02-09-2014 09:28 AM - edited 03-11-2019 08:43 PM
Hi,
I have got an ASA 5505 set up in front of a reverse proxy for Exch 2013. I currently hit the outside via https://mymail.mydomain.com. That works just fine. There is a translation from port 8443 to 443 using Object NAT.
This question relates to the associated access rules.
I have one access rule that says, Source=any, Destn=myproxy, Destn Service = tcp/https
Everything works BUT... I would have thought that the access rule should be based on requesting access to port 8443... So, it appears as though:
- packet arrives on port 8443 and is translated to port 443, destn IP 10.0.0.n
- the firewall then says, "Aha, HTTPS packet for destn IP 10.0.0.n, that's fine. Pass friend."
Whereas what I think I "want" is
- packet arrives on port 8443 and is HTTPS and is passed by the firewall
and then the NAT runs
The lack of obvious link between the changed port and the access rule makes me uneasy.
Am I missing something and should just relax?
Thanks
02-09-2014 09:35 AM
Hi,
The ASA NAT/ACL changed in the jump from software level 8.2 to 8.3.
In 8.2 and earlier, the logic was that for a destination address the ACL was checked first and then the UN-NAT was done, which essentially untranslated the IP address (and possibly the port) and forwarded the traffic to the correct host on the correct port.
In 8.3 and later, the ordering of NAT and ACL was changed when the NAT was redone. Now for a destination address the UN-NAT is done first and then the ACL check is performed. This leads to the situation that you actually have to allow traffic from the external network to the local IP address and the local port.
So you probably have something like this
object network SERVER
host
nat (inside,outside) static interface service tcp 443 8443
or
object network SERVER
host
nat (inside,outside) static
So now your ACL rule should be
access-list
as it matches the
access-list
Hope this helps
- Jouni
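Added example (not from the thread or from Cisco): a small Python model of the two evaluation orders Jouni describes, using constructed addresses (203.0.113.10 stands in for the outside interface, 10.0.0.5 for the proxy behind the "10.0.0.n" in the question). It shows why the rule John already has (real host, tcp/https) is the one that matches from 8.3 on, and why a rule written for tcp/8443 on the interface address would match only under the pre-8.3 ordering.

```python
from dataclasses import dataclass

# Constructed addresses for the example; neither appears in the thread.
OUTSIDE_IF = "203.0.113.10"   # ASA outside interface (mapped address)
REAL_SERVER = "10.0.0.5"      # reverse proxy's real (inside) address


@dataclass(frozen=True)
class Packet:
    dst_ip: str
    dst_port: int


def un_nat(pkt: Packet) -> Packet:
    """Model 'nat (inside,outside) static interface service tcp 443 8443':
    tcp/8443 on the interface address untranslates to the real host's tcp/443."""
    if pkt.dst_ip == OUTSIDE_IF and pkt.dst_port == 8443:
        return Packet(REAL_SERVER, 443)
    return pkt


def acl_permits(acl, pkt: Packet) -> bool:
    """An ACE here is (dst_ip, dst_port); source 'any' is implied as in the thread."""
    return any(ip == pkt.dst_ip and port == pkt.dst_port for ip, port in acl)


def evaluate(version: str, acl, pkt: Packet) -> bool:
    """Return True if the modelled ASA permits the inbound packet."""
    if version == "8.2":
        # 8.2 and earlier: ACL sees the packet as it arrived, UN-NAT happens afterwards
        return acl_permits(acl, pkt)
    # 8.3 and later: UN-NAT first, so the ACL sees the real IP and real port
    return acl_permits(acl, un_nat(pkt))


ACL_MAPPED = [(OUTSIDE_IF, 8443)]   # rule written for the outside-facing port
ACL_REAL = [(REAL_SERVER, 443)]     # rule written for the real host and tcp/https

if __name__ == "__main__":
    inbound = Packet(OUTSIDE_IF, 8443)   # client connecting to https://mymail...:8443
    for ver in ("8.2", "8.3"):
        print(f"ASA {ver}: mapped-port ACL permits={evaluate(ver, ACL_MAPPED, inbound)}, "
              f"real-port ACL permits={evaluate(ver, ACL_REAL, inbound)}")
```

Running it prints that only the real-host/tcp/443 rule permits the connection under the 8.3+ ordering, which is exactly the "Pass friend" behaviour observed in the question.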
02-09-2014 11:08 AM
Hi,
Thanks for the swift reply. Definitely makes clear what's going on and why the config is what it is. Beyond that, it helps my general understanding of how things are put together in the 5505.
Many thanks
Regards
John