Solved: Invalid input detected at marker when issuing NAT command

bcsconsulting · ‎02-04-2018

So whether i try to issue a NAT command in the CLI, or even using the startup wizard to setup PAT, i get an error every time. Then i try to just create new NAT entries and have the same problem. If i leave source and destination as any, the command works, unfortunately (of course), that does not allow any traffic to pass through. this is preplexing to me as I have a ton of these in production and i have always set them up the same. I thought it was the BVI1, but I took that out and tried just using the inside_1 interface, still no joy.

It does seem to have something to do with the bridge though as that seems to be the only difference from other ASAs I have. But why out of the box would Cisco send me something that can't be programmed, even using the startup wizard? Let alone getting into the more intricate commands?

I will say I can make the firewall work for normal traffic, but cannot create NAT entries to setup public servers, so I am stuck. Any help appreciated.

Francesco Molino · ‎02-04-2018

Hi

Can you share the output of "show nameif"?

It looks like the nat statement doesn't like your inside interface.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

View solution in original post

Karsten Iwen · ‎02-05-2018

All your NAT statements (and also commands like ssh and http) have to reference the individual interfaces and not the name on the BVI. I have no idea why it's implemented that way, but we have to deal with it.

View solution in original post

Francesco Molino · ‎02-04-2018

Hi

Can you share the output of "show nameif"?

It looks like the nat statement doesn't like your inside interface.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

bcsconsulting · ‎02-05-2018

Hello,

Yes, here is the output:

Result of the command: "show nameif"

Interface Name Security
GigabitEthernet1/1 outside 0
GigabitEthernet1/2 inside_1 100
GigabitEthernet1/3 inside_2 100
GigabitEthernet1/4 inside_3 100
GigabitEthernet1/5 inside_4 100
GigabitEthernet1/6 inside_5 100
GigabitEthernet1/7 inside_6 100
GigabitEthernet1/8 inside_7 100
BVI1 inside 100

Francesco Molino · ‎02-05-2018

This confirms that you're using BVI and nat isn't supported on BVI

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

bcsconsulting · ‎02-05-2018

OK, I had removed interface GigabitEthernet1/2 from the bridge, but did not delete the bridge entirely. is that the issue then?

Thanks!

Francesco Molino · ‎02-05-2018

While in transparent, the idea is to do nat (inside, outside) but need to use the real name you put on the interface.
Don't forget to add the correct routes to allow ASA to reach the destination if not in same subnet.
Here some references:
https://www.cisco.com/c/en/us/td/docs/security/asa/asa97/configuration/firewall/asa-97-firewall-config/nat-reference.html#ID-2091-0000034e
https://www.ndtrainings.com/2016/11/07/transparent-asa-nat-deep-dive/

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Karsten Iwen · ‎02-05-2018

I don't think he is in transparent mode. It's very likely just routed with BVIs.

Francesco Molino · ‎02-05-2018

Ok, let's ask!

Are you routed or transparent?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

bcsconsulting · ‎02-05-2018

I was assuming i was using it in transparent mode by using the bridge group.

I have completely deleted the group now and changed the nameif to inside on gigabitethernet1/2

However i don't see why it would not work using the bridge group since that is essentially the same as the older ASAs using Vlan1 and bridging all the ports.

maybe i put the bridge back, but remove all of the nameif commands on the physical interfaces. As long as i can assign different static ip addresses and setup NAT entries, i don't really care, but it makes no sense to kill the other 6 ports for no reason

Karsten Iwen · ‎02-05-2018

Using bridge-groups doesn‘t mean you are running transparent firewall mode. And no, the VLAN-Concept is completely different to bridge-groups. That‘s the reason that the configuration is different.

Francesco Molino · ‎02-05-2018

Karsten is right. Using bvi didn't mean you're in transparent mode. My bad I didn't asked it before.
You can use other ports for other zone or you can also make a port-channel if needed

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Karsten Iwen · ‎02-05-2018

All your NAT statements (and also commands like ssh and http) have to reference the individual interfaces and not the name on the BVI. I have no idea why it's implemented that way, but we have to deal with it.

Francesco Molino · ‎02-05-2018

Karsten is right. I didn't pay attention that you're using BVI.
You're not able to do nat on BVI interfaces.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

bcsconsulting · ‎02-07-2018

I ended up getting rid of the BVI and naming the 1/2 interface "inside". It is the only inside interface i am using.

I then removed the nameif commands on all of the other inside interfaces.

This was the easiest solution for me since it allowed nat commands to be issued in the manner i am more used to.

Thanks Franceso and Karsten for helping to point me in the right direction

Francesco Molino · ‎02-07-2018

you're welcome

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question