cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

2044
Views
0
Helpful
9
Replies
networklal
Beginner

ASDM 6.4(5) somehow deletes existing nat entries on ASA 8.4(4)1 model 5550

I recently did the following configuration changes on my ASA through ASDM. The changes were the following:

Added a new service policy to the ASA inside interface to do some traffic policing. Also put the global policy rules in the inside policy.

The bold part below is exactly how the global policy looks.

New Configuration:

     access-list inside_mpc line 1 extended permit ip object Guest.Wireless any

      access-list inside_mpc line 2 extended permit ip object any Guest.Wireless  

      class-map inside-class

        match access-list inside_mpc

      class-map inside-inspection-default

        match default-inspection-traffic

      policy-map inside-policy

        class inside-class

          police input 3145500 1500 conform-action transmit exceed-action drop

          police output 3145500 1500 conform-action transmit exceed-action drop

       class inside-inspection-default

          inspect dns preset_dns_map

          inspect ftp

          inspect h323 h225

          inspect h323 ras

          inspect icmp

          inspect ip-options

          inspect netbios

          inspect rsh

          inspect rtsp

          inspect sip

          inspect skinny

          inspect sqlnet

          inspect sunrpc

          inspect tftp

          inspect xdmcp

        class DCE-RPC-CM

          inspect dcerpc DCE-RPC-MAP

      service-policy inside-policy interface inside

After this was done strangely all the major services hosted on the Internet were down. When checked we found that random(and unluckily the major ones) nat entries were missign from the configuration.

We did a restore of the ASA running configuration backup taken before the above change was done. Strangely again the nat entries were ommited.

But when I checked the backup file myself all the nat entries were present.

Strange..... Then I had to manually restore all the nat rules via CLI.

Help much appreciated.

Regards

9 REPLIES 9
networklal
Beginner

In the above  I would like to add that the restore too was done using ASDM.

Hello,

So some of the NAT statements for that interface disappear but not all of the nat related to the inside interface?? Can you remember that??

The configuration you add it definetly does not affect the NAT setup on an ASA so it is pretty interesting this ticket..

By any chance you have accounting enabled on your ASA or some logs at the time of the changes?

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Jcarvaja,

Thanks for your interest.

Actually most of the nat statements removed included general nat statements, nat object rule both static and dynamic having nothing to do with the inside interface at all. lines removed were independent of the inside interface.

Again as i said lines removed were random.

Apart from Nat a few other statements removed

anyconnect image disk0:/anyconnect-linux-3.1.01065-k9.pkg 1

anyconnect image disk0:/anyconnect-win-3.0.2052-k9.pkg 3

Unfortunately accounting not enabled. Logs during that period only include the general traffic logs with some denys due to missing nat statements.

Regards,

Hi,

Have you enabled the "Preview commands before sending them to the device" option on the ASDM Preferences? If not, I suggest using this feature.

It shows all the commands ASDM is about to send to the actual device so you can still cancel it and possibly avoid a problem if you have mistakenly configured something that the ASDM doesnt clearly indicate.

In this case it would also be possible to use this method to do all the changes leading to the removal of configurations and see what the ASDM is actually going to send to the device. You should see if the ASDM is about to remove some configurations. But to be honest this seems like some other problem.

Again, the path to set the command preview is

  • Tools
  • Preferences
  • Enable the checkbox of "Preview commands before sending them to the device"

- Jouni

Hi Jouniforss,

Thanks for the reply. I already have this feature enabled. That is how I posted the commands sent by ASDM in my 1st post.

      access-list inside_mpc line 1 extended permit ip object Guest.Wireless any

      access-list inside_mpc line 2 extended permit ip object any Guest.Wireless  

      class-map inside-class

        match access-list inside_mpc

      class-map inside-inspection-default

        match default-inspection-traffic

      policy-map inside-policy

        class inside-class

          police input 3145500 1500 conform-action transmit exceed-action drop

          police output 3145500 1500 conform-action transmit exceed-action drop

       class inside-inspection-default

          inspect dns preset_dns_map

          inspect ftp

          inspect h323 h225

          inspect h323 ras

          inspect icmp

          inspect ip-options

          inspect netbios

          inspect rsh

          inspect rtsp

          inspect sip

          inspect skinny

          inspect sqlnet

          inspect sunrpc

          inspect tftp

          inspect xdmcp

        class DCE-RPC-CM

          inspect dcerpc DCE-RPC-MAP

      service-policy inside-policy interface inside

Regards

Found the following from cisco website http://www.cisco.com/en/US/products/ps6121/products_tech_note09186a0080aaeff5.shtml#prblm14

Problem: ASA network objects get deleted when using ASDM version 6.4.5

While editing an existing network object using ASDM version 6.4.5, the object disappears from the list of all objects when you click OK.

Solution

Downgrade to ASDM version 6.2.4 in order to resolve this issue.

We are also having ASDM version 6.4.5.

The issue mentioned here is not exactly what happened in our case, but  could be an extension of the issue I faced.

_______________________________________________________________           

For the part of restoring running-config via ASDM I found an open bug in cisco:

CSCud09203 - ASDM running-config restore not working with REPLACE option

However the missing commands issue was there even before replacing the running-config via ASDM.

Any help highly appreciated

Ah ok,

Then according to the ASDM itself no commands were sent to the device that would remove some configurations.

Getting even more strange then

Is the software you are using some software that you have installed to fix some other bug? Or is that type of marking of version normal? I mean the "1" at the end of "8.4(4)1"

To my understanding the numbers are

  • Major.Minor(Maintanance)

But I have no idea what the last number is. I once had to upgrade to 8.4(1)9 on an ASA 5585-X because of a Active FTP bug. Could there be some other bug in play here?

Sadly this is just speculation from my part.

- Jouni

Hi Jouni,

Thanks for the reply. I am really not sure about the significance of the last digit. But we upgraded the ASA some time back from 8.4.(3)8 to 8.4(4)1 to mitigate some security vulnerabilites released by cisco at that time.

Regards

Hello,

If you are thinking about changing the code, try to go to the latest one for the ASDM  7.1

Again the configuration you entered is not related to any nat or object configuration so looks like something else was done to cause this,

Perform the upgrade, monitor it and let us know the result

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
Create
Recognize Your Peers
Content for Community-Ad