Cisco Support Community
New Member

Reason paradigm changes in NAT & ACL cisco ASA 8.3, 8.4 and later

Dear Guys,

Based on

https://supportforums.cisco.com/docs/DOC-12690

Cisco changed their paradigm in ACL and NAT configuration. They use the "REAL-IP" address in ACL configuration.

My question is why they changed their paradigm.

Based on Tochukwu Iwuora's answer, it is for flexibility in NAT use: in a situation where the mapped address in a NAT rule is modified, there will not be any need to change the access-lists.

But I think it will cause confusion, especially for network admins.

Is there any other purpose or benefit (official purpose)?

BR

Rizal Ferdiyan

4 REPLIES
Cisco Employee

It actually allows for more configuration settings within NAT, e.g. this version now allows destination NAT as well, i.e. you can configure both source and destination NAT at the same time, whilst the older version doesn't support that.

ACL can now be configured with the object (for NAT) instead of just an IP address or object-group. Since the object (for NAT) is the real IP, it is easier to just reference that in the ACL compared to having to actually configure the mapped IP on the ACL.

New Member

Dear Jennifer,

Thank you for your answer, it really gives me a "hint".

But how about the ASA traffic flow?

AFAIK the traffic flow for traffic coming to the ASA (both from outside and inside) is like this: ACL first, then NAT.

With this NEW paradigm, does the traffic flow change?

Example for traffic coming from outside:

NAT will be checked first, then ACL outside, then ACL inside?

Just curious.

BR

Rizal Ferdiyan

Cisco Employee

Traffic flow remains the same: the ACL will be checked first, then translation will happen afterwards. Since it is either referring to the object, or it has an IP address of an object within the NAT statement, it knows to check the correct IP address.

Red

Hi Rizal,

I completely agree with Jennifer's explanation. The NAT is to provide more flexibility options with the newer codes. Although it might be confusing in the beginning, once you understand it, it starts getting better.

In the newer codes, the traffic flow has definitely changed a bit, in the sense that now the NAT statement is hit first or processed first by the ASA, and then the ACL, and that's the reason for the real IP being used in the ACL. You can also verify that by the packet-tracer command; it should give you the flow.

Also, the new NAT is better in the way that if you at any particular point of time want to change the public IP for any server or machine, you only need to make the change for that object in the NAT statement, since the ACL has the real IP, so it saves you overhead if there are a lot of servers.

Hope that helps.

Thanks,
Varun Rao
Security Team,
Cisco TAC
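As an added illustration of the two points made in this thread (Jennifer's note that the ACL can reference the NAT object, which carries the real address, and Varun's suggestion to confirm the processing order with packet-tracer), here is a side-by-side configuration written for this page. It is not taken from the linked Cisco document or from any of the posters; the object name WEB-SERVER, the interface names and the addresses 10.1.1.10, 203.0.113.10 and 198.51.100.5 are constructed (RFC 5737 documentation ranges).

```cisco
! --- Pre-8.3 style (constructed example): the inbound ACL on the outside
! --- interface must name the MAPPED (public) address of the server.
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 80
access-group OUTSIDE_IN in interface outside

! --- 8.3 and later (constructed example): NAT is attached to a network
! --- object, and the ACL references the object, i.e. the REAL address.
object network WEB-SERVER
 host 10.1.1.10
 nat (inside,outside) static 203.0.113.10
access-list OUTSIDE_IN extended permit tcp any object WEB-SERVER eq 80
access-group OUTSIDE_IN in interface outside

! Changing the public address later touches only the object's nat line;
! the ACL still matches 10.1.1.10 and needs no edit.
!   object network WEB-SERVER
!    nat (inside,outside) static 203.0.113.20

! Verify the processing order for an inbound connection to the mapped
! address, using a constructed client address 198.51.100.5.
packet-tracer input outside tcp 198.51.100.5 12345 203.0.113.10 80
```

Run the packet-tracer line on your own unit: on 8.3+ code the phase listing shows the UN-NAT phase ahead of the ACCESS-LIST phase, which is why the access-list has to be written against the real address. The practical caveat for anyone reviewing a migrated configuration is the reverse case: an inbound ACL on 8.3+ that still names the mapped address 203.0.113.10 never matches the packet after un-NAT, so the connection is dropped by the implicit deny, and packet-tracer is the quickest way to spot that.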
