09-10-2010 02:30 PM
I have two Cisco ASA 5510 devices terminating multiple site to site VPNs. I am trying to create a new nat0 rule on the outside interface which will allow traffic to pass from one VPN to the other. When I try to add a specific group object to a different object group it causes the device to reboot and fail over. I also tried to create a whole new object group and use that in a separate NO_NAT acl but I get the same result. Has anyone else experienced this?
The device is running version 8.2(1) with ASDM 6.2(3)
Hardware: ASA5510, 256 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash AT49LW080 @ 0xffe00000, 1024KB
09-10-2010 03:27 PM
Sounds like a very ugly bug.
You say the ASA reboots, it doesn't hang.
I'll try to get away from 8.2(1) to 8.2(2) and see if the problem persists.
Federico.
09-13-2010 07:58 AM
I researched the problem further and discovered that two specific objects I was trying to add to the object groups were giving me this problem. Could it be the configuration of these specific object groups that is causing this issue, and if so what should I look for?
09-13-2010 08:11 AM
I imagine that it might be related to the specific consequences of having those objects added to the configuration but I can't think of an object that would cause that...
Can you share the relevant part of your configuration with the objects that you were adding and perhaps we can figure why this is happening.
Federico.
09-13-2010 08:19 AM
Hello,
Do you have these object groups as part of any access-lists? Can you reproduce the issue? If yes, can you try to remove the corresponding access-list line and then change the object-group and see if that makes any difference? It could be related to a software defect but we need to identify the exact root cause before determining the bug ID.
Regards,
NT
09-13-2010 08:45 AM
ACL = access-list NO_NAT_SITE-TO-SITE extended permit ip object-group Acme_Global_NO_NAT object-group Acme_Global_NO_NAT
Group I am trying to add to:
object-group network Acme_Global_NO_NAT
network-object xx.0.0.0 255.0.0.0
network-object xxx.16.0.0 255.240.0.0
network-object xxx.168.0.0 255.255.0.0
network-object xx.45.18.32 255.255.255.224
network-object xx.45.115.32 255.255.255.224
network-object xx.45.18.0 255.255.255.224
network-object xx.45.112.224 255.255.255.224
network-object xxx.177.196.128 255.255.255.192
network-object host xxx.177.196.241
network-object xxx.40.49.0 255.255.255.0
network-object xxx.40.50.0 255.255.254.0
network-object xxx.40.53.0 255.255.255.0
network-object xxx.40.54.0 255.255.255.0
network-object xxx.40.55.0 255.255.255.0
network-object xxx.40.56.0 255.255.248.0
Group Object I am trying to add:
object-group network AcmeCom
network-object xxx.189.35.128 255.255.255.192
I also have the same problem with these two objects
ACL = access-list NO_NAT_SITE-TO-SITE extended permit ip object-group Acme_Remote_Asia object-group AcmeCom
object-group network Acme_Remote_Asia
group-object Acme_Singapore
group-object Acme_Taiwan
group-object Acme_Malaysia
group-object Acme_India
group-object Acme_Hong_Kong_2
group-object Acme_Hong_Kong_1
group-object Acme_Thailand
group-object Acme_China_1
group-object Acme_New_Zealand
object-group network Acme_China_2
description xx.180.30.128/27_Office
network-object xx.180.30.128 255.255.255.224
Message was edited by: Lloyd Tobias
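The question asked earlier in the thread (which access-lists reference these object-groups, and through them which nat statements) is tedious to answer by hand once groups nest other groups. The script below is an added example, not code from the original post or from Cisco: it parses ASA 8.2-style `object-group network`, `access-list` and `nat (if) 0 access-list` lines, flattens nested `group-object` entries, lists every ACL and NAT-exemption line that depends on a given group, and counts how many ACEs an ACL expands to. The embedded config is constructed to mirror the posted one, with RFC 5737 documentation addresses in place of the masked networks, and the function and group names are assumptions for the illustration.

```python
import ipaddress
import re

# Constructed sample config in the shape of the one posted above. The
# addresses are RFC 5737 documentation ranges, not the poster's networks.
SAMPLE_CONFIG = """\
object-group network AcmeCom
 network-object 203.0.113.128 255.255.255.192
object-group network Acme_Singapore
 network-object 198.51.100.0 255.255.255.0
object-group network Acme_Taiwan
 network-object host 198.51.100.241
object-group network Acme_Remote_Asia
 group-object Acme_Singapore
 group-object Acme_Taiwan
object-group network Acme_Global_NO_NAT
 description constructed_example
 network-object 192.0.2.0 255.255.255.0
 group-object AcmeCom
access-list NO_NAT_SITE-TO-SITE extended permit ip object-group Acme_Global_NO_NAT object-group Acme_Global_NO_NAT
access-list NO_NAT_SITE-TO-SITE extended permit ip object-group Acme_Remote_Asia object-group AcmeCom
access-list VPN_ASIA extended permit ip object-group Acme_Singapore object-group AcmeCom
nat (outside) 0 access-list NO_NAT_SITE-TO-SITE
"""


def parse_object_groups(config):
    """Return {group: {"nets": [IPv4Network], "groups": [nested group]}}.

    Only 'object-group network' blocks are parsed; 'description' and other
    sub-commands inside a block are ignored."""
    groups = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"object-group network (\S+)", line)
        if m:
            current = m.group(1)
            groups[current] = {"nets": [], "groups": []}
            continue
        if current is None or not line.startswith(" "):
            current = None  # left the block
            continue
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "network-object":
            if parts[1] == "host":
                groups[current]["nets"].append(ipaddress.ip_network(parts[2]))
            else:  # "network-object <net> <mask>"
                groups[current]["nets"].append(ipaddress.ip_network(f"{parts[1]}/{parts[2]}"))
        elif parts[0] == "group-object":
            groups[current]["groups"].append(parts[1])
    return groups


def expand(groups, name, seen=None):
    """Flatten nested group-objects into the set of networks, refusing loops."""
    seen = seen or set()
    if name in seen:
        raise ValueError(f"object-group nesting loop at {name}")
    seen = seen | {name}
    nets = set(groups[name]["nets"])
    for child in groups[name]["groups"]:
        nets |= expand(groups, child, seen)
    return nets


def containing_groups(groups, name):
    """Every object-group that includes `name` directly or through nesting."""
    parents = set()
    frontier = [name]
    while frontier:
        g = frontier.pop()
        for parent, body in groups.items():
            if g in body["groups"] and parent not in parents:
                parents.add(parent)
                frontier.append(parent)
    return parents


def references(config, name):
    """ACL lines using `name` (or a group nesting it) and the nat lines bound to those ACLs.

    This is what turns an object-group edit into a NAT-exemption change:
    the nat 0 statement does not name the group, only the ACL does."""
    groups = parse_object_groups(config)
    names = {name} | containing_groups(groups, name)
    acl_lines, acl_names = [], set()
    for line in config.splitlines():
        toks = line.split()
        if len(toks) < 2 or toks[0] != "access-list":
            continue
        used = {toks[i + 1] for i in range(len(toks) - 1) if toks[i] == "object-group"}
        if used & names:
            acl_lines.append(line)
            acl_names.add(toks[1])
    nat_lines = [
        line for line in config.splitlines()
        if (m := re.match(r"nat \(\S+\) \d+ access-list (\S+)", line)) and m.group(1) in acl_names
    ]
    return {"acls": acl_lines, "nat": nat_lines}


def expanded_ace_count(config, acl):
    """Number of ACEs `acl` expands to: product of the flattened group sizes per line."""
    groups = parse_object_groups(config)
    total = 0
    for line in config.splitlines():
        toks = line.split()
        if len(toks) < 2 or toks[0] != "access-list" or toks[1] != acl:
            continue
        count = 1
        for i, t in enumerate(toks[:-1]):
            if t == "object-group" and toks[i + 1] in groups:
                count *= len(expand(groups, toks[i + 1]))
        total += count
    return total


if __name__ == "__main__":
    for group in ("AcmeCom", "Acme_Taiwan"):
        print(group, references(SAMPLE_CONFIG, group))
    print("NO_NAT_SITE-TO-SITE ACEs:", expanded_ace_count(SAMPLE_CONFIG, "NO_NAT_SITE-TO-SITE"))
```

Run it against a `show running-config` capture to see, before touching a group, which NAT-exemption ACLs will be rewritten and how large they become; a `permit ip object-group X object-group X` line grows quadratically with the entries in X, which is worth knowing on a 256 MB ASA 5510.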
09-13-2010 02:17 PM
The problem is when you add those IPs (in the object-group).
Is that object-group being referenced by a NAT command or ACL somewhere?
Are the IPs that you're adding to the object-group part of the router itself (represents an IP from the router)?
Federico.
09-13-2010 02:23 PM
No, they are both related to remote networks connected through VPN, so they are related to NAT rules once they are added to the individual groups.