Nat – ASA NAT & ACL question


object network obj-10.15.X.Y
 host 10.15.X.X
 nat (inside,outside) static 1.1.1.1

sh xlate | in 1.1.1.1                 
NAT from inside:10.15.X.Y to outside:1.1.1.1

access-list External_Access extended permit ip object-group WhiteList host 10.15.X.Y

applied inbound on the outside interface.

I am trying to access the public IP address (1.1.1.1) from one of the IP addresses in the object-group Whitelist.

Is the above ACL the correct one since I already have the NAT in place?

Or should I use something like:

access-list External_Access extended permit ip object-group WhiteList host 1.1.1.1

Best Answer

Since ASA 8.3 code, the interface ACLs expect the real-ip in each statement.

In your example, your real-ip is 10.15.x.x.

As such, your ACL entry will have to look like this:

access-list External_Access extended permit ip object-group WhiteList host 10.15.x.x

Alternatively, and I think more easily, you can just use the object reference directly in the ACL statement:

access-list External_Access extended permit ip object-group WhiteList object obj-10.15.X.Y
                                                                      ^^^^^^^^^^^^^^^^^^^^

Another way of looking at it is in 8.3+ code, the NAT happens before the ACL. In 8.2- code, the NAT happens after the ACL.
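The ordering point in the answer (8.2 and earlier: ACL then NAT; 8.3 and later: NAT then ACL) is easy to check with a small model. The Python below is an added illustration, not ASA code and not from the answer's author; it models a static NAT, a first-match interface ACL with implicit deny, and the two evaluation orders, then runs both candidate ACLs from the question through each. The address 1.1.1.1 is from the page; 10.15.0.10 is a constructed stand-in for the 10.15.X.Y host, and the WhiteList members (203.0.113.0/24, 198.51.100.7) are constructed sample values.

```python
"""Model of how an ASA evaluates an inbound packet against a static NAT and an
interface ACL: pre-8.3 (ACL before NAT, so the ACL sees the mapped IP) versus
8.3+ (NAT before ACL, so the ACL sees the real IP).  Illustrative model only,
not ASA code.  All addresses except 1.1.1.1 are constructed samples."""
import ipaddress
from dataclasses import dataclass

# Static NAT, mapped (outside) -> real (inside).  10.15.0.10 stands in for the
# 10.15.X.Y host in the question (constructed value).
STATIC_NAT = {ipaddress.ip_address("1.1.1.1"): ipaddress.ip_address("10.15.0.10")}

# object-group WhiteList (constructed members, documentation ranges)
WHITELIST = [ipaddress.ip_network("203.0.113.0/24"),
             ipaddress.ip_network("198.51.100.7/32")]


@dataclass(frozen=True)
class Ace:
    """One access-list entry: action plus source and destination object lists."""
    action: str  # "permit" or "deny"
    src: list    # list of ip_network
    dst: list    # list of ip_network


def host(addr):
    """Equivalent of 'host a.b.c.d' in an ACE: a /32 network."""
    return [ipaddress.ip_network(f"{addr}/32")]


# The two candidate ACLs from the question
ACL_REAL_IP = [Ace("permit", WHITELIST, host("10.15.0.10"))]   # host 10.15.X.Y
ACL_MAPPED_IP = [Ace("permit", WHITELIST, host("1.1.1.1"))]    # host 1.1.1.1


def untranslate(dst):
    """Reverse the static NAT for an inbound packet (mapped -> real)."""
    return STATIC_NAT.get(dst, dst)


def acl_lookup(acl, src, dst):
    """First-match ACL evaluation with the implicit deny at the end."""
    for ace in acl:
        if any(src in n for n in ace.src) and any(dst in n for n in ace.dst):
            return ace.action == "permit"
    return False


def inbound_permitted(version, acl, src, dst):
    """Does an inbound packet src->dst pass the outside ACL on this ASA version?"""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    major_minor = tuple(int(x) for x in version.split(".")[:2])
    if major_minor >= (8, 3):
        # 8.3+: NAT (untranslate) first, then the ACL sees the real IP
        return acl_lookup(acl, src, untranslate(dst))
    # 8.2 and earlier: the ACL sees the packet as it arrives, mapped IP
    return acl_lookup(acl, src, dst)


if __name__ == "__main__":
    pkt = ("203.0.113.5", "1.1.1.1")  # whitelisted source to the public IP
    for ver in ("8.2", "8.3"):
        print(ver, "ACL on real IP  :", inbound_permitted(ver, ACL_REAL_IP, *pkt))
        print(ver, "ACL on mapped IP:", inbound_permitted(ver, ACL_MAPPED_IP, *pkt))
```

Running it shows that on 8.3+ only the ACL written against the real IP (the first form in the question) permits the whitelisted source, while the ACL written against 1.1.1.1 falls through to the implicit deny; on 8.2 the result is reversed. Anything outside WhiteList is denied on both models.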
