topic nat command removed after acl statement entered in Network Security

nat command removed after acl statement entered

Steve Coady — Tue, 12 Mar 2019 07:01:41 GMT

Hello

I was implementing an acl statement as follows: access-list NAT_EXEMPTION extended permit tcp host 10.x.x.x object-group NameSRC eq ####

and error came back immediately whic showed that:

ASA(config)# nat (inside) 0 access-list NAT_EXEMPTION
ERROR: access-list has protocol or port

The command, nat (inside) 0 access-list NAT_EXEMPTION, was then auto removed from the config.

The access-list statements for the NAT_EXEMPTION were untouched.

I put the rule back in. At this same time the ASA seemed to be overloaded with processing

ASA# sh processes cpu-usage sorted
PC Thread 5Sec 1Min 5Min Process
081a86c4 1c5afa08 52.8% 54.4% 66.1% Dispatch Unit

How did this error impact processing on the ASA?

What version of IOS are you

Rolando Valenzuela — Thu, 10 Dec 2015 20:56:58 GMT

What version of IOS are you running, the nonat changed if you are above 8.3

check this URL:

https://www.fir3net.com/Firewalls/Cisco/cisco-asa-83-no-nat-nat-exemption.html

Rolando Valenzuela

we are on 825

Steve Coady — Thu, 10 Dec 2015 20:59:32 GMT

we are on 825

Hello

Steve Coady — Mon, 14 Dec 2015 17:21:59 GMT

Hello

Can anyone advise on any possible adverse issue that would have been caused by this.

Hi Steve,

yfournad — Thu, 17 Dec 2015 10:15:01 GMT

Hi Steve,

NAT exemption does not take any ports into consideration. That's why you should not include protocols and ports into the ACL.

"Do not specify the real and destination ports in the access list; NAT exemption does not consider the ports. NAT exemption considers the inactive and time-range keywords, but it does not support ACL with all inactive and time-range ACEs."

More details you could see below:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/nat_bypassing.html

Regarding the CPU load you mentioned about - I do not think it is because of the NAT rule.

Dispatch Unit process in most of the cases is directly connected to the traffic processing (packet forwarding) tasks.

So, when you have a similar situation you could check "sh traffic" in order to see the amount of the traffic being forwarded at this moment and to corelate it to the forwarding capacity of the device.

Best regards!

Hi Steve,

Akshay Rastogi — Thu, 17 Dec 2015 15:15:43 GMT

Hi Steve,

There is a defect related to this nat exempt addressing this issue:

https://tools.cisco.com/bugsearch/bug/CSCub53800/?reffering_site=dumpcr

Dispatch unit is related to traversing traffic. Adding access-list would have increase 'tmatch' process. Also if you notice, 5 minute average is 66.1%. That means, it might be having this much process from some time ago.

As mentioned by yfournad, 'show traffic' would give you the details on how much traffic received and transmitted through asa during different intervals.

Hope it helps.

Regards,

Akshay Rastogi

Remember to rate helpful posts.

There is a defect related to

Akshay Rastogi — Thu, 17 Dec 2015 15:16:52 GMT

There is a defect related to this nat exempt addressing this issue:

https://tools.cisco.com/bugsearch/bug/CSCub53800/?reffering_site=dumpcr

As mentioned, 'show traffic' would give you the details on how much traffic received and transmitted through asa during different intervals.

Hope it helps.

Regards,

Akshay Rastogi

Remember to rate helpful posts.