Hi Jouni,

Thank you and appreciate your quick response.

Below is what I had in my old config

access-list NAT-PORT extended permit tcp host 10.10.10.1 host 74.X.X.X eq https

global (outside) 1 interface
nat (inside) 1 access-list NAT-PORT

So this denied all other internet access for the server and allowed only https to 74.X

But currently in 8.4 I have to allow the server to access specific URL say google.com on port 80 &443 and block all other internet access.

I do have the DNS lookups and FQDN object configured. However I tried applying the FQDN on the NAT command and it failed as FQDN could not be applied on NAT. :) realised then

Also if you are suggesting to use ACL's how do I ensure that I don't disrupt any existing connectivities as I have a big network behind the ASA and also no ACL's applied on the inside interface.

Sent from Cisco Technical Support iPad App

Hi,

Ok, so you are basically doing Dynamic Policy PAT for specific connections no other connections have translations.

Naturally you can configure exactly the same NAT configuration on the new software too if you use the destination IP address rather than name. As you noticed, you are not able to use the FQDN in the NAT configurations.

Just for examples sake, if you wanted to simulate the above NAT configuration in the new format it would be this

object network HOST-74.x.x.x

host 74.x.x.x

object network HOST-10.10.10.1

host 10.10.10.1

object service HTTPS

service tcp destination eq https

nat (inside,outside) after-auto source dynamic HOST-10.10.10.1 interface destination static HOST-74.x.x.x service HTTPS HTTPS

The above "object" are named like that for examples sake. They could be something else also. The above configuration should do Dynamic Policy PAT and essentially only translate the source IP address when its connecting to the specific destination IP address with the specific service/port.

If you are not using interface ACLs at all and wanted to start using them then I think you would first need to go through the current configurations and confirm where the hosts behind this interface are allowed to connect to and where they should not be able to connect to and build the ACL based on this and later attach it to the interface.

I imagine that if you have multiple local interfaces on the firewall then the "security-level" value on your current firewall defines towards which interfaces networks the traffic is allowed from behind this source interface. I would also imagine that you are not doing any NAT between the local interfaces (other than Identity NAT perhaps) so that should not control the local traffic.

In addition to the above I imagine that you would have to go through the external translations to see what is allowed for the hosts since you are using these NAT configurations to control access.

To be honest it would just simply require work to go through the setup and how it works for you to be able to determine the contents of the ACL needed to achieve same results as with the current NAT or "security-level" settings.

- Jouni

Thank you Jouni. You have been kind enough to detail every aspect.

Your explanation resolves the NAT using IP. I mentioned it earlier because that was what I had on the older version.

But currently the requirement is to use the URL instead of the IP since the URL is mapped with multiple ip's and it's not possible to define exact ip's. So we have to define a xyz.com and enable the NAT in a way that only when the server tries to communicate to xyz.com over port 80/443 it should be translated and allowed to go out.

Can we accomplish this ?



Sent from Cisco Technical Support iPad App