11-04-2013 10:26 AM - edited 03-11-2019 08:00 PM
The ASA ran an upgrade of the config. I ended up with a few things I am not understanding.
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network obj_any-01
 subnet 0.0.0.0 0.0.0.0
object network obj-0.0.0.0
 host 0.0.0.0
object network obj_any-02
 subnet 0.0.0.0 0.0.0.0
object network obj_any-03
 subnet 0.0.0.0 0.0.0.0
object network obj_any-04
 subnet 0.0.0.0 0.0.0.0
object network obj_any-05
 subnet 0.0.0.0 0.0.0.0
object network obj_any-06
 subnet 0.0.0.0 0.0.0.0
object network obj_any-01
 nat (inside,outside) dynamic obj-0.0.0.0
object network obj_any-02
 nat (inside,dmz) dynamic obj-0.0.0.0
object network obj_any-03
 nat (inside,dmz1) dynamic obj-0.0.0.0
object network obj_any-04
 nat (dmz,outside) dynamic obj-0.0.0.0
object network obj_any-05
 nat (dmz1,outside) dynamic obj-0.0.0.0
object network obj_any-06
 nat (dmz1,dmz) dynamic obj-0.0.0.0
What does this all mean?
Thank you
11-04-2013 10:36 AM
That means that you just realized what probably every admin who upgraded the ASA realized before ... The automatic upgrade function (at least for the config migration <8.3 --> >=8.3) nearly always generates a non-usable config.
If your NAT-config is not too complex you should start over and build all NAT rules from scratch.
For your particular question: Have you removed the "nat-control" command before upgrading? If I remember right I also had a similar config when I forgot to remove that command before going to 8.3/8.4.
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
11-04-2013 12:52 PM
Unfortunately I did not do the upgrade. Since I had never done an upgrade before we brought in a consultant. I do believe nat-control was left in the config.
Is it safe to remove these lines of config? I can't figure out what they are for.
The ASA is working without issue but I don’t like to have unnecessary config if not needed.
I have this in place.
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network obj_any
 nat (inside,outside) dynamic external IP
11-04-2013 02:33 PM
I assume that these nat-statements can be removed, but that is dependent on the rest of the NAT-config. What they do is NAT exemption for all traffic that has no dedicated NAT-rule. Normally you don't need them as NAT exemption is configured in NAT-section 1 (manual NAT before the object-NAT).
11-04-2013 07:23 PM
Well, I don't think that you should remove the NAT commands in place; these are PATs that translate the networks behind the first named interface to the second named interface, to the IP that is associated with the interface.
On disk0 you should have a backup configuration, but if you don't have it there then what I would suggest is posting the complete configuration from before and after the upgrade. Either way, if you remove any NAT command and something breaks, you will know that something is wrong.
11-05-2013 02:01 AM
I just thought again about the meaning of this rule and remembered what it did:
The translation is to a host address of 0.0.0.0/32 which in fact is invalid (it does not translate to the interface address). It enforces the behaviour of "nat-control" after the migration. If no other rule matches the traffic, then this rule is used and drops the traffic because no translation can be built (you can't translate to the address 0.0.0.0).
If these lines are in the config after the migration, then every traffic through the ASA needs a dedicated NAT-rule as it was in the old PIX days. There it was meant as a secondary access-control mechanism, but that's quite outdated nowadays where the ASA often sits in internal networks where no NAT is needed.
So my recommendation is:
Remove these lines, but at the same time make sure that your config doesn't depend on this dropping to restrict the traffic. When you remove these lines, only allowed traffic should have permit statements in the Access-Lists.
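The post above describes a pattern that is easy to check for mechanically: an object network whose only member is `host 0.0.0.0`, referenced by object-NAT rules as the mapped address, is the migration tool's emulation of nat-control. The script below is an added example, not code from the thread or from Cisco. It parses a running-config excerpt, flags every object-NAT rule that maps to a 0.0.0.0 host object, emits the removal commands, and, following the recommendation to make sure the ACLs (not the failing NAT lookup) are what restrict traffic, warns for every source interface that has no inbound access-group. The sample config is constructed from the objects the poster listed plus an assumed `access-group ... in interface inside` line; the `no nat ...` / `no object network ...` syntax is the object-NAT form used in the thread and should be verified on the target ASA version. The script only understands section-2 object NAT, not manual (twice) NAT.

```python
"""Locate ASA 8.3+ object-NAT rules that emulate pre-8.3 'nat-control'
(dynamic NAT to a host object 0.0.0.0) and build a cleanup plan.

Added example, not from the forum thread. Sample config is constructed.
"""
import re
from collections import namedtuple

NatRule = namedtuple("NatRule", "obj src_if dst_if mapped")

# Constructed sample: objects and nat lines as posted in the thread, plus an
# ASSUMED access-group on 'inside' so the ACL check has something to find.
SAMPLE_CONFIG = """\
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network obj_any-01
 subnet 0.0.0.0 0.0.0.0
object network obj-0.0.0.0
 host 0.0.0.0
object network obj_any-02
 subnet 0.0.0.0 0.0.0.0
object network obj_any-04
 subnet 0.0.0.0 0.0.0.0
object network obj_any-05
 subnet 0.0.0.0 0.0.0.0
object network obj_any-01
 nat (inside,outside) dynamic obj-0.0.0.0
object network obj_any-02
 nat (inside,dmz) dynamic obj-0.0.0.0
object network obj_any-04
 nat (dmz,outside) dynamic obj-0.0.0.0
object network obj_any-05
 nat (dmz1,outside) dynamic obj-0.0.0.0
object network obj_any
 nat (inside,outside) dynamic interface
access-group inside_access_in in interface inside
"""


def parse_config(config):
    """Return (objects, nat_rules, interfaces_with_inbound_acl).

    objects maps each 'object network' name to its sub-command lines.
    ASA lists an object more than once when its nat rule is printed
    separately, so sub-commands are accumulated per name.
    """
    objects, nats, acl_ifaces, current = {}, [], set(), None
    for raw in config.splitlines():
        m = re.match(r"object network (\S+)$", raw)
        if m:
            current = m.group(1)
            objects.setdefault(current, [])
            continue
        m = re.match(r"access-group \S+ in interface (\S+)", raw)
        if m:
            acl_ifaces.add(m.group(1))
            current = None
            continue
        if current and raw.startswith(" "):
            body = raw.strip()
            objects[current].append(body)
            m = re.match(r"nat \((\S+),(\S+)\) dynamic (\S+)", body)
            if m:
                nats.append(NatRule(current, m.group(1), m.group(2), m.group(3)))
        else:
            current = None  # any other top-level line ends the object block
    return objects, nats, acl_ifaces


def find_nat_control_rules(config):
    """Object-NAT rules whose mapped object is exactly 'host 0.0.0.0'."""
    objects, nats, acl_ifaces = parse_config(config)
    null_objs = {name for name, body in objects.items() if "host 0.0.0.0" in body}
    flagged = [r for r in nats if r.mapped in null_objs]
    return flagged, acl_ifaces


def cleanup_plan(config):
    """Commands that remove the flagged rules, plus ACL warnings per source interface."""
    flagged, acl_ifaces = find_nat_control_rules(config)
    commands, warnings = [], []
    for r in flagged:
        commands += [f"object network {r.obj}",
                     f" no nat ({r.src_if},{r.dst_if}) dynamic {r.mapped}"]
        if r.src_if not in acl_ifaces:
            warnings.append(
                f"{r.src_if}: no inbound access-group; once the "
                f"({r.src_if},{r.dst_if}) rule is gone, traffic from {r.src_if} "
                "is no longer dropped by the failing NAT lookup, so apply an ACL first")
    # Every rule referencing the 0.0.0.0 host object is flagged, so the object
    # itself is unused afterwards (check ACLs/other references before running).
    for obj in sorted({r.mapped for r in flagged}):
        commands.append(f"no object network {obj}")
    return commands, warnings


if __name__ == "__main__":
    cmds, warns = cleanup_plan(SAMPLE_CONFIG)
    print("\n".join(cmds))
    for w in warns:
        print("WARNING:", w)
```

Run it against `show running-config` output saved to a file instead of `SAMPLE_CONFIG` and read the warnings before pasting the commands: in the sample, `inside` has an access-group, so its two rules are removed silently, while `dmz` and `dmz1` have none and are reported, which is exactly the case where the migrated rules were doing access control by accident.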
11-05-2013 09:04 AM
Can you get us the configurations that I requested?
11-06-2013 02:56 PM
Do you still need the assistance?
Please rate the assistance.
11-09-2013 09:28 PM
Please rate the assistance.