Cisco Support Community
Community Member

ASA 8.3 real Ip address in ACL

if ASA 8.3 uses real IP address in ACL, why in this example "ASA 8.3 and Later: Mail (SMTP) Server Access on Inside Network Configuration Example" uses the public (natted) ip address for the smtp server ACL?

Accepted Solution

ASA 8.3 real Ip address in ACL

I agree !!

pre-8.3 Configuration

static (inside,outside) 209.165.201.15 10.1.1.6 netmask 255.255.255.255
!
access-list outside_in extended permit tcp any host 209.165.201.15
access-group outside_in in interface outside

8.3 Configuration

object network obj-10.1.1.6
  host 10.1.1.6
  nat (inside,outside) static 209.165.201.15
!
access-list outside_in extended permit tcp any host 10.1.1.6
access-group outside_in in interface outside

6 REPLIES

ASA 8.3 real Ip address in ACL

Whatever the SMTP server IP on the internet will be, you will have to add that IP to the outside ACL to allow port 25. It could be the NAT IP or the public IP as well.

Can you post the statement from configuration where you have doubt?

Thanks

Ajay

Community Member

Re: ASA 8.3 real Ip address in ACL

In the example:

access-list smtp extended permit tcp any host 209.164.3.5 eq smtp

object network obj-192.168.2.0
  subnet 192.168.2.0 255.255.255.0
  nat (inside,outside) dynamic 209.164.3.129

Why doesn't it use the real IP address in the ACL?

ASA 8.3 real Ip address in ACL


Ok.

That traffic is originated from inside hosts. You should focus on -

object network obj-192.168.2.57
  host 192.168.2.57
  nat (inside,outside) static 209.164.3.5

For your SMTP question: the SMTP server is mapped with one-to-one NAT, so its public identity would be 209.164.3.5, so of course that is allowed in the ACL.

Regarding the configuration you have posted: it has nothing to do with the SMTP server; it mentions the whole /24 subnet for outbound traffic.

NAT has an order of processing: nonat > static nat > dynamic nat > static pat > dynamic pat, like this.

Hope this helps.

Thanks

Ajay

Community Member

ASA 8.3 real Ip address in ACL

OK, sorry, of course, the smtp-server nat was:

object network obj-192.168.2.57
  host 192.168.2.57
  nat (inside,outside) static 209.164.3.5

But the ACL is using the public IP, not the real IP address as announced in the Release Notes or migration guide, which states:

"For example, formerly if you wanted to allow an outside host to access an inside host that used NAT, you applied an inbound access list on the outside interface using the access-group command. In this scenario, you needed to specify the mapped address of the inside host in the access list because that address was the address that can be used on the outside network. Starting in 8.3, you need to specify the real address in the access list."

In this Cisco Support Channel video (minute 3), the outside ACL uses the real IP address, not the public (NATted) one:

http://www.youtube.com/watch?v=R6TMlH9U2pE&feature=plcp&context=C34bcf43UDOEgsToPDskINRv5_oXhrk7jRahbPD_Em

So my question is:

In the ACL, do I have to use the real IP (like the video) or the NATted IP (like the SMTP example)?

Thanks

Community Member

ASA 8.3 real Ip address in ACL

Hi

Use real IP address:

e.g.

access-list smtp extended permit tcp any host 192.168.2.57 eq smtp
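As an added example (not from the thread, from Cisco, or from any device), the following Python models the two behaviours that the accepted answer's pre-8.3 and 8.3 configurations and the quoted Release Notes passage describe: before 8.3 the inbound ACL on the outside interface is matched against the mapped (NATted) destination as it arrives on the wire, while from 8.3 the destination is untranslated to the real address first and the ACL is matched against that. It parses thread-style `static`, `object network` and `access-list` lines, evaluates one constructed inbound SMTP packet under each version, and lints for the common migration mistake of converting the NAT to 8.3 syntax while leaving a mapped address in the ACL, which makes the mail traffic hit the implicit deny. The three configurations are constructed from the accepted answer's addresses; the parser only covers the `PROTO any host DST [eq PORT]` ACL shape used in this thread.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample configs using the accepted answer's addresses (mapped
# 209.165.201.15 <-> real 10.1.1.6). MIXED is the classic migration mistake:
# NAT converted to 8.3 syntax, pre-8.3 ACL left untouched.
PRE_83_CONFIG = """\
static (inside,outside) 209.165.201.15 10.1.1.6 netmask 255.255.255.255
access-list outside_in extended permit tcp any host 209.165.201.15 eq smtp
"""
POST_83_CONFIG = """\
object network obj-10.1.1.6
 host 10.1.1.6
 nat (inside,outside) static 209.165.201.15
access-list outside_in extended permit tcp any host 10.1.1.6 eq smtp
"""
MIXED_CONFIG = """\
object network obj-10.1.1.6
 host 10.1.1.6
 nat (inside,outside) static 209.165.201.15
access-list outside_in extended permit tcp any host 209.165.201.15 eq smtp
"""

PORT_NAMES = {"smtp": 25, "www": 80, "https": 443}
STATIC_RE = re.compile(r"^static \(\S+\) (\S+) (\S+) netmask \S+")  # mapped, real
OBJECT_RE = re.compile(r"^object network (\S+)")
HOST_RE = re.compile(r"^\s+host (\S+)")
OBJECT_NAT_RE = re.compile(r"^\s+nat \(\S+\) static (\S+)")
# Only the 'PROTO any host DST [eq PORT]' shape seen in the thread is modelled.
ACL_RE = re.compile(r"^access-list (\S+) extended (permit|deny) (\S+) \S+ host (\S+)(?: eq (\S+))?")


@dataclass
class AclRule:
    acl: str
    action: str
    proto: str
    dest: str
    port: Optional[int]  # None matches any destination port


def parse_static_nat(config: str) -> dict[str, str]:
    """Return {mapped_ip: real_ip} from pre-8.3 'static' lines and 8.3 object NAT blocks."""
    mapped_to_real: dict[str, str] = {}
    objects: dict[str, dict[str, str]] = {}
    current: Optional[str] = None
    for line in config.splitlines():
        if m := STATIC_RE.match(line):
            mapped_to_real[m.group(1)] = m.group(2)
        elif m := OBJECT_RE.match(line):
            current = m.group(1)
            objects[current] = {}
        elif current and (m := HOST_RE.match(line)):
            objects[current]["real"] = m.group(1)
        elif current and (m := OBJECT_NAT_RE.match(line)):
            objects[current]["mapped"] = m.group(1)
        elif not line.startswith(" "):
            current = None  # any other top-level command closes the object block
    for obj in objects.values():
        if "real" in obj and "mapped" in obj:
            mapped_to_real[obj["mapped"]] = obj["real"]
    return mapped_to_real


def parse_acl_rules(config: str) -> list[AclRule]:
    rules: list[AclRule] = []
    for line in config.splitlines():
        if m := ACL_RE.match(line):
            acl, action, proto, dest, port = m.groups()
            port_num = None if port is None else PORT_NAMES.get(port) or int(port)
            rules.append(AclRule(acl, action, proto, dest, port_num))
    return rules


def evaluate_inbound(config: str, version: tuple[int, int], dst_ip: str, dport: int) -> str:
    """Fate of a TCP packet arriving on the outside interface for dst_ip:dport.
    Pre-8.3 the inbound ACL sees the wire (mapped) destination; from 8.3 the destination
    is untranslated to the real address first. Unmatched traffic hits the implicit deny."""
    nat = parse_static_nat(config)
    check_ip = nat.get(dst_ip, dst_ip) if version >= (8, 3) else dst_ip
    for rule in parse_acl_rules(config):
        if rule.proto == "tcp" and rule.dest == check_ip and rule.port in (None, dport):
            return rule.action
    return "deny"


def lint_acl_addresses(config: str, version: tuple[int, int]) -> list[str]:
    """On 8.3+, flag ACL destinations that name a mapped address instead of the real one."""
    nat = parse_static_nat(config)
    findings: list[str] = []
    for rule in parse_acl_rules(config):
        if version >= (8, 3) and rule.dest in nat:
            findings.append(f"{rule.acl}: {rule.dest} is a mapped address; "
                            f"8.3+ ACLs must use the real address {nat[rule.dest]}")
    return findings


if __name__ == "__main__":  # the same inbound SMTP packet under each constructed config
    for name, cfg, ver in (("pre-8.3", PRE_83_CONFIG, (8, 2)),
                           ("8.3", POST_83_CONFIG, (8, 3)), ("mixed", MIXED_CONFIG, (8, 3))):
        print(name, evaluate_inbound(cfg, ver, "209.165.201.15", 25), lint_acl_addresses(cfg, ver))
```

Running it shows the pre-8.3 and 8.3 configurations both permitting the SMTP packet, while the mixed configuration denies it and the linter names the mapped address that should have been replaced by 10.1.1.6. The same check can be run over an exported configuration before a 8.3 upgrade to find every ACL entry that still references a mapped address.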

