I have an Access Rule and a NAT rule that work fine on the Security Appliance Software Version 8.0.
The rule is as follows:
However, I am having trouble making the same rule work on an ASA running on the Security Appliance Software Version 8.4.
I know that the configuration has changed. I think I am just supposed to create a network object for ath-security and define my access and NAT rules at the same time, but I haven't configured anything on an ASA in years and have gotten a little in over my head.
I have it setup as follows:
What am I doing wrong here?
The CORP-OUTSIDE and NM-OUTSIDE are supposed to be different; these are two different ASAs. The XXXX-OUTSIDE is a network object for the outside IP address of each device. CORP-OUTSIDE is on the ASA with the 8.0 software, NM-OUTSIDE is on the ASA with the 8.4 software.
show running-config returns the following on ASA with 8.0 software:
static (inside,outside) tcp interface www LVMSecurity www netmask 255.255.255.255
show running-config returns the following on the ASA with the 8.3 software:
object network AthertonSecurity-2.123
 nat (inside,outside) static interface service tcp www www
Using the ASDM Packet Trace tool, I get the following error on the 8.3 ASA:
Info: (sp-security-failed) Slowpath security checks failed
Answer
Figured this out, posting what I believe is the answer:
The problem was with the ACL within the Access Rules settings.
It seems in the 8.3 software the Destination Criteria, Destination: should no longer be the 'outside interface' but the Network Object destination itself.
It seems Cisco switched the configuration from being what seems backwards, to the correct way?
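To make the change in the answer concrete, here is an added side-by-side of the two configuration styles. This is example configuration written for this post, not the author's running config: the object name AthertonSecurity-2.123 and the access-list name outside_access_in are taken from the post, while the inside host address 192.0.2.123 (TEST-NET) and the source address used in packet-tracer are constructed placeholders.

```cisco
! ---- Pre-8.3 (8.0) style ----
! The static translates the outside interface address to the inside host,
! and the inbound ACL is written against the *translated* (mapped) address,
! which for a port-forward is the outside interface itself.
static (inside,outside) tcp interface www LVMSecurity www netmask 255.255.255.255
access-list outside_access_in extended permit tcp any interface outside eq www
access-group outside_access_in in interface outside

! ---- 8.3 and later style ----
! NAT is attached to the network object. Access rules on 8.3+ are evaluated
! against the *real* (untranslated) address, so the ACL destination must be
! the object for the inside host, not the outside interface.
object network AthertonSecurity-2.123
 host 192.0.2.123                                  ! placeholder inside host
 nat (inside,outside) static interface service tcp www www
access-list outside_access_in extended permit tcp any object AthertonSecurity-2.123 eq www
access-group outside_access_in in interface outside

! ---- Verification ----
! Confirm the translation is installed and being hit:
show nat detail
! Simulate an inbound HTTP connection from a constructed Internet address
! (203.0.113.10) to the outside interface address; the trace should show the
! NAT untranslate to 192.0.2.123, then an ACCESS-LIST phase that permits, and
! end with "Action: allow" instead of the slowpath security-check failure.
packet-tracer input outside tcp 203.0.113.10 12345 <outside-interface-ip> 80 detailed
```

The single line that differs between the two ACLs is the destination: `interface outside` on 8.0 versus `object AthertonSecurity-2.123` on 8.3+. Keep `access-group` applied inbound on the outside interface in both cases; if the trace still fails, check the ACCESS-LIST and NAT phases of the `packet-tracer` output first, since they name the exact rule that dropped the packet.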