[c-nsp] ASA 8.4 NAT weirdness...

Ryan West rwest at zyedge.com
Sun Feb 17 12:19:05 EST 2013


On Sun, Feb 17, 2013 at 16:36:22, Jeff Kell wrote:
> Subject: [c-nsp] ASA 8.4 NAT weirdness...
> 
> OK, now have ASA up on 8.4 software, and boy is it ever weird :)
> 
> We do NAT extensively (all 1918 addressing inside).  For public-facing 
> servers, primarily web servers, we made a habit of translating them 
> into a public /24 network (say x.y.z.*).  The "firewall" attributes 
> for this was to simply permit http and https for x.y.z.*/24 inbound on 
> the outside interface, and the rest took care of itself.
> 
> Along comes 8.4... and it "includes" NAT with the network object 
> definitions... and the "migration" effort did this:
> 
> * Put all the static NATs back into the inside object definition,
> * Generated a "permit http" and a "permit https" for EVERY SINGLE 
> SERVER we had in the subnet
> 
> Our configuration increased by an order of magnitude :(  And it 
> doesn't appear that explicitly adding the original permit into the 
> list even works (it sits in the configuration above the generated 
> individuals, but doesn't get any hits, they fall through to the generated mess).
> 

If you were running policy based NAT, you can reuse your original rules, but you'll need to use twice NAT and object groups to accomplish that.  As for the ACL mess, you should note that switching to 8.3+ NAT, you need to reference the internal address of the server in your outside ACL.  Try switching those object groups around or referencing the internal address and you'll start to see the hits again.

-ryan
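The ACL change Ryan describes, as an added example that is not part of either post: on ASA 8.3+ the access list on the outside interface is evaluated against the real (inside) address because NAT is applied before the ACL lookup, so a single rule written against a network object-group of real addresses replaces the per-server entries the migration generated. The addresses, object names and interface names below are constructed for illustration (10.1.1.0/24 inside, 203.0.113.0/24 as the public range), not taken from the original configuration.

```cisco
! --- Object NAT: one network object per server, static translation attached ---
object network WEB1-REAL
 host 10.1.1.10
 nat (inside,outside) static 203.0.113.10
object network WEB2-REAL
 host 10.1.1.11
 nat (inside,outside) static 203.0.113.11

! --- Group the REAL addresses, not the mapped ones ---
object-group network WEB-SERVERS-REAL
 network-object object WEB1-REAL
 network-object object WEB2-REAL

object-group service WEB-PORTS tcp
 port-object eq http
 port-object eq https

! Pre-8.3 style rule against the mapped /24. On 8.3+ this gets zero hits
! because the packet carries the real destination by the time the ACL runs:
! access-list OUTSIDE_IN extended permit tcp any 203.0.113.0 255.255.255.0 object-group WEB-PORTS

! 8.3+ style: one rule, real addresses, applied inbound on outside
access-list OUTSIDE_IN extended permit tcp any object-group WEB-SERVERS-REAL object-group WEB-PORTS
access-group OUTSIDE_IN in interface outside

! --- Alternative for a whole-subnet policy NAT: manual (twice) NAT, net-to-net ---
object network INSIDE-WEB-NET
 subnet 10.1.1.0 255.255.255.0
object network PUBLIC-WEB-NET
 subnet 203.0.113.0 255.255.255.0
nat (inside,outside) source static INSIDE-WEB-NET PUBLIC-WEB-NET

! --- Verification (constructed source address): trace an inbound packet as it
! arrives on the wire, i.e. with the MAPPED destination, and confirm the
! NAT phase un-translates it and the ACL phase then matches OUTSIDE_IN ---
! packet-tracer input outside tcp 198.51.100.5 40000 203.0.113.10 80
! show access-list OUTSIDE_IN
```

The packet-tracer output is the quickest way to confirm which rule is being hit: the NAT phase should show the destination rewritten to 10.1.1.10 before the ACCESS-LIST phase reports a match on the consolidated rule, and `show access-list` should then show the hitcnt climbing on that single line rather than on the migration-generated per-host entries.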


