12-10-2015 11:19 AM - edited 03-12-2019 12:01 AM
Hello
I was implementing an acl statement as follows: access-list NAT_EXEMPTION extended permit tcp host 10.x.x.x object-group NameSRC eq ####
and an error came back immediately which showed that:
ASA(config)# nat (inside) 0 access-list NAT_EXEMPTION
ERROR: access-list has protocol or port
The command, nat (inside) 0 access-list NAT_EXEMPTION, was then auto removed from the config.
The access-list statements for the NAT_EXEMPTION were untouched.
I put the rule back in. At this same time the ASA seemed to be overloaded with processing:
ASA# sh processes cpu-usage sorted
PC Thread 5Sec 1Min 5Min Process
081a86c4 1c5afa08 52.8% 54.4% 66.1% Dispatch Unit
How did this error impact processing on the ASA?
12-10-2015 12:56 PM
What version of IOS are you running, the nonat changed if you are above 8.3
check this URL:
https://www.fir3net.com/Firewalls/Cisco/cisco-asa-83-no-nat-nat-exemption.html
Rolando Valenzuela
12-10-2015 12:59 PM
we are on 825
12-14-2015 09:21 AM
Hello
Can anyone advise on any possible adverse issue that would have been caused by this?
12-17-2015 07:16 AM
There is a defect related to this nat exempt addressing this issue:
https://tools.cisco.com/bugsearch/bug/CSCub53800/?reffering_site=dumpcr
Dispatch unit is related to traversing traffic. Adding an access-list would have increased the 'tmatch' process. Also, if you notice, the 5 minute average is 66.1%. That means it might have been having this much processing since some time ago.
As mentioned, 'show traffic' would give you the details on how much traffic received and transmitted through asa during different intervals.
Hope it helps.
Regards,
Akshay Rastogi
Remember to rate helpful posts.
12-17-2015 02:15 AM
Hi Steve,
NAT exemption does not take any ports into consideration. That's why you should not include protocols and ports into the ACL.
"Do not specify the real and destination ports in the access list; NAT exemption does not consider the ports. NAT exemption considers the inactive and time-range keywords, but it does not support ACL with all inactive and time-range ACEs."
More details you could see below:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/nat_bypassing.html
Regarding the CPU load you mentioned about - I do not think it is because of the NAT rule.
Dispatch Unit process in most of the cases is directly connected to the traffic processing (packet forwarding) tasks.
So, when you have a similar situation you could check "sh traffic" in order to see the amount of traffic being forwarded at this moment and to correlate it to the forwarding capacity of the device.
Best regards!
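The rule in the quoted documentation (a NAT-exemption ACL must not carry protocols or ports) can be checked before a config is pushed, rather than discovered when the ASA rejects and drops the nat 0 line. The script below is an added example, not part of this thread or of any Cisco tool: it takes a constructed pre-8.3 style configuration (the host address and port from the original post are placeholders here), finds every ACL referenced by a "nat (iface) 0 access-list" line, and reports ACEs in those ACLs that use a protocol other than ip or a port operator. The line format it parses is an assumption based on the commands shown in the thread.

```python
import re

# Constructed sample configuration modelled on the thread. The original post
# redacted the host (10.x.x.x) and port (####); the values here are placeholders.
SAMPLE_CONFIG = """\
access-list NAT_EXEMPTION extended permit tcp host 10.0.0.10 object-group NameSRC eq 443
access-list NAT_EXEMPTION extended permit ip host 10.0.0.11 object-group NameSRC
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.5 eq 80
nat (inside) 0 access-list NAT_EXEMPTION
"""

# Port operators an extended ACE may carry after a host/network specification.
PORT_OPERATORS = {"eq", "neq", "lt", "gt", "range"}

NAT_EXEMPT_RE = re.compile(r"\s*nat\s+\(\S+\)\s+0\s+access-list\s+(\S+)")
ACE_RE = re.compile(r"\s*access-list\s+(\S+)\s+extended\s+(permit|deny)\s+(\S+)\s+(.*)$")


def nat_exempt_acls(config):
    """Return the set of ACL names referenced by 'nat (<iface>) 0 access-list <name>'."""
    names = set()
    for line in config.splitlines():
        m = NAT_EXEMPT_RE.match(line)
        if m:
            names.add(m.group(1))
    return names


def offending_aces(config):
    """Return (line_no, line, reason) for every ACE in a NAT-exemption ACL that
    names a protocol other than ip or uses a port operator. The ASA rejects
    such an ACL for nat 0 with 'ERROR: access-list has protocol or port'."""
    names = nat_exempt_acls(config)
    findings = []
    for no, line in enumerate(config.splitlines(), 1):
        m = ACE_RE.match(line)
        if not m or m.group(1) not in names:
            continue  # not an ACE, or not in an ACL used for NAT exemption
        proto, rest = m.group(3), m.group(4).split()
        reasons = []
        if proto != "ip":
            # Covers tcp/udp/icmp as well as a protocol object-group.
            reasons.append(f"protocol {proto}")
        if any(tok in PORT_OPERATORS for tok in rest):
            reasons.append("port operator")
        if reasons:
            findings.append((no, line, ", ".join(reasons)))
    return findings


if __name__ == "__main__":
    for no, line, reason in offending_aces(SAMPLE_CONFIG):
        print(f"line {no}: {reason}: {line}")
```

Run against the sample, it flags only the first ACE (protocol tcp and a port operator); the second ACE, written with ip and no port, is the form NAT exemption accepts, and the OUTSIDE_IN ACL is ignored because nothing uses it for nat 0.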
12-17-2015 07:15 AM
Hi Steve,
There is a defect related to this nat exempt addressing this issue:
https://tools.cisco.com/bugsearch/bug/CSCub53800/?reffering_site=dumpcr
Dispatch unit is related to traversing traffic. Adding an access-list would have increased the 'tmatch' process. Also, if you notice, the 5 minute average is 66.1%. That means it might have been having this much processing since some time ago.
As mentioned by yfournad, 'show traffic' would give you the details on how much traffic received and transmitted through asa during different intervals.
Hope it helps.
Regards,
Akshay Rastogi
Remember to rate helpful posts.