Cisco Support Community
Community Member

Tricky ACL issue

Hi Guys,

Facing an issue here and need some expert know-how...

I have several interfaces on my ASA, which is also connected via S2S to the HQ office...

I have 3 /24 subnets heavily subnetted between interfaces, and a collapsed core as well, so anything other than playing with ACLs is out of the question.

So the subnet in question is attached to one of the ASA's interfaces (nameif: public_NAT) and has a 10.y.x.z/29 address (private); I have 3 servers on it. I use static 1-to-1 NAT to each server from the external range that I have with my ISP (can't route it in as the ISP is being ...@#$@D#F).

Now the requirement I have is to allow access to all 3 servers, but only by using their external globally routed NAT addresses, and to block any access to their private IP addresses.

Question is: can I use an "outbound" ACL on the public_NAT interface saying "deny ip any" to the private IP addresses of the servers inside that subnet,

and then allow on other interfaces to the external IPs residing on the WAN interface of the firewall?

Also, with S2S, if that subnet is part of a larger encryption domain, is my only choice to remove that /29 subnet from the encryption domain ACL?

Community Member

Tricky ACL issue

As I understand:

If you have NAT-control enabled on the ASA, it needs a NAT configured for the inside server to be accessible from the outside.

If the private IP is and the public IP is and you have the following configuration:

static (inside,outside) netmask

access-list outside permit ip any host

access-group outside in interface outside

With the above configuration, users can access the server only on the public IP address on the outside and will not be able to access the private IP address at all. This is the default behavior of the ASA.

You do not need any other outbound ACL on the outside interface.


Community Member

Tricky ACL issue

Hmm, I thought on new ASAs above 8.3 NAT comes first... and if so, then the ACL on the outside won't see the external IP...

Also, how will that make my LAN users use the external IP addresses and not just go inter-VLAN?
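The two NAT/ACL styles discussed in this thread side by side, as an added illustration that is not part of any post above. It assumes ASA 8.3 or later, a server with real address 10.0.0.2 in a 10.0.0.0/29 behind the interface named public_NAT, an assumed mapped public address 203.0.113.10, an outside interface named outside and an internal user interface named inside; all of these names and addresses are placeholders chosen for the example.

```text
! Added example, not config from the thread. Assumed: real 10.0.0.2/29 on public_NAT,
! mapped 203.0.113.10, interfaces "outside" and "inside".

! 8.3+ object NAT: static 1-to-1 translation of the real address to the mapped one.
! Using "any" as the mapped interface (instead of "outside") makes the same mapped
! address usable from other interfaces such as inside, so LAN users can reach the
! server on 203.0.113.10 rather than on its private address.
object network SRV1_REAL
 host 10.0.0.2
 nat (public_NAT,any) static 203.0.113.10

! In 8.3+ the interface ACL is evaluated against the REAL (untranslated) address,
! because the NAT lookup happens before the ACL check. The permit therefore names
! 10.0.0.2, even though the client on the outside connected to 203.0.113.10.
access-list OUTSIDE_IN extended permit tcp any host 10.0.0.2 eq 443
access-group OUTSIDE_IN in interface outside

! Pre-8.3 equivalent of the same two pieces, for comparison. Here the ACL names
! the MAPPED address, because the ACL was checked before the translation:
! static (public_NAT,outside) 203.0.113.10 10.0.0.2 netmask 255.255.255.255
! access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 443
! access-group OUTSIDE_IN in interface outside

! Internal users must not reach the servers on their private /29 directly.
! Since 8.3+ ACLs see real addresses, a deny on the inside interface's inbound
! ACL matches the private range whether the user typed 10.0.0.2 or not; traffic
! sent to 203.0.113.10 is un-NATted to 10.0.0.2 only after this ACL permits it
! by its real address, so an explicit permit for the servers precedes the deny.
access-list INSIDE_IN extended permit tcp any host 10.0.0.2 eq 443
access-list INSIDE_IN extended deny ip any 10.0.0.0 255.255.255.248
access-list INSIDE_IN extended permit ip any any
access-group INSIDE_IN in interface inside
```

Note that, because 8.3+ ACLs only ever see real addresses, an interface ACL alone cannot distinguish "connected to the public IP" from "connected to the private IP"; what keeps inside users off the private addresses in practice is that the only permitted path to 10.0.0.2 from inside is via the NAT rule that answers for 203.0.113.10, combined with the deny for the rest of the /29 shown above.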
