Created
February 12, 2017 17:36
-
-
Save jonnystorm/a0596e46ae65ba097e4c4966eea45bf8 to your computer and use it in GitHub Desktop.
Ambiguous ASA Syntax
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ! Much of ASA syntax is ambiguous, over-determined, or just plain confused. | |
| ! Below is one such example. | |
| ! | |
| ! Name two interfaces using the real/mapped interface delimiter, ','. | |
| ! In general, ASA accepts a shocking variety of characters for names. | |
| ! Keywords are unreserved. | |
| ! Only naming conflicts occur with built-in objects. | |
| ! | |
| ASA(config)# int po1.22 | |
| ASA(config-subif)# vlan 22 | |
| ASA(config-subif)# nameif , | |
| INFO: Security level for ",," set to 0 by default. | |
| ASA(config)# int po1.23 | |
| ASA(config-subif)# vlan 23 | |
| ASA(config-subif)# nameif ,, | |
| INFO: Security level for ",," set to 0 by default. | |
| ! | |
| ! ASA recognizes the new nameifs. | |
| ! | |
| ASA(config)# nat (? | |
| configure mode commands/options: | |
| Current available interface(s): | |
| , Name of interface Port-channel1.22 | |
| ,, Name of interface Port-channel1.23 | |
| inside Name of interface GigabitEthernet0/1 | |
| management Name of interface Management0/0 | |
| outside Name of interface GigabitEthernet0/0 | |
| ! | |
| ! ASA resolves the ambiguity, but how? | |
| ! | |
| ASA(config)# nat (,,,,) ? | |
| configure mode commands/options: | |
| <1-2147483647> Position of NAT rule within before auto section | |
| after-auto Insert NAT rule after auto section | |
| source Source NAT parameters | |
| ! | |
| ! Let's find out. | |
| ! | |
| ASA(config)# nat (,,,,) after-auto source static any any | |
| WARNING: This rule will match all incoming traffic on interface ',,'. | |
| Use 'unidirectional' option to apply the rule for outgoing traffic only. | |
| ! | |
| ! Survey says... lexical sort! This is effectively shortest match first. | |
| ! | |
| ASA(config)# sho nat det | beg ,, | |
| 1 (,) to (,,) source static any any | |
| translate_hits = 0, untranslate_hits = 0 | |
| Source - Origin: 0.0.0.0/0, Translated: 0.0.0.0/0 | |
| ! | |
| ! But does ASA internally refer to the nameif or a unique handle? | |
| ! As it turns out, ASA uses a handle. | |
| ! | |
| ASA(config)# int po1.22 | |
| ASA(config-subif)# nameif ,,, | |
| ASA(config-subif)# sho nat det | beg ,, | |
| 1 (,,,) to (,,) source static any any | |
| translate_hits = 0, untranslate_hits = 0 | |
| Source - Origin: 0.0.0.0/0, Translated: 0.0.0.0/0 | |
| ! | |
| ! But ASA seems to have trouble with the new nameif. | |
| ! | |
| ASA(config)# nat (,,,,,,) ? | |
| configure mode commands/options: | |
| <0-2147483647> The <nat_id> of this group of hosts/networks. This <nat_id> | |
| will be referenced by the global command to associate a | |
| global pool with the local IP address. <nat_id> '0' is used | |
| to indicate no address translation for local IP. The limit is | |
| 65535 with access-lists | |
| ! | |
| ! ASA now demands addresses. Was it something I said? | |
| ! | |
| ASA(config)# nat (,,,,,,) 88 ? | |
| configure mode commands/options: | |
| Hostname or A.B.C.D The hosts/networks in this <nat_id> group, '0' indicates | |
| all networks or the default <nat_id> group | |
| access-list Specify access-list name after this keyword | |
| ! | |
| ! The command looks right... | |
| ! | |
| ASA(config)# sho run | incl ,,, | |
| nameif ,,, | |
| mtu ,,, 1500 | |
| nat (,,,,,,) after-auto source static any any | |
| ! | |
| ! Let's blow it away. | |
| ! | |
| ASA(config)# no nat (,,,,,,) ? | |
| configure mode commands/options: | |
| <0-2147483647> The <nat_id> of this group of hosts/networks. This <nat_id> | |
| will be referenced by the global command to associate a | |
| global pool with the local IP address. <nat_id> '0' is used | |
| to indicate no address translation for local IP. The limit is | |
| 65535 with access-lists | |
| ! | |
| ! Huh. Or not. | |
| ! Try changing the nameif back. | |
| ! | |
| ASA(config)# int po1.22 | |
| ASA(config-subif)# nameif , | |
| ASA(config-subif)# exit | |
| ASA(config)# no nat (,,,,) after-auto source static any any | |
| ! | |
| ! That worked. If we start fresh, is it any better? | |
| ! | |
| ASA(config)# int po1.22 | |
| ASA(config-subif)# nameif ,,, | |
| ASA(config-subif)# exit | |
| ASA(config)# nat (,,,,,,) ? | |
| configure mode commands/options: | |
| <0-2147483647> The <nat_id> of this group of hosts/networks. This <nat_id> | |
| will be referenced by the global command to associate a | |
| global pool with the local IP address. <nat_id> '0' is used | |
| to indicate no address translation for local IP. The limit is | |
| 65535 with access-lists | |
| ! | |
| ! Nope: you have exceeded your comma allotment. | |
| ! Thanks for playing. | |
| ! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment