer to the public (translated) IP for the servers (unless you're running 8.3)

Federico.

Community Member

Re: ACLs & IP Addresses

Since this is a new firewall I upgraded it to 8.3.   Do I have the option of using the public or NAT'ed addresses?

Re: ACLs & IP Addresses

If using 8.3, the recommendation is to use the "real" IP address in the ACL (instead of the NAT address).

This is an improvement in that it allows modification of translated IPs without having to change the ACLs.

Federico.

Community Member

Re: ACLs & IP Addresses

Federico:

Thanks again for replying to my post.

So in my case I created an object-group called "DMZ_WEB_SERVERS" with all of the private IP addresses of my web servers in my DMZ. The IPs are all NAT'ed to public IP addresses. On my Inside interface I am using the object-group to permit access to these DMZ web servers. On my Outside interface I can use the same object-group even though it has the private IP addresses, and the ASA will automatically translate them.

Harrison Midkiff

Cisco Employee (accepted solution)

Re: ACLs & IP Addresses

Yes, but only for ASA 8.3.

For 8.2 and earlier you would need to allow traffic to the public IP addresses.

I hope it helps.

PK
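To make the 8.2-versus-8.3 difference from the replies above concrete, here is an added configuration example (constructed for this thread, not posted by any participant). It reuses the object-group name from the thread and assumes made-up addresses and interface names: 10.1.1.10 is the real DMZ web server, 203.0.113.10 is its public mapping, and the interfaces are named dmz and outside.

```cisco
! --- ASA 8.2 and earlier ---
! Address translation is done with the interface-pair "static" command, and
! inbound ACLs are evaluated BEFORE untranslation, so the ACL must match the
! public (mapped) address 203.0.113.10, not the real server address.
static (dmz,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255
access-list outside_access_in extended permit tcp any host 203.0.113.10 eq www
access-group outside_access_in in interface outside

! --- ASA 8.3 and later ---
! NAT moves into network objects, and inbound ACLs are evaluated AFTER
! untranslation, so the ACL matches the real (private) address. The same
! object-group can therefore be used on both the inside and outside ACLs,
! and the public mapping can be changed without touching the ACL.
object network DMZ_WEB1
 host 10.1.1.10
 nat (dmz,outside) static 203.0.113.10
object-group network DMZ_WEB_SERVERS
 network-object object DMZ_WEB1
access-list outside_access_in extended permit tcp any object-group DMZ_WEB_SERVERS eq www
access-group outside_access_in in interface outside

! Verification on either release: simulate an inbound HTTP packet from a
! constructed Internet host. The packet arrives addressed to the PUBLIC IP;
! the output shows the NAT phase and whether the ACL phase permits or drops it.
packet-tracer input outside tcp 198.51.100.5 12345 203.0.113.10 80
```

On 8.3 the packet-tracer output should show the destination untranslated to 10.1.1.10 before the ACCESS-LIST phase, which is why the ACL written against the private address matches.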

Community Member

Re: ACLs & IP Addresses

Thanks for your input.  It was very helpful

Cisco Employee

Re: ACLs & IP Addresses

I am glad it clarified it a little.

PK
