From: Alexei Monastyrnyi (alexeim73@gmail.com)
Date: Sat Mar 28 2009 - 18:44:42 ART
Tony,
I don't think I am prepared to post my production configs. :-) No
offence, mate.
As you said, ASA is quite a straightforward animal when it obeys, and so
is my config; a bunch of L2L IPSec tunnels with source-destination based
dynamic NAT translation like this:
nat (inside) N access-list xyz
global (outside) N IP-address
All 30 such tunnels/translations, which I had on that unit, stopped
working with the IP address change on the outside interface. I am fully aware
that one shall expect downtime with such a change. I just was not ready
to restart the box right away. So it took me some time to figure out that
dynamic NAT went nuts. Too bad I extended my IOS-like expectations too
far. :-)
I would be merely interested to hear if someone had such an issue
before. I'd say it is more of a theoretical question than an attempt to find
problems with my config. Unfortunately I don't have a spare ASA unit to
lab it up.
Cheers,
A.
#17234 (R/S)
Tony Schaffran (GS) wrote:
> Without seeing your actual config, all we can do is speculate what may have
> caused your issue with changing the IP address on the outside interface.
>
>
> Tony Schaffran
> Sr. Network Consultant
> CCIE #11071
> CCNP, CCNA, CCDA,
> NNCDS, NNCSS, CNE, MCSE
>
> www.cconlinelabs.com
> Your #1 choice for online Cisco rack rentals.
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Alexei Monastyrnyi
> Sent: Tuesday, March 24, 2009 1:11 PM
> To: security@groupstudy.com
> Cc: Cisco certification
> Subject: Fishy ASA dynamic NAT behavior after IP address change
>
> Hi Group.
>
> Just wonder if someone has come across this.
>
> I was changing the IP address on an ASA 8.0(4) system which does selective
> dynamic PAT like below, about 30 such N-pairs.
> nat (inside) 0 access-list nonat
> nat (inside) N access-list xyz
> global (outside) N IP-address/pool
>
> After the IP change on the outside interface, the dynamic part of the NAT
> engine stopped working, and there were a lot of [Scanning] messages of
> severity 4 in the log. "show xlate" showed only static PAT entries; all
> traffic which was supposed to get NATted or go via the nonat ACL was just
> black-holed.
>
> shut/no shut on the outside interface didn't do it. The only way I could fix it
> was by reloading the ASA unit.
>
> I checked open caveats for 8.0(4) and those open/resolved for higher interim
> releases, no luck.
>
> Shall one expect to restart production systems after an IP address change?
> Sounds a bit nuts. :-)
>
> Hints are appreciated.
>
> Cheers,
> A
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
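As an added illustration (not the poster's config and not a Cisco tool), the script below parses pre-8.3 style nat/global pairs like the ones quoted in this thread from a constructed config and lists what to review around an outside-interface address change: nat IDs with no matching global, and global statements that still name the old outside address or do not sit in the outside interface's subnet. The command syntax follows the thread; the addresses, interface and ACL names are placeholders.

```python
import ipaddress
import re

# Constructed pre-8.3 ASA NAT config in the style the thread quotes; the
# addresses and ACL names are placeholders, not the poster's configuration.
SAMPLE_CONFIG = """
interface Vlan2
 ip address 203.0.113.20 255.255.255.0
nat (inside) 0 access-list nonat
nat (inside) 1 access-list xyz
global (outside) 1 203.0.113.10
nat (inside) 2 access-list abc
global (outside) 2 198.51.100.5-198.51.100.9
nat (inside) 3 access-list def
global (outside) 3 interface
nat (inside) 4 access-list ghi
"""

NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) access-list (\S+)$")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)$")
IP_RE = re.compile(r"^\s*ip address (\S+) (\S+)$")

def parse(config):
    """Return ({nat_id: acl}, {global_id: address}, interface network)."""
    nats, globals_, network = {}, {}, None
    for line in config.strip().splitlines():
        if m := NAT_RE.match(line):
            nats[int(m.group(2))] = m.group(3)
        elif m := GLOBAL_RE.match(line):
            globals_[int(m.group(2))] = m.group(3)
        elif m := IP_RE.match(line):
            network = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network
    return nats, globals_, network

def check(config, old_outside_ip):
    """Findings to review around an outside-interface address change."""
    nats, globals_, network = parse(config)
    findings = []
    for nat_id in sorted(nats):  # id 0 is identity/nat-exempt, needs no global
        if nat_id != 0 and nat_id not in globals_:
            findings.append(f"nat id {nat_id}: no matching global statement")
    for gid, addr in sorted(globals_.items()):
        if addr == "interface":
            continue  # tracks the interface address, nothing hard-coded
        first = addr.split("-")[0]  # first address of a pool range
        if first == old_outside_ip:
            findings.append(f"global id {gid}: still uses old outside IP {addr}")
        elif network and ipaddress.ip_address(first) not in network:
            findings.append(f"global id {gid}: {addr} not in outside subnet {network}")
    return findings
```

Run `check(SAMPLE_CONFIG, "203.0.113.10")` to see the three findings for the sample; on a real unit feed it the output of `show running-config` and the address you are moving away from.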
This archive was generated by hypermail 2.1.4 : Mon Apr 06 2009 - 06:44:07 ART