IP Addresses Used for Extended ACLs When You Use NAT; Time-Based ACEs - Cisco ASA Series Configuration Manual

Firewall CLI, ASA Services Module, and the Adaptive Security Virtual Appliance

About ACLs
interface to a low security interface). However, if you explicitly deny all traffic with an EtherType ACE,
then IP and ARP traffic is denied; only physical protocol traffic, such as auto-negotiation, is still
allowed.

IP Addresses Used for Extended ACLs When You Use NAT

When you use NAT or PAT, you are translating addresses or ports, typically mapping between internal
and external addresses. If you need to create an extended ACL that applies to addresses or ports that have
been translated, you need to determine whether to use the real (untranslated) addresses or ports or the
mapped ones. The requirement differs by feature.
Using the real address and port means that if the NAT configuration changes, you do not need to change
the ACLs.
Features That Use Real IP Addresses
The following commands and features use real IP addresses in the ACLs, even if the address as seen on
an interface is the mapped address:
Access Rules (extended ACLs referenced by the access-group command)
Service Policy Rules (Modular Policy Framework match access-list command)
Botnet Traffic Filter traffic classification (dynamic-filter enable classify-list command)
AAA Rules (aaa ... match commands)
WCCP (wccp redirect-list group-list command)
For example, if you configure NAT for an inside server, 10.1.1.5, so that it has a publicly routable IP
address on the outside, 209.165.201.5, then the access rule to allow the outside traffic to access the inside
server needs to reference the server's real IP address (10.1.1.5), and not the mapped address
(209.165.201.5).
hostname(config)# object network server1
hostname(config-network-object)# host 10.1.1.5
hostname(config-network-object)# nat (inside,outside) static 209.165.201.5
hostname(config)# access-list OUTSIDE extended permit tcp any host 10.1.1.5 eq www
hostname(config)# access-group OUTSIDE in interface outside
Features That Use Mapped IP Addresses
The following features use ACLs, but these ACLs use the mapped values as seen on an interface:
IPsec ACLs
capture command ACLs
Per-user ACLs
Routing protocol ACLs
All other feature ACLs.

Time-Based ACEs

You can apply time range objects to extended and webtype ACEs so that the rules are active for specific
time periods only. These types of rules let you differentiate between activity that is acceptable at certain
times of the day but that is unacceptable at other times. For example, you could provide additional

Cisco ASA Series Firewall CLI Configuration Guide
3-4
Chapter 3
Access Control Lists
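As an added illustration of the real-versus-mapped rule for access rules (this script is not from the Cisco guide), the following Python code scans an ASA-style configuration for access-list entries that reference a static NAT mapped address where the object's real address is required. The configuration text is constructed for the example, with one correct rule and one that uses the mapped address.

```python
import re

# Constructed sample ASA configuration (not from the manual). server1's access
# rule correctly uses the real address; server2's rule wrongly uses the
# mapped (outside) address, which an access rule never matches after NAT.
SAMPLE_CONFIG = """\
object network server1
 host 10.1.1.5
 nat (inside,outside) static 209.165.201.5
object network server2
 host 10.1.1.6
 nat (inside,outside) static 209.165.201.6
access-list OUTSIDE extended permit tcp any host 10.1.1.5 eq www
access-list OUTSIDE extended permit tcp any host 209.165.201.6 eq ssh
access-group OUTSIDE in interface outside
"""


def static_nat_mappings(config):
    """Return {mapped_ip: real_ip} for each 'object network' block that has
    a 'host' line followed by a static NAT line."""
    mappings, real = {}, None
    for line in config.splitlines():
        if line.startswith("object network"):
            real = None  # new object block: forget the previous host
        elif m := re.match(r"\s+host (\S+)", line):
            real = m.group(1)
        elif (m := re.match(r"\s+nat \(\S+\) static (\S+)", line)) and real:
            mappings[m.group(1)] = real
    return mappings


def find_mapped_address_aces(config):
    """Return (acl_name, mapped_ip, real_ip) for every extended access-list
    entry whose 'host' operand is a NAT mapped address rather than the real
    address that access rules must reference."""
    mappings = static_nat_mappings(config)
    findings = []
    for line in config.splitlines():
        m = re.match(r"access-list (\S+) extended ", line)
        if not m:
            continue
        for addr in re.findall(r"host (\S+)", line):
            if addr in mappings:
                findings.append((m.group(1), addr, mappings[addr]))
    return findings


if __name__ == "__main__":
    for acl, mapped, real in find_mapped_address_aces(SAMPLE_CONFIG):
        print(f"ACL {acl}: uses mapped {mapped}; access rules need real {real}")
```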
