Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

nat vs acl rule

I'm trying to understand why an acl rule would be enabled in the firewall (outside int) for any source to a specific host on the inside using https, while there is not nat for this host and nothing pointing to it from the outside (dns records etc)?

What purpose would a rule like this server?

Everyone's tags (1)
Super Bronze

Re: nat vs acl rule


So if I understood you correctly you have a rule on the ACL that is attached to your ASAs external interface that points to a local IP address on your LAN?

First with regards to the NAT I would like to confirm which ASA software version you are using? 8.2 (and below) or 8.3 (and newer)? Reason is that naturally in the newer softwares the traffic is always allowed to the local IP address even when there is a NAT configured. Though then again you said that there is no NAT for this internal host towards the external network.

Only thing I can really think of right now is that you might be controlling traffic inbound from some VPN connection to this server. In this situation it would be natural to allow the traffic to the local IP address though I would have to say that source "any" in that case would not really be ideal (atleast in the new software)

If you are even controlling traffic incoming from VPN connections you would be using non  default setting on the ASA which would be

no sysopt connection permit-vpn

You can check if this is configured with the following command

show run all sysopt

If you see the first command in the output it means your external ACL controls connections coming from all VPN connections. If you see the same command WITHOUT the "no" then it means that all connections from VPNs bypass the external interface ACL.

So to me it seems the following

  • If you are using software 8.3 (or newer) and there is no NAT configurations for this internal host then its either a useless rule OR there its a rule for some VPN connections (if the traffic is controlled in the previously mentioned way)
  • If you are using software 8.2 (or older) then the reason for such rule would probably be related to VPN connections (if the traffic is controlled in the previously mentioned way)
  • Or the rule is some old configuration that has not been deleted or its a missconfigured rule.

Without seeing the configuration this is what I would guess.

You can naturally monitor the connections through your firewall and check does the ACL have any hitcount?

- Jouni

CreatePlease login to create content