topic Re: Invalid input detected at marker when issuing NAT command in Network Security

Invalid input detected at marker when issuing NAT command

bcsconsulting — Fri, 21 Feb 2020 15:17:26 GMT

So whether i try to issue a NAT command in the CLI, or even using the startup wizard to setup PAT, i get an error every time. Then i try to just create new NAT entries and have the same problem. If i leave source and destination as any, the command works, unfortunately (of course), that does not allow any traffic to pass through. this is preplexing to me as I have a ton of these in production and i have always set them up the same. I thought it was the BVI1, but I took that out and tried just using the inside_1 interface, still no joy.

It does seem to have something to do with the bridge though as that seems to be the only difference from other ASAs I have. But why out of the box would Cisco send me something that can't be programmed, even using the startup wizard? Let alone getting into the more intricate commands?

I will say I can make the firewall work for normal traffic, but cannot create NAT entries to setup public servers, so I am stuck. Any help appreciated.

Re: Invalid input detected at marker when issuing NAT command

Francesco Molino — Mon, 05 Feb 2018 04:10:09 GMT

Hi

Can you share the output of "show nameif"?

It looks like the nat statement doesn't like your inside interface.

Re: Invalid input detected at marker when issuing NAT command

Karsten Iwen — Mon, 05 Feb 2018 09:16:44 GMT

All your NAT statements (and also commands like ssh and http) have to reference the individual interfaces and not the name on the BVI. I have no idea why it's implemented that way, but we have to deal with it.

Re: Invalid input detected at marker when issuing NAT command

Francesco Molino — Mon, 05 Feb 2018 13:04:19 GMT

Karsten is right. I didn't pay attention that you're using BVI.
You're not able to do nat on BVI interfaces.

Re: Invalid input detected at marker when issuing NAT command

bcsconsulting — Mon, 05 Feb 2018 15:43:04 GMT

Hello,

Yes, here is the output:

Result of the command: "show nameif"

Interface Name Security
GigabitEthernet1/1 outside 0
GigabitEthernet1/2 inside_1 100
GigabitEthernet1/3 inside_2 100
GigabitEthernet1/4 inside_3 100
GigabitEthernet1/5 inside_4 100
GigabitEthernet1/6 inside_5 100
GigabitEthernet1/7 inside_6 100
GigabitEthernet1/8 inside_7 100
BVI1 inside 100

Re: Invalid input detected at marker when issuing NAT command

Francesco Molino — Mon, 05 Feb 2018 15:46:00 GMT

This confirms that you're using BVI and nat isn't supported on BVI

Re: Invalid input detected at marker when issuing NAT command

bcsconsulting — Mon, 05 Feb 2018 15:50:27 GMT

OK, I had removed interface GigabitEthernet1/2 from the bridge, but did not delete the bridge entirely. is that the issue then?

Thanks!

Re: Invalid input detected at marker when issuing NAT command

Francesco Molino — Mon, 05 Feb 2018 16:31:28 GMT

While in transparent, the idea is to do nat (inside, outside) but need to use the real name you put on the interface.
Don't forget to add the correct routes to allow ASA to reach the destination if not in same subnet.
Here some references:
https://www.cisco.com/c/en/us/td/docs/security/asa/asa97/configuration/firewall/asa-97-firewall-config/nat-reference.html#ID-2091-0000034e
https://www.ndtrainings.com/2016/11/07/transparent-asa-nat-deep-dive/

Re: Invalid input detected at marker when issuing NAT command

Karsten Iwen — Mon, 05 Feb 2018 17:01:39 GMT

I don't think he is in transparent mode. It's very likely just routed with BVIs.

Re: Invalid input detected at marker when issuing NAT command

Francesco Molino — Mon, 05 Feb 2018 17:06:42 GMT

Ok, let's ask!

Are you routed or transparent?

Re: Invalid input detected at marker when issuing NAT command

bcsconsulting — Mon, 05 Feb 2018 19:27:22 GMT

I was assuming i was using it in transparent mode by using the bridge group.

I have completely deleted the group now and changed the nameif to inside on gigabitethernet1/2

However i don't see why it would not work using the bridge group since that is essentially the same as the older ASAs using Vlan1 and bridging all the ports.

maybe i put the bridge back, but remove all of the nameif commands on the physical interfaces. As long as i can assign different static ip addresses and setup NAT entries, i don't really care, but it makes no sense to kill the other 6 ports for no reason

Re: Invalid input detected at marker when issuing NAT command

Karsten Iwen — Mon, 05 Feb 2018 19:41:26 GMT

Using bridge-groups doesn‘t mean you are running transparent firewall mode. And no, the VLAN-Concept is completely different to bridge-groups. That‘s the reason that the configuration is different.

Re: Invalid input detected at marker when issuing NAT command

Francesco Molino — Mon, 05 Feb 2018 20:43:37 GMT

Karsten is right. Using bvi didn't mean you're in transparent mode. My bad I didn't asked it before.
You can use other ports for other zone or you can also make a port-channel if needed

Re: Invalid input detected at marker when issuing NAT command

bcsconsulting — Wed, 07 Feb 2018 21:32:27 GMT

I ended up getting rid of the BVI and naming the 1/2 interface "inside". It is the only inside interface i am using.

I then removed the nameif commands on all of the other inside interfaces.

This was the easiest solution for me since it allowed nat commands to be issued in the manner i am more used to.

Thanks Franceso and Karsten for helping to point me in the right direction

Re: Invalid input detected at marker when issuing NAT command

Francesco Molino — Thu, 08 Feb 2018 00:09:39 GMT

you're welcome