[c-nsp] ASA 8.4 NAT weirdness...

Jeff Kell jeff-kell at utc.edu
Sun Feb 17 11:36:22 EST 2013

OK, now have ASA up on 8.4 software, and boy is it ever weird :)

We do NAT extensively (all 1918 addressing inside).  For public-facing
servers, primarily web servers, we made a habit of translating them into
a public /24 network (say x.y.z.*).  The "firewall" attributes for this
were to simply permit http and https for x.y.z.*/24 inbound on the
outside interface, and the rest took care of itself.

Along comes 8.4... and it "includes" NAT with the network object
definitions... and the "migration" effort did this:

* Put all the static NATs back into the inside object definition,
* Generated a "permit http" and a "permit https" for EVERY SINGLE SERVER
we had in the subnet

Our configuration increased by an order of magnitude :(  And it doesn't
appear that explicitly adding the original permit into the list even
works (it sits in the configuration above the generated individuals, but
doesn't get any hits, they fall through to the generated mess).

This is the most bizarre "update" I've ever seen :(
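Editor's note on the behaviour described above, with an added configuration example that is not the poster's config: from ASA 8.3 onward, access lists applied to an interface match on the real (untranslated) address of a host, not on its mapped address. A pre-8.3 permit written against the public x.y.z.0/24 block therefore never matches after the migration, which is why the migration tool emits one "permit" per server using each server's inside address. The original /24 rule sits above them in the configuration and collects no hits because the packets it is compared against now carry the inside address. The example below shows the pre-8.3 form alongside an equivalent 8.4 form that keeps a single pair of rules by grouping the servers' real addresses. All object names, the inside 10.1.1.0/24 addresses, the interface names and the x.y.z.* public block are assumed placeholders.

```cisco
! --- Pre-8.3 style (assumed example; addresses are placeholders) ---
! ACLs matched on the MAPPED (public) address, so one /24 permit covered every server.
static (inside,outside) x.y.z.10 10.1.1.10 netmask 255.255.255.255
static (inside,outside) x.y.z.11 10.1.1.11 netmask 255.255.255.255
access-list outside_in extended permit tcp any x.y.z.0 255.255.255.0 eq www
access-list outside_in extended permit tcp any x.y.z.0 255.255.255.0 eq https
access-group outside_in in interface outside

! --- 8.3/8.4 style (assumed example; addresses are placeholders) ---
! NAT lives inside the network object; the ACL must reference the REAL (inside) address.
object network web10
 host 10.1.1.10
 nat (inside,outside) static x.y.z.10
object network web11
 host 10.1.1.11
 nat (inside,outside) static x.y.z.11

! Group the real addresses so the policy stays two rules instead of two per server.
object-group network WEB_SERVERS_REAL
 network-object object web10
 network-object object web11
object-group service WEB_PORTS tcp
 port-object eq www
 port-object eq https

! Only the grouped servers on only the web ports are reachable from outside.
access-list outside_in extended permit tcp any object-group WEB_SERVERS_REAL object-group WEB_PORTS
access-group outside_in in interface outside
```

To confirm which entries are actually matching after a migration, compare the hit counts in `show access-list outside_in`; a rule written against the mapped x.y.z.0/24 block will show zero hits on 8.3+ while the entries referencing the real addresses accumulate them. Adding new servers then means adding a host to the object group rather than appending further access-list entries.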


