Thursday, April 20, 2017

Static inside NAT On Cisco ASA

Static inside NAT creates a permanent, fixed translation between a local (real) address and a global (mapped) address. Because the translation is part of the configuration it survives reboots, and it has no idle timer, so it never expires.

Because a static translation is always active, hosts on less secure networks can initiate connections to the statically translated local hosts, as long as the access list rules on the ASA permit that traffic.

Recall that the following pieces of information are required every time you want to configure NAT on a Cisco ASA:
  • original source IP address (and port) in the packet
  • interface where the original packet enters the ASA (ingress interface)
  • interface where the packet will exit the ASA (egress interface)
  • translated address (and, optionally, port) to insert into the packet

Tuesday, April 18, 2017

Cisco objects group Vs simple access-list

Let's use a configuration example to illustrate the difference between an "object group" and a "simple ACL" configuration. In this example, the "simple access-list" form is used first and the "object group" form afterwards. At the end of this post, we will clarify the difference.

Task:

The example is about restricting several hosts on the inside network, with the respective IP addresses 10.1.1.4, 10.1.1.78 and 10.1.1.89, from accessing several web servers (209.165.201.29, 209.165.201.16 and 209.165.201.78). All other traffic is allowed.
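As an added example (not configuration from either post), here is the static inside NAT from the first post, with its four required pieces of information, followed by the restriction task above written first as a simple ACL and then with object groups, in ASA 8.3+ syntax. The inside server 10.1.1.10 and its mapped address 209.165.201.20, the interface names inside/outside, and all object and ACL names are assumptions.

```cisco
! --- Static inside NAT (first post). Constructed addresses. ---
! The four pieces of information the post lists:
!   original source address : 10.1.1.10 (real address of an inside web server, assumed)
!   ingress interface       : inside
!   egress interface        : outside
!   translated address      : 209.165.201.20 (mapped address on the outside, assumed)
object network INSIDE-WEB
 host 10.1.1.10
 nat (inside,outside) static 209.165.201.20
!
! The static translation alone does not admit outside hosts; an inbound ACL must
! permit them. On ASA 8.3+ the ACL matches the REAL (untranslated) address.
access-list OUTSIDE-IN extended permit tcp any object INSIDE-WEB eq www
access-group OUTSIDE-IN in interface outside
!
! --- Restriction task (second post), written two ways ---
! 1) Simple ACL: one ACE per host/server pair, 3 hosts x 3 servers = 9 deny lines.
access-list INSIDE-IN extended deny ip host 10.1.1.4  host 209.165.201.29
access-list INSIDE-IN extended deny ip host 10.1.1.4  host 209.165.201.16
access-list INSIDE-IN extended deny ip host 10.1.1.4  host 209.165.201.78
access-list INSIDE-IN extended deny ip host 10.1.1.78 host 209.165.201.29
access-list INSIDE-IN extended deny ip host 10.1.1.78 host 209.165.201.16
access-list INSIDE-IN extended deny ip host 10.1.1.78 host 209.165.201.78
access-list INSIDE-IN extended deny ip host 10.1.1.89 host 209.165.201.29
access-list INSIDE-IN extended deny ip host 10.1.1.89 host 209.165.201.16
access-list INSIDE-IN extended deny ip host 10.1.1.89 host 209.165.201.78
access-list INSIDE-IN extended permit ip any any
!
! 2) Object groups: declare each set once; a single ACE then covers every pair,
!    and adding a fourth host or server means editing the group, not the ACL.
object-group network BLOCKED-HOSTS
 network-object host 10.1.1.4
 network-object host 10.1.1.78
 network-object host 10.1.1.89
object-group network BLOCKED-WEB-SERVERS
 network-object host 209.165.201.29
 network-object host 209.165.201.16
 network-object host 209.165.201.78
access-list INSIDE-IN-OG extended deny ip object-group BLOCKED-HOSTS object-group BLOCKED-WEB-SERVERS
access-list INSIDE-IN-OG extended permit ip any any
!
! Only one ACL can be bound per interface and direction, so apply one of the two.
access-group INSIDE-IN-OG in interface inside
```

`show access-list INSIDE-IN-OG` expands the object-group ACE into its individual host pairs with hit counts, which is the quickest way to confirm the two forms match the same traffic.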