04-13-2012 02:21 PM - edited 03-11-2019 03:53 PM
Unusual problem with an ASA5540 running 8.4(3). There are several NAT statements defined. Some of them are of the format:
"nat (<interface>,any) source static <network-or-group1> <network-or-group1> destination static <network-or-group2> <network-or-group2>"
and
"nat (<interface>,any) source static <network-or-group1> <network-or-group1>"
NAT exemptions, basically. A few days ago we moved the failover interface from management0/0 to one of the then-unused gigabitethernet ports. The change went fine, but afterwards all the NAT statements of the above format (i.e. with the destination interface set to "any") had disappeared from the configuration. All other NAT statements remained intact. No other problems were in evidence.
The source interfaces of the affected nat statements varied.
Neither of the interfaces involved in the failover interface change had NAT statements applied to them at the time the changes were made.
Why would changing the failover interface selectively cause nats with destination interface set to "any" to disappear?
-Mathew Rouch
04-13-2012 03:11 PM
Hello Mathew,
Let me start by saying the "ANY" keyword on a NAT statement is the worst command you can put on a NAT. I know that when you do the upgrade this will happen automatically almost all of the time, but you should change it as soon as you are on the right version. This is because you will experience a lot of ARP issues, as the NAT will take place on ANY interface, and that is not the purpose of NAT.
Now, why this changed after you changed the failover interface... hmmm, I would say this happened due to the fact that the "any" keyword was being used by all the interfaces (except the management one). Now, after you changed the failover interface, the ASA will recognize the gigabit ethernet as the failover interface and will know that the interface will not be used for any NAT, so the "ANY" went away, and as there is no "any except gigabit x/x (the failover one)", the command disappeared.
Remember, if you have any "any" keyword on a NAT, please remove it before it is too late.
Regards,
Do rate all the helpful posts
Julio
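Julio's advice amounts to an audit item: find every NAT statement whose interface pair still carries the "any" keyword. The script below is an added example (not from this thread or from Cisco) that scans a pasted ASA running-config for twice-NAT and object-NAT lines of the form `nat (a,b) ...` and reports the ones where either side of the pair is `any`. The sample config embedded in it is constructed for illustration; the object and interface names in it are not from the original posts.

```python
"""Audit a Cisco ASA running-config for NAT statements whose interface pair
contains the 'any' keyword (e.g. 'nat (inside,any) source static ...').

Added example for this thread; the sample config below is constructed.
"""
import re

# Captures the interface pair at the start of a NAT statement. Leading
# whitespace is allowed so that object NAT lines, which are indented under
# 'object network ...', are matched as well as global twice-NAT lines.
NAT_RE = re.compile(r'^\s*nat\s+\(\s*([^,\s)]+)\s*,\s*([^\s)]+)\s*\)\s+(.*)$')


def find_any_nats(config_text):
    """Return a list of (line_no, src_if, dst_if, rest) tuples for every NAT
    statement that uses 'any' as its ingress or egress interface."""
    hits = []
    for line_no, line in enumerate(config_text.splitlines(), 1):
        m = NAT_RE.match(line)
        if not m:
            continue
        src_if, dst_if, rest = m.group(1), m.group(2), m.group(3)
        if 'any' in (src_if.lower(), dst_if.lower()):
            hits.append((line_no, src_if, dst_if, rest))
    return hits


# Constructed sample: two twice-NAT lines and one object-NAT line use 'any';
# the last two statements are pinned to a specific egress interface.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
object network LAN
 subnet 10.1.0.0 255.255.0.0
 nat (inside,any) dynamic interface
nat (inside,any) source static LAN LAN destination static VPN-NETS VPN-NETS
nat (dmz,any) source static DMZ-NET DMZ-NET
nat (inside,outside) source static LAN LAN destination static PARTNER PARTNER
nat (inside,outside) source dynamic LAN interface
"""

if __name__ == "__main__":
    for line_no, src_if, dst_if, rest in find_any_nats(SAMPLE_CONFIG):
        print(f"line {line_no}: nat ({src_if},{dst_if}) {rest}")
```

Run it against the output of `show running-config nat` (or the whole config) saved to a file and it lists the lines to revisit; the regex deliberately matches only the interface pair, so object-NAT and twice-NAT statements are both caught without parsing the rest of the syntax.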
04-16-2012 08:22 AM
Okay, so presumably to remove the "any" we'd need a NAT statement for each destination interface, so the equivalent statements to
"nat (
would be
"nat (
"nat (
... etc. Correct?
-Mat