Cisco ASA for Nexus 1000V Series Switch Installation Guide
Cisco ASA 5500 Migration to Version 8.3
OL-22176-01
Real IP Addresses in Access List Migration
When using NAT or PAT, mapped addresses and ports are no longer required in an access list for several
features. You should now always use the real, untranslated addresses and ports for these features. Using
the real address and port means that if the NAT configuration changes, you do not need to change the
access lists.
Features That Use Real IP Addresses
The following commands and features now use real IP addresses in the access lists. All of the access-list
commands used for these features are automatically migrated unless otherwise noted. For access lists
that use network object groups (the object-group network command), the IP addresses within the object
group are migrated to the real IP addresses.
• access-group command
• Modular Policy Framework match access-list command
• Botnet Traffic Filter dynamic-filter enable classify-list command
• AAA aaa ... match commands
• WCCP wccp redirect-list group-list command
Note
The WCCP wccp redirect-list group-list command is not automatically migrated. The
WCCP access list is downloaded after startup, so automatic migration cannot occur. You
need to manually change the wccp redirect-list group-list command to use an access list
with the real IP address.
For example, formerly if you wanted to allow an outside host to access an inside host that used NAT, you
applied an inbound access list on the outside interface using the access-group command. In this
scenario, you needed to specify the mapped address of the inside host in the access list because that
address was the address that could be used on the outside network. Starting in 8.3, you need to specify the
real address in the access list.
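The following post-migration check is an added example, not part of the Cisco guide: it reads static object NAT mappings from an 8.3-style configuration and reports access-list entries that still name a mapped address, the condition the WCCP note and the outside-to-inside example above describe. The object names, ACL names and addresses are constructed sample values, and the parser assumes host objects with static object NAT and literal host addresses in the ACEs (no object groups or subnets).

```python
import re

# Constructed 8.3-style configuration; names and addresses are sample values.
SAMPLE_CONFIG = """\
object network INSIDE_WEB
 host 10.1.1.5
 nat (inside,outside) static 209.165.201.5
object network INSIDE_APP
 host 10.1.1.6
 nat (inside,outside) static 209.165.201.6
access-list OUTSIDE_IN extended permit tcp any host 10.1.1.5 eq www
access-list WCCP_REDIRECT extended permit tcp any host 209.165.201.6 eq www
access-group OUTSIDE_IN in interface outside
wccp web-cache redirect-list WCCP_REDIRECT
"""

def static_nat_map(config):
    """Return {mapped_ip: real_ip} for host objects that carry static object NAT."""
    mapping, real = {}, None
    for line in config.splitlines():
        if not line.startswith(" "):      # a top-level command ends the object block
            real = None
        elif m := re.fullmatch(r" host (\S+)", line):
            real = m.group(1)
        elif real and (m := re.match(r" nat \(\S+\) static (\d+(?:\.\d+){3})\b", line)):
            mapping[m.group(1)] = real
    return mapping

def aces_using_mapped(config):
    """Return [(acl, mapped_ip, real_ip)] for ACEs that still name a mapped address."""
    mapping = static_nat_map(config)
    findings = []
    for line in config.splitlines():
        tokens = line.split()
        if len(tokens) > 2 and tokens[0] == "access-list":
            findings += [(tokens[1], t, mapping[t]) for t in tokens[2:] if t in mapping]
    return findings

if __name__ == "__main__":
    for acl, mapped, real in aces_using_mapped(SAMPLE_CONFIG):
        print(f"{acl}: references mapped {mapped}; real address is {real}")
```

Each finding is a candidate for review: confirm that the access list is used by one of the features listed above before replacing the mapped address with the real one.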
ASDM
Real IP addresses are now used in the following features instead of mapped addresses:
• Access Rules
• AAA Rules
• Service Policy Rules
• Botnet Traffic Filter classification
• WCCP redirection