Feb 8, 2013

NAT Exemption for intra-interface traffic

Both sites A and B have IPsec L2L tunnels to HQ ASA. Remote users send traffic to the Web through the VPN tunnels and also communicate with each other.

HQ ASA has dynamic PAT rules to translate traffic coming from remote sites using the outside interface IP address before routing the traffic to the Web. It is also configured to allow intra-interface traffic:

nat (outside) 1 10.2.2.0 255.255.255.0
nat (outside) 1 10.3.3.0 255.255.255.0
nat (inside) 1 0 0
global (outside) 1 interface
same-security-traffic permit intra-interface

For traffic coming from a higher security level interface to a lower one (outbound traffic), you don't need to create a rule to exempt returning traffic from NAT:

Source: 172.16.1.0/24 (inside)
Destination: 10.2.2.0/24 (outside)

access-list inside-nonat permit ip 172.16.1.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 0 access-list inside-nonat

However, if source and destination are routed through the same interface, you need to create two ACEs, otherwise returning traffic would match the PAT rule:
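As an added illustration that is not part of the original post, the following Python model encodes the rule precedence the post relies on (a "nat 0 access-list" exemption is consulted before dynamic PAT) for packets entering the outside interface, and shows why a single ACE is not enough for the intra-interface case: with only 10.2.2.0/24 to 10.3.3.0/24 exempted, the returning packet from site B matches "nat (outside) 1 10.3.3.0" and is PATed to the interface address, whereas a second, reversed ACE exempts it. The outside-interface address and the web-server address are constructed documentation values, and the model deliberately ignores the connection/xlate table, evaluating every packet as if it were the first of its flow.

```python
import ipaddress
from dataclasses import dataclass

# Constructed values: the HQ ASA outside-interface address and a public web server.
# Neither appears in the original post; both are RFC 5737 documentation addresses.
OUTSIDE_IF_IP = "203.0.113.1"
WEB_SERVER = "198.51.100.7"


@dataclass
class ExemptAce:
    """One ACE of a 'nat (ifc) 0 access-list <acl>' NAT exemption ACL."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


@dataclass
class DynamicPat:
    """'nat (ifc) 1 <net> <mask>' paired with 'global (outside) 1 interface'."""
    net: ipaddress.IPv4Network
    translated_ip: str


@dataclass
class NatPolicy:
    """Rules consulted for packets entering one interface, in ASA 8.2 precedence:
    NAT exemption is matched before dynamic NAT/PAT."""
    exempt: list
    dynamic: list


def nat_lookup(policy: NatPolicy, src_ip: str, dst_ip: str) -> tuple:
    """Return (action, translated_source) for a packet with the given endpoints."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in policy.exempt:          # exemption ACEs are checked first, in order
        if s in ace.src and d in ace.dst:
            return ("exempt", src_ip)
    for rule in policy.dynamic:        # then dynamic PAT, keyed on the source network only
        if s in rule.net:
            return ("pat", rule.translated_ip)
    return ("none", src_ip)            # no rule matched: forwarded untranslated


SITE_A = ipaddress.ip_network("10.2.2.0/24")
SITE_B = ipaddress.ip_network("10.3.3.0/24")

# The two 'nat (outside) 1 ...' lines from the post, both served by
# 'global (outside) 1 interface'.
OUTSIDE_PAT = [DynamicPat(SITE_A, OUTSIDE_IF_IP), DynamicPat(SITE_B, OUTSIDE_IF_IP)]

# Exemption ACL with a single ACE (A -> B only) versus the assumed two-ACE
# version (A -> B and B -> A) that the post says is required.
ONE_ACE = NatPolicy(exempt=[ExemptAce(SITE_A, SITE_B)], dynamic=OUTSIDE_PAT)
TWO_ACES = NatPolicy(
    exempt=[ExemptAce(SITE_A, SITE_B), ExemptAce(SITE_B, SITE_A)],
    dynamic=OUTSIDE_PAT,
)


def site_to_site(policy: NatPolicy) -> dict:
    """Evaluate the forward and returning packets of one site-A-to-site-B flow
    through the outside interface, plus a site-A packet bound for the web as a control."""
    return {
        "forward": nat_lookup(policy, "10.2.2.10", "10.3.3.20"),
        "return": nat_lookup(policy, "10.3.3.20", "10.2.2.10"),
        "to_web": nat_lookup(policy, "10.2.2.10", WEB_SERVER),
    }


if __name__ == "__main__":
    for name, policy in (("one ACE", ONE_ACE), ("two ACEs", TWO_ACES)):
        print(name, site_to_site(policy))
```

Running it prints the forward packet as exempt under both policies, the returning packet as PATed to the interface address under the one-ACE policy and exempt under the two-ACE policy, and the web-bound packet as PATed in both cases, which is exactly the behaviour the post's "nat (outside) 1" lines are there to provide.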

Feb 6, 2013

Multi-context FWSM ACL partition
When you convert a FWSM from single to multiple mode (security contexts), the system creates pools of resources (aka partitions). These pools limit the number of rules (ACEs, AAA rules, Policy NAT, and others) that can be created on each context. The FWSM uses 12 partitions by default (maximum value) and each context is assigned to its own partition, unless you have more than twelve contexts. In this case, the system will assign more than one context to each partition, sharing resources between them.