NAT on the ASA - Where to apply the ACL

Hi,

I have 3 VLANs on my ASA on the inside which I want to NAT out, e.g. I have the following:

access-list Inside_To_Out extended permit ip object-group DynamicNatInside any

object-group network DynamicNatInside
 network-object 192.168.127.0 255.255.255.0
 network-object 192.168.128.0 255.255.255.0
 network-object 192.168.129.0 255.255.255.0

nat (any,outside) after-auto source dynamic DynamicNatInside interface

access-group Inside_To_Out out interface outside

Is this the correct way of doing it above? This does work. I just want to check if I could actually apply an ACL on the inside interface permitting to any, rather than on the outside interface outbound.

Is it possible I could have created an ACL for each VLAN separately (e.g. "vlan subnet" permit to any) and assigned this to each VLAN interface inbound, or is this bad practice?

Does my ACL for NAT need to go on the Outside Interface outbound?

1 ACCEPTED SOLUTION

"Is this the correct way of doing it above? This does work. I just want to check if I could actually apply ACL on the inside interface permitting to any, rather than the outside interface outbound."

The ACL applied outbound is not the standard way of doing things.  Normally you would only apply an ACL in the inbound direction, so in your case you would move the ACL to the inside interface in the inbound direction.  There are very few situations these days where you would have an ACL applied in the outbound direction since the firewalls are stateful.

"Is it possible I could have created an ACL for each VLAN separately (e.g. "vlan subnet" permit to any) and assigned this to each VLAN interface inbound, or is this bad practice?"

Yes, and again this is a standard way of doing things.

"Does my ACL for NAT need to go on the Outside Interface outbound?"

No, see my answer to your first question.

--

Please remember to select a correct answer and rate
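A worked version of the layout the accepted answer recommends, added here as an example and not taken from the thread: each inside VLAN interface gets its own ACL that permits only its own subnet, applied inbound, the NAT rule from the question is kept as-is, and the outbound ACL on outside is removed. The sub-interface names, VLAN numbering and gateway addresses are assumptions.

```cisco
! Assumed inside sub-interfaces (names, numbering and addresses are not from the original post)
interface GigabitEthernet0/1.127
 vlan 127
 nameif vlan127
 security-level 100
 ip address 192.168.127.1 255.255.255.0
!
interface GigabitEthernet0/1.128
 vlan 128
 nameif vlan128
 security-level 100
 ip address 192.168.128.1 255.255.255.0
!
interface GigabitEthernet0/1.129
 vlan 129
 nameif vlan129
 security-level 100
 ip address 192.168.129.1 255.255.255.0
!
! Object-group and NAT rule exactly as in the question; NAT does not depend on the ACL placement
object-group network DynamicNatInside
 network-object 192.168.127.0 255.255.255.0
 network-object 192.168.128.0 255.255.255.0
 network-object 192.168.129.0 255.255.255.0
!
nat (any,outside) after-auto source dynamic DynamicNatInside interface
!
! One ACL per VLAN, source limited to that VLAN's own subnet so spoofed sources are dropped
! at the first hop; return traffic is allowed by the stateful connection table, so nothing
! is needed outbound on outside
access-list VLAN127_IN extended permit ip 192.168.127.0 255.255.255.0 any
access-list VLAN128_IN extended permit ip 192.168.128.0 255.255.255.0 any
access-list VLAN129_IN extended permit ip 192.168.129.0 255.255.255.0 any
!
access-group VLAN127_IN in interface vlan127
access-group VLAN128_IN in interface vlan128
access-group VLAN129_IN in interface vlan129
!
! Remove the outbound ACL from the question; the implicit deny on outside inbound still applies
no access-group Inside_To_Out out interface outside
```

Because all three interfaces sit at security-level 100, traffic between the VLANs is also governed by `same-security-traffic permit inter-interface`; without that command the per-VLAN ACLs above will not by themselves allow inter-VLAN traffic.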