Applying service policies and NAT

Colin Higgins
Level 2

According to Cisco, MPF application inspection on the ASA is done AFTER network-address translation (and access-lists).

So a simple scenario like this:

! static (real_ifc,mapped_ifc) mapped_ip real_ip: 192.168.1.2 inside is reachable as 65.100.100.1 outside
static (inside,outside) 65.100.100.1 192.168.1.2 netmask 255.255.255.255
access-list test extended permit tcp any host 65.100.100.1 eq http
class-map test_class
 match access-list test

But what if I want to apply an inspection policy to outbound traffic that is being translated to the outside interface on the ASA?

This works fine with the default global policies, but what if I want to fine tune? Do I base the policy on the external (outside) address of the ASA?

That just doesn't seem right

3 Replies

Maykol Rojas
Cisco Employee

Nope, depends on the version that you are running. In what version are you?

Mike


This question would be for versions 7.2-8.2

When we get to 8.3, everything gets reversed for the access-lists, so it gets even more confusing. Before 8.3, an access-list applied to the external interface would act on the global (natted) address of internal servers. Now, it looks like the access-list acts on the private (unnatted) address through "real IP" and network-objects.

So I would imagine that class-map statements with access-list matches inside them would break upon upgrading the ASA: or at least it seems that way.

They will migrate, as well as the policies applied, don't you worry.

If you want to apply an outbound policy, you can use the post NAT IP and apply it on the outside.

Mike
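The two replies above (the 8.3 "reversal" of access-list addressing, and the suggestion to match the post-NAT IP on the outside interface) can be shown side by side. The following is an added configuration example, not from the thread and not Cisco's own material. It reuses the addresses from the original post and assumes an inside subnet of 192.168.1.0/24 and an outside interface address of 65.100.100.254; the object names, ACL names and policy names are invented for the example.

```cisco
! ===== 7.2 - 8.2: class-map ACLs see the POST-NAT (mapped) address =====
! Assumed: inside subnet 192.168.1.0/24, outside interface IP 65.100.100.254
! Outbound dynamic PAT to the outside interface address
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface
! Inbound static for the web server (mapped_ip real_ip)
static (inside,outside) 65.100.100.1 192.168.1.2 netmask 255.255.255.255
!
! Outbound web traffic: after PAT the source is the outside interface IP,
! so a class applied on outside must match that mapped address
access-list outbound_http extended permit tcp host 65.100.100.254 any eq http
class-map outbound_http_class
 match access-list outbound_http
!
policy-map outside_policy
 class outbound_http_class
  inspect http
!
service-policy outside_policy interface outside

! ===== 8.3 and later: class-map ACLs see the REAL (pre-NAT) address =====
! Same NAT intent expressed with network objects
object network inside_net
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
object network web_server
 host 192.168.1.2
 nat (inside,outside) static 65.100.100.1
!
! Same outbound policy on outside, but now written against the real inside addresses
access-list outbound_http extended permit tcp 192.168.1.0 255.255.255.0 any eq http
class-map outbound_http_class
 match access-list outbound_http
!
policy-map outside_policy
 class outbound_http_class
  inspect http
!
service-policy outside_policy interface outside
```

The two halves are alternatives for the two software trains, not one configuration; apply only the half that matches the running version. The policy-map and service-policy lines are identical in both, which is why the upgrade migration only has to rewrite the access-list addresses, as Mike describes.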
