In the ASA we have a NAT like:
10.1.1.1:443 -> 9.9.9.9:5443
Meaning that the public IP and port to access the private IP through the ASA is via 9.9.9.9
However in the ACL we permit like:
Allow any public source to -> 10.1.1.1:443
So I thought about it for a bit and took it that the order of operations means the ACL is evaluated post-NAT.
But the documentation I found regarding order of operations states the ACL is evaluated before NAT, which makes sense from a security point of view.
So I'm confused: how is the private / real IP being evaluated in the ACL (not the public IP)?
Seems someone was confused when they made config changes to the ASA, because it has both private and public allow rules in there and it threw me off 🙃. I had planned to explain using order of operations, but that didn't help, so I thought to ask here.
Remember the 8.2 -> 8.3 NAT changes. That changed the order of operations; you may be looking at the 8.2 order of operations (plenty of outdated resources on the internet). I had to open a TAC case to figure out the post-8.3 order of operations. This is what they sent me.
Hope this helps
Thanks :)
So the NAT is checked before the ACL, and then the ACL is matched on post-NAT (e.g. private IP and NATted layer 4).
What's the 2nd NAT, "NAT IP Header"?
I think that is where it actually modifies the header if needed before sending the packet. If you go to the Cisco Live website you can set up a free account and watch old presentations. The slide icecream-guy posted is from BRKSEC-3020. They may explain it more during the presentation.
-Otanx
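A small Python model of the post-8.3 inbound flow the replies above describe, added here as an illustration (it is not code from the thread or from Cisco): the NAT table is consulted first to untranslate the mapped destination, the interface ACL is then evaluated against the real IP and port, and only after that is the IP header rewritten. The addresses and ports are the ones in the question; the source address, the table layout, the `acl_uses_real` switch and all function names are my own constructed assumptions.

```python
"""Model of the Cisco ASA inbound packet flow after 8.3 (constructed example).

Order modelled: 1) NAT table lookup to untranslate the mapped destination,
2) interface ACL evaluated on the real (untranslated) IP and port,
3) header rewrite. Not ASA code; table layout and names are assumptions."""
from dataclasses import dataclass, replace
import ipaddress


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


# Static NAT from the thread: real 10.1.1.1:443 is published as 9.9.9.9:5443.
# Key: (mapped_ip, mapped_port, proto) -> (real_ip, real_port)
STATIC_NAT = {("9.9.9.9", 5443, "tcp"): ("10.1.1.1", 443)}

# ACL entries as (action, source network, destination host, destination port).
# ACL_REAL is the 8.3+ form the question shows; ACL_MAPPED is the pre-8.3 form.
ACL_REAL = [("permit", "0.0.0.0/0", "10.1.1.1", 443)]
ACL_MAPPED = [("permit", "0.0.0.0/0", "9.9.9.9", 5443)]


def nat_untranslate(pkt: Packet):
    """Step 1: NAT lookup. Returns (real_ip, real_port), or None if no entry matches."""
    return STATIC_NAT.get((pkt.dst_ip, pkt.dst_port, pkt.proto))


def acl_permits(acl, src_ip: str, dst_ip: str, dst_port: int) -> bool:
    """First-match ACL evaluation with the ASA's implicit deny at the end."""
    for action, src_net, dst_host, port in acl:
        if (ipaddress.ip_address(src_ip) in ipaddress.ip_network(src_net)
                and dst_ip == dst_host and dst_port == port):
            return action == "permit"
    return False


def inbound(pkt: Packet, acl, acl_uses_real: bool = True):
    """Process a packet arriving on the outside interface.

    acl_uses_real=True models 8.3+: the ACL sees the real IP and port.
    acl_uses_real=False models 8.2: the ACL sees the mapped (public) address.
    Returns ("permit", packet_after_rewrite) or ("deny", reason).
    """
    real = nat_untranslate(pkt)
    if acl_uses_real and real is not None:
        acl_dst_ip, acl_dst_port = real
    else:
        acl_dst_ip, acl_dst_port = pkt.dst_ip, pkt.dst_port

    # Step 2: the ACL is evaluated on the (un)translated destination.
    if not acl_permits(acl, pkt.src_ip, acl_dst_ip, acl_dst_port):
        return ("deny", f"no ACE matches {acl_dst_ip}:{acl_dst_port}")

    if real is None:
        return ("permit", pkt)  # no NAT entry: forwarded unchanged
    # Step 3: rewrite the IP header with the real destination.
    return ("permit", replace(pkt, dst_ip=real[0], dst_port=real[1]))


if __name__ == "__main__":
    # Constructed sample: an internet client hitting the published address.
    client = Packet("203.0.113.5", 40000, "9.9.9.9", 5443)
    print(inbound(client, ACL_REAL))          # permit, rewritten to 10.1.1.1:443
    print(inbound(client, ACL_MAPPED))        # deny: ACL never sees 9.9.9.9 post-8.3
    print(inbound(client, ACL_MAPPED, acl_uses_real=False))  # permit in 8.2 semantics
```

The second call is the practical point: on 8.3 and later an ACE written against 9.9.9.9:5443 can never match inbound traffic, because by the time the ACL runs the destination has already been untranslated to 10.1.1.1:443. That is why the question's ACL references the real address, and why an ACL that carries both a private and a public permit for the same service (as described in the question) contains one entry that is dead weight.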