I have seen in a manual that you can use "interface (interface name)" as the source/destination in an ACL on the ASA. When would you do this? What exactly does it buy you i.e. what does it really give access to?
Actually, it's the same concept. When you have a public address that can change, but you host a web server on the inside, your outside acl needs to allow someone into that address. You don't want to change the address each time your address changes, so you use the interface keyword instead of an address:
static (inside,outside) interface 192.168.1.50
access-list outside permit tcp any interface outside eq 80
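The destination use described in the answer above, written out end to end as an added example (not from the original post): the interface names inside/outside, the ACL name outside_in and the object name WEB-SERVER are assumed, and 192.168.1.50 is the address from the thread. It also shows the 8.3+ equivalent, where the interface keyword is only needed in the NAT rule.

```cisco
! --- Pre-8.3 syntax: the interface keyword appears in both the NAT and the ACL ---
! Static PAT: redirect tcp/80 arriving at whatever address "outside" currently
! holds to the web server, so a DHCP/PPPoE address change needs no config edit.
static (inside,outside) tcp interface 80 192.168.1.50 80 netmask 255.255.255.255
! Pre-8.3 inbound ACLs match the mapped (post-NAT) destination, so the ACL
! references the interface address too, by name rather than by value.
access-list outside_in extended permit tcp any interface outside eq 80
access-group outside_in in interface outside
!
! --- 8.3+ syntax: the interface keyword moves into the NAT rule ---
! Object NAT with static PAT to the outside interface address.
object network WEB-SERVER
 host 192.168.1.50
 nat (inside,outside) static interface service tcp 80 80
! 8.3+ ACLs match the real (pre-NAT) destination, so the ACL names the object
! and the interface keyword is no longer needed for this purpose.
access-list outside_in extended permit tcp any object WEB-SERVER eq 80
access-group outside_in in interface outside
```

On either version, `show nat` confirms the translation is built, and `packet-tracer input outside tcp <client-ip> 1025 <current-outside-ip> 80` shows which ACL line the inbound flow matches after the address changes.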
Thanks everyone for the examples. I understand why you would use this as the destination, especially if you were using DSL where the outside interface could change. But using it as the source still has me stumped. The reason I ask is that we are moving a DMZ from one company to ours and the access-list for their DMZ has such statements in it.
Are there any security restrictions on the ldap server that require traffic to come from the address that's assigned to the dmz interface? It *might* be an ldap security thing where they didn't want everything in the dmz talking to it OR they are making requests on behalf of everything in the dmz? Just a thought.