topic It gives that result when the in Network Security

ASA route clean up

johnlloyd_13 — Tue, 12 Mar 2019 09:41:45 GMT

hi,

i need to do some ASA clean which includes ACL, NAT and objects.

i've been searching around and noticed these are the common ASA config clean up items.

i'm not sure if ASA has a way of checking 'active' routes (usually static). my question, is there a way to check via CLI or ASDM?

can this be considered a 'best practice' for an ASA config clean up?

i've installed Solarwinds' FSM and trying to play around with it. any advice on this tool? or can someone give his view/recommendation?

can someone able to share his/her experience when doing an ASA clean up? any best practice or recommendations? links?

I've used FSM once or twice

Marvin Rhoads — Thu, 13 Jul 2017 08:48:07 GMT

I've used FSM once or twice years back even before SolarWinds acquired it (used to be called FirePac) from Athena. I liked it but now i see SolarWinds is discontinuing it. 😞

Lately I use the tunnelsup.com tools for ACL and object cleanup.

Static routes are hard to identify as actively used or not as they depend on whether or not there is traffic presented in the data plane that ever needs them. I suppose one could go to the next hop and see if the downstream network is still reachable.

hi marvin,

johnlloyd_13 — Thu, 13 Jul 2017 09:02:35 GMT

hi marvin,

i tried to use tunnelsup.com cleanup tool but only shows me 'no items found to cleanup.'

anything i miss?

Results

! No items found to cleanup.
! Analyzed 221 lines of code.

It gives that result when the

Marvin Rhoads — Thu, 13 Jul 2017 09:11:38 GMT

It gives that result when the config is already clean (no unused objects or ACLs).

You can put a dummy object into the pasted config if you want to verify the tool catches it.

yes, you're right. i pasted a

johnlloyd_13 — Fri, 14 Jul 2017 01:30:56 GMT

yes, you're right. i pasted a 'clean' config.

i tried to put a dummy config and gave me this result.

looks like this might be a handy tool.

Results

! Unused object found; suggest removing it
no object network INSIDE-SUBNET
! Analyzed 2 lines of code.

hi marvin,

johnlloyd_13 — Wed, 19 Jul 2017 03:33:24 GMT

hi marvin,

could you advise how to determine if NAT are unused? they should NOT appear show xlate right?

i could see some NAT translation but idle time is VERY LONG.

flags sIT idle 414:12:19 timeout 0:00:00

i also checked static NAT displayed on show xlate but didn't appear in show conn or show local-host output. which output should i refer or follow in order to remove static NAT config?

Unused NAT can be very

Marvin Rhoads — Wed, 19 Jul 2017 04:08:49 GMT

Unused NAT can be very challenging as it requires more of a business/technical discussion with the customer vs. straight analysis of the configuration.

For instance, consider a VM that is only powered on during certain conditions but when it is up it requires a static NAT. You will not see any output for it from the show commands you mentioned unless it is active. So one might think it is OK to remove. But if next week it is powered up, the firewall will cause the business process to break.

You might get some clues from internal DNS if the host address is unknown and currently not reachable. Also, internal routing or site-site VPN crypto map definitions may highlight NAT rules that point to non-existent subnets or no longer active locations.

it's challenging indeed!

johnlloyd_13 — Wed, 19 Jul 2017 04:40:23 GMT

it's challenging indeed!

i'll just run through it and consult with customer/stakeholders if they still need the NAT line.