Cisco Support Community
New Member

Applying service policies and NAT

According to Cisco, MPF application inspection on the ASA is done AFTER network-address translation (and access-lists).

So a simple scenario like this:

static (inside,outside) 65.100.100.1 192.168.1.2 netmask 255.255.255.255
access-list test extended permit tcp any host 65.100.100.1 eq http
class-map test_class
 match access-list test

But what if I want to apply an inspection policy to outbound traffic that is being translated to the outside interface on the ASA?

This works fine with the default global policies, but what if I want to fine-tune? Do I base the policy on the external (outside) address of the ASA?

That just doesn't seem right.

3 REPLIES
Cisco Employee

Nope, depends on the version that you are running. In what version are you?

Mike
New Member

This question would be for versions 7.2-8.2

When we get to 8.3, everything gets reversed for the access-lists, so it gets even more confusing. Before 8.3, an access-list applied to the external interface would act on the global (natted) address of internal servers. Now, it looks like the access-list acts on the private (unnatted) address through "real IP" and network-objects.

So I would imagine that class-map statements with access-list matches inside them would break upon upgrading the ASA, or at least it seems that way.

Cisco Employee

They will migrate, as well as the policies applied, don't you worry.

If you want to apply an outbound policy, you can use the post NAT IP and apply it on the outside.

Mike
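As an added worked example (not configuration from this thread, and not taken from Cisco documentation): the outbound case the question asks about, written once for ASA 7.2-8.2, where the class-map ACL is matched against the mapped (post-NAT) source and applied on the outside interface as the last reply suggests, and once in the 8.3+ form the second post alludes to, where NAT lives on a network object and the ACL names the real address. The names outbound_web, outbound_web_class, outside_policy and web-server are assumptions; the addresses are reused from the question, with 65.100.100.1 as the mapped address and 192.168.1.2 as the real one.

```cisco
! Added example, not from the thread. Addresses reused from the question:
! real server 192.168.1.2 on inside, published as 65.100.100.1 on outside.
!
! ===== ASA 7.2 - 8.2: ACLs used by MPF are matched on the MAPPED (post-NAT) address =====
! static (real_ifc,mapped_ifc) mapped_ip real_ip
static (inside,outside) 65.100.100.1 192.168.1.2 netmask 255.255.255.255
!
! Outbound HTTP from the server. On the outside interface the source has
! already been translated, so the ACL names 65.100.100.1, not 192.168.1.2.
access-list outbound_web extended permit tcp host 65.100.100.1 any eq http
class-map outbound_web_class
 match access-list outbound_web
policy-map outside_policy
 class outbound_web_class
  inspect http
service-policy outside_policy interface outside
!
! ===== ASA 8.3 and later: interface ACLs and MPF "match access-list" ACLs =====
! ===== use the REAL (pre-NAT) address; NAT is attached to a network object =====
object network web-server
 host 192.168.1.2
 nat (inside,outside) static 65.100.100.1
!
! Same outbound policy; the only change is that the ACL now names the real source.
access-list outbound_web extended permit tcp host 192.168.1.2 any eq http
class-map outbound_web_class
 match access-list outbound_web
policy-map outside_policy
 class outbound_web_class
  inspect http
service-policy outside_policy interface outside
```

The second form is what the 8.3 upgrade migration produces from the first, which is what "they will migrate" in the reply above refers to. After an upgrade it is still worth checking with `show access-list outbound_web` that the migrated entry names the real address, and with `show service-policy interface outside` that the inspect counters on the class are incrementing; a class whose ACL silently stopped matching leaves the traffic uninspected rather than producing an error. An alternative (my suggestion, not from the thread) that avoids the question in either version is to apply the policy on the inside interface, where the server's source address has not been translated yet and the ACL can name 192.168.1.2 in both 7.2-8.2 and 8.3+.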