Re: Fishy ASA dynamic NAT behavior after IP address change

From: Muhammad Nasim (muhammad.nasim@gmail.com)
Date: Thu Mar 26 2009 - 17:56:13 ART

• Next message: Pavel Bykov: "Re: QoS Shape Peak Interval"
• Previous message: Darby Weaver: "Re: OT:Dumps are already out for open-ended questions!!"
• Maybe in reply to: Alexei Monastyrnyi: "Fishy ASA dynamic NAT behavior after IP address change"
• Next in thread: Tony Schaffran \(GS\): "RE: Fishy ASA dynamic NAT behavior after IP address change"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

did u perform clear xlate command before restart.
somtime clear commands do the trick

ASA code is very buggy to be honest

2009/3/26 Uyota Oyearone <spycharlies@gmail.com>

> Not sure if this helps u. Sometimes ASA does not understand what is outside
> and inside when doing NAT, it ends up screwing my whole routing. The only
> way i have been able to solve this, was to create an exception rule.
>
>
> Uyota.
>
>
>
> On Tue, Mar 24, 2009 at 2:10 PM, Alexei Monastyrnyi <alexeim73@gmail.com
> >wrote:
>
> > Hi Group.
> >
> > Just wonder if someone has come across this.
> >
> > I was changing IP address on ASA 8.0(4) system which does selective
> dynamic
> > PAT like below, about 30 such N-pairs.
> > nat (inside) 0 access-list nonat
> > nat (inside) N access-list xyz
> > global (outside) N IP-address/pool
> >
> > After IP change on outside interface, dynamic part NAT engine stopped
> > working. And it was a lot of [Scanning] messages severity 4 in the log.
> Show
> > xlat showed only static PAT entries, all traffic which was supposed to
> get
> > NATted or go via nonat ACL was just black-holed.
> >
> > shut/no shut on outside interface didn't do. The only way I could fix it
> is
> > by ASA unit reload.
> >
> > I checked open caveats for 8.0(40 are open/relosved for higher interim
> > releases, no luck.
> >
> > Shall one expect restarting productin systems after IP address chenge?
> > Sounds na bit uts. :-)
> >
> > Hints are appreciated.
> >
> > Cheers,
> > A
> >
> >
> > Blogs and organic groups at http://www.ccie.net
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>
>
>
>
>
>
>
>

-- 
Muhammad Nasim
Network Engineer
Saudi Arabia
Blogs and organic groups at http://www.ccie.net

• Next message: Pavel Bykov: "Re: QoS Shape Peak Interval"
• Previous message: Darby Weaver: "Re: OT:Dumps are already out for open-ended questions!!"
• Maybe in reply to: Alexei Monastyrnyi: "Fishy ASA dynamic NAT behavior after IP address change"
• Next in thread: Tony Schaffran \(GS\): "RE: Fishy ASA dynamic NAT behavior after IP address change"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.4 : Mon Apr 06 2009 - 06:44:07 ART