object network obj-10.15.X.Y
 host 10.15.X.Y
 nat (inside,outside) static 1.1.1.1
sh xlate | in 1.1.1.1
NAT from inside:10.15.X.Y to outside:1.1.1.1
access-list External_Access extended permit ip object-group WhiteList host 10.15.X.Y
applied inbound on the outside interface.
I am trying to access the public IP address (1.1.1.1) from one of the IP addresses in the object-group Whitelist.
Is the above ACL the correct one since I already have the NAT in place?
Or should I use something like:
access-list External_Access extended permit ip object-group WhiteList host 1.1.1.1
Best Answer
Since ASA 8.3 code, the interface ACLs expect the real-ip in each statement.
In your example, your real-ip is 10.15.x.x. As such, your ACL entry will have to look like this:
Alternatively, and I think more easily, you can just use the object reference directly in the ACL statement:
Another way of looking at it is in 8.3+ code, the NAT happens before the ACL. In 8.2- code, the NAT happens after the ACL.
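Putting the two forms side by side, as an added example that is not part of the original question or answer: the object, object-group and ACL names are the ones used above, the object-group contents (203.0.113.10) are assumed, and the commented-out line is the pre-8.3 style that no longer matches on 8.3+ code.

```cisco
! 8.3+ ASA: object NAT for the real host, as in the question
object network obj-10.15.X.Y
 host 10.15.X.Y
 nat (inside,outside) static 1.1.1.1
!
! Assumed external source(s) allowed to reach the host
object-group network WhiteList
 network-object host 203.0.113.10
!
! Correct on 8.3+: the destination is the REAL (untranslated) address
access-list External_Access extended permit ip object-group WhiteList host 10.15.X.Y
!
! Equivalent and easier to maintain: reference the network object itself
access-list External_Access extended permit ip object-group WhiteList object obj-10.15.X.Y
!
! Wrong on 8.3+ (this was the 8.2-and-earlier form): mapped address as destination
! access-list External_Access extended permit ip object-group WhiteList host 1.1.1.1
!
access-group External_Access in interface outside
```

To confirm which address the ACL is matched against, trace a packet from one of the whitelisted sources to the mapped address, e.g. `packet-tracer input outside tcp 203.0.113.10 12345 1.1.1.1 443`: on 8.3+ the UN-NAT phase appears before the ACCESS-LIST phase in the output, and the ACCESS-LIST phase reports ALLOW only when the ACE names the real host (or its object). If the trace drops in the ACCESS-LIST phase, the ACE still refers to the mapped 1.1.1.1.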