767 Views, 0 Helpful, 2 Replies

ASA 5505 - ASDM v 7.1(5) - Access Rules

johnc
Level 1

Hi,

I have got an ASA 5505 set up in front of a reverse proxy for Exch 2013.  I currently hit the outside via https://mymail.mydomain.com.  That works just fine.  There is a translation from port 8443 to 443 using Object NAT.

This question relates to the associated access rules.

I have one access rule that says, Source=any, Destn=myproxy, Destn Service = tcp/https

Everything works BUT... I would have thought that the access rule should be based on requesting access to port 8443... So, it appears as though:

- packet arrives on port 8443 and is translated to port 443, destn IP 10.0.0.n

- the firewall then says, "Aha, HTTPS packet for destn IP 10.0.0.n, that's fine.  Pass friend."

Whereas what I think I "want" is

- packet arrives on port 8443 and is HTTPS and is passed by the firewall

and then the NAT runs

The lack of obvious link between the changed port and the access rule makes me uneasy.

Am I missing something and should just relax?

Thanks

1 Accepted Solution

Jouni Forss
VIP Alumni

Hi,

The ASA NAT/ACL changed in the jump from software level 8.2 to 8.3.

During 8.2 and before it the logic was that for a destination address the ACL was checked first and then the UN-NAT was done which essentially untranslated the IP address (and possibly the port) and forwarded the traffic to the correct host on the correct port.

During 8.3 and after it the ordering of NAT and ACL was changed as the NAT was redone. Now for a destination address the UN-NAT is done first and then the ACL check is performed. This leads to the situation that you actually have to allow traffic from the external network to the local IP address and the local port.

So you probably have something like this

object network SERVER
 host
 nat (inside,outside) static interface service tcp 443 8443

or

object network SERVER
 host
 nat (inside,outside) static service tcp 443 8443

So now your ACL rule should be

access-list permit tcp any object SERVER eq 443

as it matches the

access-list permit tcp any eq

Hope this helps

- Jouni

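The ordering difference Jouni describes, modelled as a small packet-evaluation simulation. This is an added example written for this thread, not Cisco code and not the poster's configuration: it takes one inbound packet, applies either "ACL then un-NAT" (pre-8.3) or "un-NAT then ACL" (8.3 and later), and shows which access rule permits the same packet under each ordering. The addresses 203.0.113.1 (outside interface), 10.0.0.10 (the thread only says 10.0.0.n) and 198.51.100.7 (a client) are constructed placeholders, and the ACL name OUTSIDE_IN is assumed.

```python
"""Model of ASA static NAT plus inbound access-rule evaluation order.

Added example for this thread, not Cisco code. All addresses are
constructed placeholders; the thread only gives "10.0.0.n".
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class StaticNat:
    """Equivalent of:  object network SERVER
                        host <real_ip>
                        nat (inside,outside) static <mapped_ip> service tcp <real_port> <mapped_port>
    """
    real_ip: str
    mapped_ip: str
    real_port: int
    mapped_port: int

    def un_nat(self, pkt: Packet) -> Packet:
        """Untranslate a packet arriving on the outside toward the real host/port."""
        if pkt.dst_ip == self.mapped_ip and pkt.dst_port == self.mapped_port:
            return Packet(pkt.proto, pkt.src_ip, self.real_ip, self.real_port)
        return pkt  # no matching translation: packet is delivered unchanged


@dataclass(frozen=True)
class AccessRule:
    """Equivalent of:  access-list OUTSIDE_IN permit tcp any host <dst_ip> eq <dst_port>"""
    proto: str
    dst_ip: str
    dst_port: int

    def matches(self, pkt: Packet) -> bool:
        return (pkt.proto == self.proto
                and pkt.dst_ip == self.dst_ip
                and pkt.dst_port == self.dst_port)


def evaluate(pkt: Packet, nat: StaticNat, acl: List[AccessRule], software: str) -> bool:
    """Return True if the packet is permitted by the inbound ACL.

    'pre-8.3': the ACL sees the packet as it arrived (mapped IP and port), then un-NAT runs.
    '8.3+'   : un-NAT runs first, so the ACL sees the real IP and real port.
    Anything not matched by a permit entry hits the implicit deny.
    """
    if software == "pre-8.3":
        seen_by_acl = pkt
    elif software == "8.3+":
        seen_by_acl = nat.un_nat(pkt)
    else:
        raise ValueError(f"unknown software level: {software}")
    return any(rule.matches(seen_by_acl) for rule in acl)


# Constructed placeholders (assumptions, not values from the thread).
OUTSIDE_IF = "203.0.113.1"
SERVER = "10.0.0.10"
CLIENT = "198.51.100.7"

NAT = StaticNat(real_ip=SERVER, mapped_ip=OUTSIDE_IF, real_port=443, mapped_port=8443)
INBOUND = Packet("tcp", CLIENT, OUTSIDE_IF, 8443)  # what the Internet sends

# The rule the thread ends up with: permit tcp any object SERVER eq 443 (real IP/port).
RULE_REAL = [AccessRule("tcp", SERVER, 443)]
# The pre-8.3 style rule: permit tcp any host <outside IP> eq 8443 (mapped IP/port).
RULE_MAPPED = [AccessRule("tcp", OUTSIDE_IF, 8443)]


def outcomes() -> Dict[Tuple[str, str], bool]:
    """Which rule permits the same inbound packet under each software ordering."""
    return {
        ("8.3+", "real-443"): evaluate(INBOUND, NAT, RULE_REAL, "8.3+"),
        ("8.3+", "mapped-8443"): evaluate(INBOUND, NAT, RULE_MAPPED, "8.3+"),
        ("pre-8.3", "real-443"): evaluate(INBOUND, NAT, RULE_REAL, "pre-8.3"),
        ("pre-8.3", "mapped-8443"): evaluate(INBOUND, NAT, RULE_MAPPED, "pre-8.3"),
    }


def untranslated_443_permitted() -> bool:
    """A packet to the outside interface on 443 has no matching NAT, so in 8.3+
    the ACL still sees 203.0.113.1:443, which the SERVER/443 rule does not match."""
    return evaluate(Packet("tcp", CLIENT, OUTSIDE_IF, 443), NAT, RULE_REAL, "8.3+")


if __name__ == "__main__":
    for (level, rule), permitted in outcomes().items():
        print(f"{level:8} rule={rule:12} -> {'permit' if permitted else 'deny'}")
    print("outside:443 without NAT (8.3+) ->", untranslated_443_permitted())
```

The point the simulation makes is the one behind the question: on 8.3 and later the rule written against the real address and port 443 is the only one that admits the translated packet, and it does not open port 443 on the outside interface itself, because the ACL is evaluated after un-NAT against the real server only.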

2 Replies


johnc
Level 1

Hi,

Thanks for the swift reply.  Definitely makes clear what's going on and why the config is what it is. Beyond that, it helps my general understanding of how things are put together in the 5505.

Many thanks

Regards

John
