RE: Fishy ASA dynamic NAT behavior after IP address change

From: Tony Schaffran (GS) (groupstudy@cconlinelabs.com)
Date: Thu Mar 26 2009 - 18:39:17 ART


I am not sure if I would use the word 'buggy' when it comes to ASA code.
Although it could be a little better in the QA department, it is not half
as bad as Microsoft. I do not know of any software that does not have a bug
or two in it.

I have never had an ASA do anything other than what I programmed it to do,
and everything I programmed it to do, it has executed: IPSEC, VPN, NAT,
OSPF & BGP routing, contexts and more. I have configured some off-the-wall
weird stuff on the ASAs, and if there was an issue, there was usually a good
workaround for it.

Maybe the term 'buggy' is used too often when somebody does not understand
something fully. To many people, it is easier to blame the hardware or
software than it is to take a closer look at their own skills.

I am not implying anything personal toward you, this is just a general
observation.

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Muhammad Nasim
Sent: Thursday, March 26, 2009 1:56 PM
To: Uyota Oyearone
Cc: Alexei Monastyrnyi; security@groupstudy.com; Cisco certification
Subject: Re: Fishy ASA dynamic NAT behavior after IP address change

Did you perform the clear xlate command before the restart?
Sometimes clear commands do the trick.

ASA code is very buggy to be honest

2009/3/26 Uyota Oyearone <spycharlies@gmail.com>

> Not sure if this helps you. Sometimes the ASA does not understand what is
> outside and inside when doing NAT, and it ends up screwing my whole routing.
> The only way I have been able to solve this was to create an exception rule.
>
>
> Uyota.
>
>
>
> On Tue, Mar 24, 2009 at 2:10 PM, Alexei Monastyrnyi <alexeim73@gmail.com
> >wrote:
>
> > Hi Group.
> >
> > Just wonder if someone has come across this.
> >
> > I was changing the IP address on an ASA 8.0(4) system which does selective
> > dynamic PAT like below, about 30 such N-pairs.
> > nat (inside) 0 access-list nonat
> > nat (inside) N access-list xyz
> > global (outside) N IP-address/pool
> >
> > After the IP change on the outside interface, the dynamic part of the NAT
> > engine stopped working, and there were a lot of [Scanning] messages of
> > severity 4 in the log. Show xlate showed only static PAT entries; all
> > traffic which was supposed to get NATted or go via the nonat ACL was just
> > black-holed.
> >
> > shut/no shut on the outside interface didn't do it. The only way I could
> > fix it was by an ASA unit reload.
> >
> > I checked open caveats for 8.0(4) that are open/resolved for higher interim
> > releases, no luck.
> >
> > Shall one expect restarting production systems after an IP address change?
> > Sounds a bit nuts. :-)
> >
> > Hints are appreciated.
> >
> > Cheers,
> > A
> >
> >
> > Blogs and organic groups at http://www.ccie.net
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
>

-- 
Muhammad Nasim
Network Engineer
Saudi Arabia
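The thread's symptom ("show xlate showed only static PAT entries" after the outside address changed) and the suggested first step (clear xlate before reaching for a reload) both come down to one verification: does each configured global pool still have translations? Below is an added post-change check that is not part of this thread or of any Cisco tool. It parses the pre-8.3 `show xlate` entry format as I know it from 8.0-era output (`Global <ip> Local <ip>` and `PAT Global <ip>(<port>) Local <ip>(<port>)`; treat that format as an assumption and adjust the regex for your release), maps each entry back to the `global (outside) N <ip>` address it uses, and reports pool ids that have no translations at all. The sample outputs, the pool table `POOLS`, and all addresses are constructed; the function names are mine.

```python
import re

# Regex for the pre-8.3 "show xlate" entry format (assumed here from 8.0-era output):
#   Global <ip> Local <ip>                      one-to-one translation
#   PAT Global <ip>(<port>) Local <ip>(<port>)  port address translation
XLATE_RE = re.compile(
    r"^(?P<pat>PAT\s+)?Global\s+(?P<gip>\d{1,3}(?:\.\d{1,3}){3})(?:\((?P<gport>\d+)\))?"
    r"\s+Local\s+(?P<lip>\d{1,3}(?:\.\d{1,3}){3})(?:\((?P<lport>\d+)\))?"
)


def parse_xlate(output):
    """Turn raw 'show xlate' text into a list of dicts; lines that are not
    translation entries (the 'N in use' header, blanks) are skipped."""
    entries = []
    for line in output.splitlines():
        m = XLATE_RE.match(line.strip())
        if not m:
            continue
        entries.append({
            "pat": m.group("pat") is not None,
            "global_ip": m.group("gip"),
            "global_port": int(m.group("gport")) if m.group("gport") else None,
            "local_ip": m.group("lip"),
            "local_port": int(m.group("lport")) if m.group("lport") else None,
        })
    return entries


def count_by_pool(entries, pools):
    """pools maps NAT id N -> the address from 'global (outside) N <ip>'.
    Returns {N: number of xlates currently using that global address}."""
    addr_to_id = {ip: n for n, ip in pools.items()}
    counts = {n: 0 for n in pools}
    for e in entries:
        n = addr_to_id.get(e["global_ip"])
        if n is not None:
            counts[n] += 1
    return counts


def idle_pools(entries, pools):
    """NAT ids whose global address appears in no translation at all. A
    non-empty result on a box whose pools should be busy is the condition the
    thread describes: only static entries survive the address change."""
    return sorted(n for n, c in count_by_pool(entries, pools).items() if c == 0)


# Constructed sample data (hypothetical); addresses are RFC 5737 documentation ranges.
POOLS = {1: "203.0.113.10", 2: "203.0.113.11"}  # global (outside) 1 / global (outside) 2

HEALTHY = """\
5 in use, 12 most used
PAT Global 203.0.113.20(80) Local 10.1.1.5(8080)
PAT Global 203.0.113.10(1024) Local 10.1.2.15(51322)
PAT Global 203.0.113.10(1025) Local 10.1.2.16(40017)
PAT Global 203.0.113.11(1024) Local 10.1.3.7(28877)
PAT Global 203.0.113.11(1025) Local 10.1.3.8(33001)
"""

# Same box after the outside address change: only the static PAT entry is left.
AFTER_CHANGE = """\
1 in use, 12 most used
PAT Global 203.0.113.20(80) Local 10.1.1.5(8080)
"""

if __name__ == "__main__":
    for label, text in (("healthy", HEALTHY), ("after change", AFTER_CHANGE)):
        entries = parse_xlate(text)
        print(label, count_by_pool(entries, POOLS), "idle pools:", idle_pools(entries, POOLS))
```

Run it against captured `show xlate` output taken a few minutes after the change, with `POOLS` filled from your own `global (outside)` lines; an idle pool that should carry traffic is the cue to try `clear xlate` and re-check before scheduling a reload, and the before/after counts give you something concrete to attach to a TAC case.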




This archive was generated by hypermail 2.1.4 : Mon Apr 06 2009 - 06:44:07 ART