
Unexpected Cisco ASA Feint

This morning I unexpectedly discovered something new, and not very pleasant.
For some this may be obvious, but for some reason I had not come across it before. So, perhaps, this short post will warn someone against a similar problem in the future.

The topology looks roughly like this (the real one is, of course, quite different, but this captures the essence):

[Figure: topology diagram showing the ASA, its interfaces, the DMZ web server and the NAT rule]

There is an ASA, specifically an ASA 5520 running software 8.4(4), with many interfaces and subinterfaces.
In the DMZ there is a web server that listens on port 8443; thanks to the NAT rule (see the figure), it is reachable on port 443 from all the other ASA interfaces.

Last night it turned out that we no longer needed the interface inside2 (actually an 802.1Q subinterface) and could remove it.
This was duly done (no interface inside2). So one of the interfaces was deleted; so what?

This morning it was suddenly discovered that the web server had become unreachable from the outside world.
After a short troubleshooting session and a look at the logs, it turned out that the translation rule for the web server in the DMZ had somehow deleted itself.

While trying to understand how removing the interface could be connected with the disappearance of the NAT rule, I came to the conclusion that the culprit was
the any keyword in the translation rule itself.

That is, the ASA saw that someone was about to deprive it of one of its interfaces. Realizing this, it went looking for NAT rules that use this interface. It found no such rule, but it did find a rule in which any was specified as the destination interface. And since any includes all interfaces, it simply deleted the whole rule.

The conclusion: if your config contains translation rules (in my case it was Auto NAT, but I suspect Manual NAT would behave the same way) that specify the keyword any as one of the interfaces participating in the translation, then after removing any interface at all, every such rule will quietly disappear.
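As an added pre-change check (not from the original post), the following Python script parses the ASA 8.3+ "nat (real_ifc,mapped_ifc)" lines of a saved config and lists the rules that the behaviour above predicts will vanish when a given interface is removed: rules that name that interface, and every rule that uses any on either side. The config text is a constructed sample, and the object and address names in it are assumptions.

```python
import re
from typing import Dict, List

# Constructed sample in ASA 8.3+ saved-config syntax (not taken from the post).
SAMPLE_CONFIG = """\
object network WEB-SERVER
 host 10.99.0.10
 nat (dmz,any) static 198.51.100.10 service tcp 8443 443
!
object network INSIDE-NET
 subnet 10.10.0.0 255.255.0.0
 nat (inside,outside) dynamic interface
!
nat (inside2,outside) source static INSIDE-NET INSIDE-NET destination static PARTNER PARTNER
"""

# Both Auto (object) NAT and Manual NAT lines start with "nat (real_ifc,mapped_ifc)".
NAT_RE = re.compile(r"^\s*nat \((?P<real>[^,]+),(?P<mapped>[^)]+)\)")

def find_nat_rules(config: str) -> List[Dict[str, str]]:
    """Collect every NAT rule with its interface pair and owning network object, if any."""
    rules: List[Dict[str, str]] = []
    current_object = None
    for line in config.splitlines():
        if line.startswith("object network "):
            current_object = line.split()[-1]
        elif line and not line.startswith(" "):
            current_object = None  # any other top-level line ends the object block
        match = NAT_RE.match(line)
        if match:
            rules.append({
                "object": current_object or "(manual NAT)",
                "real": match.group("real").strip(),
                "mapped": match.group("mapped").strip(),
                "line": line.strip(),
            })
    return rules

def rules_at_risk(config: str, interface_to_remove: str) -> List[Dict[str, str]]:
    """Rules expected to vanish when the interface is deleted: those that name it,
    and, per the behaviour described in the post, those using 'any' on either side."""
    at_risk = []
    for rule in find_nat_rules(config):
        interfaces = {rule["real"], rule["mapped"]}
        if interface_to_remove in interfaces or "any" in interfaces:
            at_risk.append(rule)
    return at_risk
```

Run rules_at_risk(SAMPLE_CONFIG, "inside2") before issuing "no interface inside2": the WEB-SERVER rule is reported even though it never mentions inside2, which is exactly the surprise described above.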

Again, this is probably documented somewhere (I have not come across it), but for me it was a surprise.

Source: https://habr.com/ru/post/192616/
