Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
560
Views
0
Helpful
2
Replies

Problem with NAT statements disappearing on 5540 8.4(3)

mat_rouch
Level 1
Level 1

‎04-13-2012 02:21 PM - edited ‎03-11-2019 03:53 PM

Unusual problem with as ASA5540 running 8.4(3).  There are several NAT statements defined.  Some of them are of the format:

"nat (<interface>,any) source static <network-or-group1> <network-or-group1> destination static <network-or-group2> <network-or-group2>"

and

"nat (<interface>,any) source static <network-or-group1> <network-or-group1>"

Nat exemptions, basically.  A few days ago we moved the failover interface from management0/0 to one of the then-unused gigabitethernet ports.  The change went fine, but afterwards all the nat statements of the above format (i.e. with the destination interface set to "any") had disappeared from the configuration.  all other NAT statements remained intact.  No other problems were in evidence.

The source interfaces of the affected nat statements varied. 

Neither of the interfaces involved in the failover interface change had NAT statements applied to them at the time the changes were made.

Why would changing the failover interface selectively cause nats with destination interface set to "any" to disappear?

-Mathew Rouch

Labels:
0 Helpful
2 Replies 2

Julio Carvajal
VIP Alumni
VIP Alumni

‎04-13-2012 03:11 PM

Hello Mathew,

Let me start saying the "ANY" keyword on a nat statement is the worst command you can put on a NAT, I know that when you do the upgrade this will hapen automatically almost all of the time, but you should change it as soon as you have it on the right version. This because you will experience a lot of ARP issues as the Nat will take place on ANY interface and that is not the purpose of NAT.

Now why this changed after you changed the failover interface, hmmm I would say this happend due to the fact that the any keyword was being used by all the interfaces ( except the managment) now after you change the failover interface the ASA will recognize the gigabit ethernet as the failover interface and will know that the interface will not be used for any nat so the " ANY' went away and as there is no " any except gigabit x/x( failover one) the command dissapeard.

Remember if you have any "any" keyword on a nat, please remove it before it is too late.

Regards,

Do rate all the helpful posts

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful

mat_rouch
Level 1
Level 1
In response to Julio Carvajal

‎04-16-2012 08:22 AM

okay, so presumably to remove the "any" we'd need a nat statement for each destination interface, so the equivalent statements to

"nat (,any) source static destination static "

would be

"nat (,) source static destination static "

"nat (,) source static destination static "

... etc.  Correct?

-Mat

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card