ASA order of operations / ACL rules

Started by Dieselboy, November 12, 2021, 12:22:48 AM


Dieselboy

In the ASA we have a NAT like:
10.1.1.1:443 -> 9.9.9.9:5443

Meaning that the public IP and port to access the private IP through the ASA is via 9.9.9.9

However in the ACL we permit like:

Allow any public source to -> 10.1.1.1:443

So I thought about it for a bit and took it that the order of operations means the ACL is evaluated post-NAT.

But the documentation I found regarding order of operations states the ACL is evaluated before NAT, which makes sense from a security point of view.

So I'm confused: how is the private / real IP being evaluated in the ACL (not the public IP)?

Seems someone was confused when they made config changes to the ASA, because it has both private and public allow rules in there and it threw me off 🙃. I had planned to explain using order of operations, but that didn't help, so I thought to ask here.

icecream-guy

Remember the 8.2 -> 8.3 NAT changes. That changed the order of operations; you may be looking at the 8.2 order of operations (plenty of outdated resources on the internet). I had to open a TAC case to figure out the post-8.3 order of operations. This is what they sent me.

Hope this helps

:professorcat:

My Moral Fibers have been cut.

Dieselboy

Thanks :)

So, the NAT is checked before the ACL, and then the ACL is matched on post-NAT (e.g. private IP and NATted layer 4).

What's the 2nd NAT "NAT IP Header"?
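To make the ordering question concrete, here is a small added model (not part of the thread, and not Cisco's own code or algorithm) of an inbound packet passing through an ASA with the static NAT and ACL Dieselboy described. It evaluates the same packet under both orderings: un-NAT before the ACL, as in the post-8.3 slide icecream-guy got from TAC, and ACL before un-NAT, the ordering from the documentation Dieselboy found. The client address, the ACL semantics (first match, implicit deny) and the function names are assumptions made for the example.

```python
"""Toy model of ASA order of operations: static NAT with port translation
plus an inbound ACL, evaluated in both orderings discussed in the thread.
This is an illustrative model, not Cisco's implementation."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class StaticNat:
    """Static NAT with port translation: real_ip:real_port <-> mapped_ip:mapped_port."""
    real_ip: str
    real_port: int
    mapped_ip: str
    mapped_port: int


@dataclass(frozen=True)
class AclEntry:
    """One extended ACE: permit/deny from a source network to a destination host:port."""
    action: str   # "permit" or "deny"
    src: str      # source network in CIDR notation
    dst_ip: str
    dst_port: int


def untranslate(pkt: Packet, nats: list[StaticNat]) -> Packet:
    """Inbound un-NAT: rewrite the public (mapped) destination back to the real host."""
    for n in nats:
        if pkt.dst_ip == n.mapped_ip and pkt.dst_port == n.mapped_port:
            return Packet(pkt.src_ip, pkt.src_port, n.real_ip, n.real_port)
    return pkt  # no matching NAT entry: destination left unchanged


def acl_lookup(pkt: Packet, acl: list[AclEntry]) -> str:
    """First-match ACL evaluation with the implicit deny at the end (assumed semantics)."""
    for ace in acl:
        if (ip_address(pkt.src_ip) in ip_network(ace.src)
                and pkt.dst_ip == ace.dst_ip
                and pkt.dst_port == ace.dst_port):
            return ace.action
    return "deny"


def process_inbound(pkt: Packet, nats: list[StaticNat], acl: list[AclEntry],
                    nat_before_acl: bool = True) -> tuple[str, Packet]:
    """Return (verdict, packet as it would leave the ASA) under the chosen ordering."""
    if nat_before_acl:
        # Post-8.3 ordering from the thread: un-NAT first, then the ACL
        # sees the real (private) destination address and port.
        real = untranslate(pkt, nats)
        return acl_lookup(real, acl), real
    # Ordering from the older documentation: the ACL sees the packet as it
    # arrived on the outside interface, i.e. the public address and port.
    verdict = acl_lookup(pkt, acl)
    return verdict, untranslate(pkt, nats)


# Constructed configuration matching the thread's description.
NATS = [StaticNat("10.1.1.1", 443, "9.9.9.9", 5443)]
ACL = [AclEntry("permit", "0.0.0.0/0", "10.1.1.1", 443)]  # "allow any public source -> 10.1.1.1:443"

# Constructed client packet arriving on the outside interface (203.0.113.7 is a documentation address).
INBOUND = Packet("203.0.113.7", 51000, "9.9.9.9", 5443)


if __name__ == "__main__":
    for order in (True, False):
        verdict, out = process_inbound(INBOUND, NATS, ACL, nat_before_acl=order)
        label = "un-NAT then ACL" if order else "ACL then un-NAT"
        print(f"{label:16s}: {verdict:6s} -> {out.dst_ip}:{out.dst_port}")
```

Run as-is, the model permits the flow only under "un-NAT then ACL": with the ACL written against 10.1.1.1:443, evaluating it first would see 9.9.9.9:5443 and fall through to the implicit deny. That is exactly why an ACL that references the real address can only work if the NAT lookup precedes it, which is the resolution Dieselboy arrives at in this post.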

Otanx

I think that is where it actually modifies the header if needed before sending the packet. If you go to the Cisco Live website you can set up a free account and watch old presentations. The slide icecream-guy posted is from BRKSEC-3020. They may explain it more during the presentation.

-Otanx