Believe it or not, once in a while I fumble with some basic concepts. Here is one: on our perimeter FW, an ASA, there are these NAT rules configured.
I just couldn't figure out why they use an extended ACL for the sources. Isn't the standard one good enough?
Thanks in advance,
access-list dmz_nat0_outbound extended permit ip any 1XX.169.0.0 255.255.0.0
access-list dmz_nat0_outbound extended permit ip any 10.48.240.0 255.255.255.0
access-list dmz_nat0_outbound extended permit ip any 10.48.243.0 255.255.255.0

access-list inside_nat0_outbound_5 extended permit ip any 172.17.13.0 255.255.255.0
access-list inside_nat0_outbound_5 extended permit ip any 192.168.12.0 255.255.255.0
access-list inside_nat0_outbound_5 extended permit ip any 192.168.221.0 255.255.255.0
Well, if you use a standard ACL it only checks the source address, so all the traffic from the specific source will be NATed. So in scenarios like split tunnel, etc., we mostly use an extended ACL to differentiate the traffic based on the destination, e.g. all the traffic for the far-end LAN subnet shouldn't be NATed, while all the other traffic, which is meant for the internet, should be NATed.
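To make the answer's point concrete, here is an added Python example (not from the post and not Cisco code) that parses the inside_nat0_outbound_5 ACL from the question plus a hypothetical standard ACL, then evaluates a few constructed flows with first-match semantics: the extended ACL exempts only traffic to the listed destination subnets, while a standard ACL can only match the source and so exempts everything that host sends.

```python
import ipaddress

# Constructed sample: the extended nat0 ACL copied from the question.
INSIDE_NAT0_ACL = """\
access-list inside_nat0_outbound_5 extended permit ip any 172.17.13.0 255.255.255.0
access-list inside_nat0_outbound_5 extended permit ip any 192.168.12.0 255.255.255.0
access-list inside_nat0_outbound_5 extended permit ip any 192.168.221.0 255.255.255.0
"""
# Hypothetical standard ACL (name and subnet are assumptions): source only.
INSIDE_STD_ACL = "access-list inside_nat0_std standard permit 10.1.1.0 255.255.255.0\n"


def _parse_target(tokens):
    """Consume one address spec ('any', 'host A' or 'A MASK'); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # ipaddress accepts a dotted netmask after the slash
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_acl(text):
    """Return (action, src_net, dst_net) entries in configured order."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        kind, action = t[2], t[3]
        if kind == "standard":
            # standard ACE: <action> <addr> <mask>; there is no destination field
            src, _ = _parse_target(t[4:])
            entries.append((action, src, ipaddress.ip_network("0.0.0.0/0")))
        else:
            # extended ACE: <action> <proto> <src spec> <dst spec>
            src, rest = _parse_target(t[5:])
            dst, _ = _parse_target(rest)
            entries.append((action, src, dst))
    return entries


def is_exempt(entries, src_ip, dst_ip):
    """First-match evaluation of a nat0 ACL: True means the flow bypasses NAT."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src, dst in entries:
        if s in src and d in dst:
            return action == "permit"
    return False  # implicit deny: not exempt, so the flow is NATed


if __name__ == "__main__":
    ext, std = parse_acl(INSIDE_NAT0_ACL), parse_acl(INSIDE_STD_ACL)
    for dst in ("172.17.13.9", "203.0.113.7"):  # far-end LAN vs internet
        print(dst, "extended:", is_exempt(ext, "10.1.1.5", dst),
              "standard:", is_exempt(std, "10.1.1.5", dst))
```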