asa 8.3 object network two different places in config

maltuna
Level 1
Level 1

Ok, so I've spent a few months now with 8.3...(and just upgraded one box to 8.41 and it's still this way) and for what I do and the devices I configure, I don't really notice much difference.  So maybe that's why I'm struggling with this sooooo much.

Why, oh why, do you do this to configure an auto nat:

asa(config)# object network server10
asa(config-network-object)# host 10.10.10.10
asa(config-network-object)# nat (outside,inside) static 1.1.1.1 dns
asa(config)# object network server11
asa(config-network-object)# host 10.10.10.11
asa(config-network-object)# nat (outside,inside) static 1.1.1.2 dns

And yet, when you do a "show object" you get:

asa(config-network-object)# show run object
object network server10
 host 10.10.10.10
object network server11
 host 10.10.10.11

Where is the rest of the info????  Where is the "nat (outside,inside) static 1.1.1.1 dns"  that I entered under the exact same sub-config mode?

Oh, to get that, you have to type something different:

asa(config-network-object)# show run nat
nat (inside,outside) source static net-inside net-inside destination static net-10 net-10
!
object network server10
 nat (inside,outside) static 1.1.1.1
object network server11
 nat (inside,outside) static 1.1.1.2

???

And it's even worse in "show run"...

network object server10
(half your info here)
(other object-group types used in access-lists)
(access-list stuff)
(pager lines)
(logging commands)
(mtu stuff)
(ip local pools)
(failover commands)
(icmp commands)
(asdm stuff)
(arp commands)
(nat commands shown in "part 2")
network object server10
(other half of your info here)

I guess I must be missing some functionality or something... but I don't understand why you would configure the same exact subconfig object name, but have it show up (with still the exact same subconfig object name) in two different places in the config, and require two different show commands to see both "halves" of the information?

One of the reasons I love command line is it's so much faster and so much less convoluted than a gui... but things like this take it closer to the frustration level of a gui.  Why can't I just do this?

asa(config-network-object)# sh ru o n
object network server10
 host 10.10.10.10
 nat (inside,outside) static 1.1.1.1
object network server11
 host 10.10.10.11
 nat (inside,outside) static 1.1.1.2

Because when I'm in a strange new ASA trying to see what's static NAT'd to what, this would be so much easier/simpler than having to type two commands and worse, trying to look in two places that are not consecutive for information about a given object, especially when you have large numbers of objects. 

If there is an actual good reason why they had to break this up (there probably is, I hope), I'd love to hear it so I can stop being so frustrated with this change.  Or better yet, is there a show command that will give me the output I want (everything from the "two halves" in one place, mixed together properly by object name)?

Thanks!


2 Replies

I agree with you.

This is the explanation I find on Cisco:

You cannot view the NAT configuration using the show running-config object command. You cannot reference objects or object groups that have not yet been created in nat commands. To avoid forward or circular references in show command output, the show running-config command shows the object command two times: first, where the IP address(es) are defined; and later, where the nat command is defined. This command output guarantees that objects are defined first, then object groups, and finally NAT.

http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/nat_objects.html

I agree there should be a better way to do this without having duplicated output, and if I'm not mistaken there's a request Cisco is working on to fix this (but I was hoping it was in 8.4 and that's not fixed yet).

Federico.
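Since the ASA prints the address half and the NAT half of each object in two places (as the question shows and the quoted Cisco explanation confirms), the two show outputs can be stitched back together offline. The script below is an added example, not from the thread or from Cisco: it takes the text of "show run object" and "show run nat" (constructed samples modelled on the thread, with the one-space indentation real ASA output uses for sub-config lines, which the parser relies on) and rebuilds the per-object view the original poster asked for.

```python
import re

# Constructed sample output modelled on the thread's two show commands;
# real ASA output indents sub-config lines by one space (assumed here).
SHOW_RUN_OBJECT = """\
object network server10
 host 10.10.10.10
object network server11
 host 10.10.10.11
"""
SHOW_RUN_NAT = """\
nat (inside,outside) source static net-inside net-inside destination static net-10 net-10
!
object network server10
 nat (inside,outside) static 1.1.1.1
object network server11
 nat (inside,outside) static 1.1.1.2
"""
OBJECT_RE = re.compile(r"^object network (\S+)\s*$")


def parse_objects(text):
    """Return {name: [sub-config lines]} per 'object network' stanza; unindented
    lines such as twice-NAT rules or '!' close the current stanza and are skipped."""
    objects, current = {}, None
    for line in text.splitlines():
        m = OBJECT_RE.match(line)
        if m:
            current = m.group(1)
            objects.setdefault(current, [])
        elif current is not None and line.startswith(" "):
            objects[current].append(line.strip())
        else:
            current = None
    return objects


def merge_halves(object_text, nat_text):
    """Join address and NAT lines per object, keeping 'show run object' order and
    appending any object that only appears in the NAT half."""
    addrs, nats = parse_objects(object_text), parse_objects(nat_text)
    names = list(addrs) + [n for n in nats if n not in addrs]
    return {n: addrs.get(n, []) + nats.get(n, []) for n in names}


def render(merged):
    """Text in the single-place layout the question wished 'sh ru o n' produced."""
    out = []
    for name, lines in merged.items():
        out.append(f"object network {name}")
        out.extend(f" {l}" for l in lines)
    return "\n".join(out)
```

Feeding it a full "show run" instead of the two separate outputs also works, because the parser only collects indented lines that follow an "object network" header, so the unrelated stanzas in between are dropped.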

Well, I guess that explains it... although it's still a pain to work with.  But at least now I know why.  I can't believe I didn't read that as I was reading about the NAT changes when it first came out.  Bleh.

Anyways, thanks for pointing me to the right place in the docs!!
