Problem with NAT statements disappearing on 5540 8.4(3)
NAT exemptions, basically. A few days ago we moved the failover interface from management0/0 to one of the then-unused GigabitEthernet ports. The change went fine, but afterwards all the NAT statements of the above format (i.e. with the destination interface set to "any") had disappeared from the configuration. All other NAT statements remained intact. No other problems were in evidence.
The source interfaces of the affected NAT statements varied.
Neither of the interfaces involved in the failover interface change had NAT statements applied to them at the time the changes were made.
Why would changing the failover interface selectively cause NATs with the destination interface set to "any" to disappear?
Let me start by saying the "ANY" keyword on a NAT statement is the worst command you can put on a NAT. I know that when you do the upgrade this will happen automatically almost all of the time, but you should change it as soon as you have it on the right version. This is because you will experience a lot of ARP issues, as the NAT will take place on ANY interface and that is not the purpose of NAT.
Now, why this changed after you changed the failover interface, hmmm. I would say this happened due to the fact that the "any" keyword was being used by all the interfaces (except the management). Now, after you change the failover interface, the ASA will recognize the GigabitEthernet as the failover interface and will know that the interface will not be used for any NAT, so the "ANY" went away, and as there is no "any except gigabit x/x (the failover one)", the command disappeared.
Remember, if you have any "any" keyword on a NAT, please remove it before it is too late.
Do rate all the helpful posts
Julio Carvajal Senior Network Security and Core Specialist CCIE #42930, 2xCCNP, JNCIP-SEC
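Added example (not from either poster): a small Python audit that flags ASA 8.3+ NAT statements using the "any" interface keyword and reports NAT lines that were present in a saved config but are gone from the current one, which is how the silent disappearance described above can be caught. The config text, object names and interface names are constructed placeholders.

```python
import re
from typing import List, Tuple

# ASA 8.3+ twice-NAT syntax: "nat (src_if,dst_if) source ..." where either
# interface may be the keyword "any". The third group keeps the rest verbatim.
NAT_RE = re.compile(r"^\s*nat\s+\(([\w/.-]+),([\w/.-]+)\)\s+(.*)$")

def parse_nat_lines(config: str) -> List[Tuple[str, str, str]]:
    """Return (src_if, dst_if, rest) for every NAT statement in a config dump."""
    found = []
    for line in config.splitlines():
        m = NAT_RE.match(line)
        if m:
            found.append((m.group(1), m.group(2), m.group(3).strip()))
    return found

def nat_with_any_interface(config: str) -> List[str]:
    """NAT statements where either interface is 'any' (the form warned about in the thread)."""
    return [f"nat ({s},{d}) {r}" for s, d, r in parse_nat_lines(config) if "any" in (s, d)]

def missing_nat_after_change(before: str, after: str) -> List[str]:
    """NAT statements present in the pre-change config but absent afterwards, in original order."""
    still_present = set(parse_nat_lines(after))
    return [f"nat ({s},{d}) {r}" for s, d, r in parse_nat_lines(before) if (s, d, r) not in still_present]

# Constructed sample configs (hypothetical objects and interfaces, not from the original post).
BEFORE = """\
object network LAN
 subnet 10.1.0.0 255.255.0.0
nat (inside,any) source static LAN LAN destination static VPN-NET VPN-NET no-proxy-arp route-lookup
nat (dmz,any) source static DMZ-SRV DMZ-SRV destination static VPN-NET VPN-NET
nat (inside,outside) source dynamic LAN interface
nat (dmz,outside) source static DMZ-SRV DMZ-SRV-PUB
"""
AFTER = """\
object network LAN
 subnet 10.1.0.0 255.255.0.0
nat (inside,outside) source dynamic LAN interface
nat (dmz,outside) source static DMZ-SRV DMZ-SRV-PUB
"""

if __name__ == "__main__":
    for line in nat_with_any_interface(BEFORE):
        print("uses 'any' interface:", line)
    for line in missing_nat_after_change(BEFORE, AFTER):
        print("missing after change:", line)
```

Run it against "show running-config" captures taken before and after a failover or interface change; any line reported as missing should be re-added with explicit interfaces rather than "any".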