Fishy ASA dynamic NAT behavior after IP address change

From: Alexei Monastyrnyi (alexeim73@gmail.com)
Date: Tue Mar 24 2009 - 17:10:34 ART

• Next message: Larry Letterman (lletterm): "RE: OT:Dumps are already out for open-ended questions!!"
• Previous message: Narbik Kocharians: "Re: Cisco 360 program"
• Next in thread: Uyota Oyearone: "Re: Fishy ASA dynamic NAT behavior after IP address change"
• Maybe reply: Uyota Oyearone: "Re: Fishy ASA dynamic NAT behavior after IP address change"
• Maybe reply: Muhammad Nasim: "Re: Fishy ASA dynamic NAT behavior after IP address change"
• Maybe reply: Tony Schaffran \(GS\): "RE: Fishy ASA dynamic NAT behavior after IP address change"
• Maybe reply: Tony Schaffran \(GS\): "RE: Fishy ASA dynamic NAT behavior after IP address change"
• Maybe reply: Scott M Vermillion: "Re: Fishy ASA dynamic NAT behavior after IP address change"
• Maybe reply: Alexei Monastyrnyi: "Re: Fishy ASA dynamic NAT behavior after IP address change"
• Maybe reply: Farrukh Haroon: "Re: Fishy ASA dynamic NAT behavior after IP address change"
• Maybe reply: Alexei Monastyrnyi: "Re: Fishy ASA dynamic NAT behavior after IP address change"
• Maybe reply: Farrukh Haroon: "Re: Fishy ASA dynamic NAT behavior after IP address change"
• Maybe reply: Tyson Scott: "RE: Fishy ASA dynamic NAT behavior after IP address change"
• Maybe reply: Alexei Monastyrnyi: "Re: Fishy ASA dynamic NAT behavior after IP address change"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Hi Group.

Just wonder if someone has come across this.

I was changing IP address on ASA 8.0(4) system which does selective
dynamic PAT like below, about 30 such N-pairs.
nat (inside) 0 access-list nonat
nat (inside) N access-list xyz
global (outside) N IP-address/pool

After IP change on outside interface, dynamic part NAT engine stopped
working. And it was a lot of [Scanning] messages severity 4 in the log.
Show xlat showed only static PAT entries, all traffic which was supposed
to get NATted or go via nonat ACL was just black-holed.

shut/no shut on outside interface didn't do. The only way I could fix it
is by ASA unit reload.

I checked open caveats for 8.0(40 are open/relosved for higher interim
releases, no luck.

Shall one expect restarting productin systems after IP address chenge?
Sounds na bit uts. :-)

Hints are appreciated.

Cheers,
A

Blogs and organic groups at http://www.ccie.net

• Next message: Larry Letterman (lletterm): "RE: OT:Dumps are already out for open-ended questions!!"
• Previous message: Narbik Kocharians: "Re: Cisco 360 program"
• Next in thread: Uyota Oyearone: "Re: Fishy ASA dynamic NAT behavior after IP address change"
• Maybe reply: Uyota Oyearone: "Re: Fishy ASA dynamic NAT behavior after IP address change"
• Maybe reply: Muhammad Nasim: "Re: Fishy ASA dynamic NAT behavior after IP address change"
• Maybe reply: Tony Schaffran \(GS\): "RE: Fishy ASA dynamic NAT behavior after IP address change"
• Maybe reply: Tony Schaffran \(GS\): "RE: Fishy ASA dynamic NAT behavior after IP address change"
• Maybe reply: Scott M Vermillion: "Re: Fishy ASA dynamic NAT behavior after IP address change"
• Maybe reply: Alexei Monastyrnyi: "Re: Fishy ASA dynamic NAT behavior after IP address change"
• Maybe reply: Farrukh Haroon: "Re: Fishy ASA dynamic NAT behavior after IP address change"
• Maybe reply: Alexei Monastyrnyi: "Re: Fishy ASA dynamic NAT behavior after IP address change"
• Maybe reply: Farrukh Haroon: "Re: Fishy ASA dynamic NAT behavior after IP address change"
• Maybe reply: Tyson Scott: "RE: Fishy ASA dynamic NAT behavior after IP address change"
• Maybe reply: Alexei Monastyrnyi: "Re: Fishy ASA dynamic NAT behavior after IP address change"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.4 : Mon Apr 06 2009 - 06:44:07 ART