batfish / batfish

Batfish is a network configuration analysis tool that can find bugs and guarantee the correctness of (planned or current) network configurations. It enables network engineers to rapidly and safely evolve their network, without fear of outages or security breaches.

Home Page: http://www.batfish.org


In a configuration that includes an ASA, running Bi-direction reachability for an IP address that goes through the SNAT-configured ASA returns empty data.

tokonish opened this issue · comments

[Problem]

In a configuration that includes an ASA, running Bi-direction reachability for an IP address that goes through the SNAT-configured ASA returns empty data.

[Topology]
(Topology diagram: for community report)

dev3's NAT settings convert 10.0.12.1 to 20.0.12.1.

[Config] (Minimum config)

dev1

hostname dev1
!
no ip domain lookup
!
interface GigabitEthernet0/1
 ip address 10.0.12.1 255.255.255.0
 no shutdown
!
ip route 0.0.0.0 0.0.0.0 10.0.12.2
!
line con 0
 exec-timeout 300 0
 privilege level 15
 logging synchronous
 length 0
!
end

dev2

hostname dev2
!
no ip domain lookup
!
interface GigabitEthernet0/0
 ip address 10.0.12.2 255.255.255.0
 no shutdown
!
interface GigabitEthernet0/1
 ip address 10.0.23.2 255.255.255.0
 no shutdown
!
ip route 10.0.45.0 255.255.255.0 10.0.23.3
!
line con 0
 exec-timeout 300 0
 privilege level 15
 logging synchronous
 length 0
!
end

dev3

ASA Version 9.2(3)
hostname dev3
enable password admin
!
interface GigabitEthernet0/0
 no shutdown
 nameif inside
 security-level 100
 ip address 10.0.23.3 255.255.255.0
!
interface GigabitEthernet0/1
 no shutdown
 nameif outside
 security-level 0
 ip address 10.0.34.3 255.255.255.0
!
access-list all_permit extended permit ip any any
no pager
access-group all_permit in interface outside
!
route inside 10.0.12.0 255.255.255.0 10.0.23.2
route outside 10.0.45.0 255.255.255.0 10.0.34.4
!
object network host-DEV1
 host 10.0.12.1
object network host-DEV1_NAT
 host 20.0.12.1
object network host-DEV5
 host 10.0.45.5
nat (inside,outside) source static host-DEV1 host-DEV1_NAT destination static host-DEV5 host-DEV5
!
console timeout 0
!
end

dev4

hostname dev4
!
no ip domain lookup
!
interface GigabitEthernet0/0
 ip address 10.0.34.4 255.255.255.0
 no shutdown
!
interface GigabitEthernet0/1
 ip address 10.0.45.4 255.255.255.0
 no shutdown
!
ip route 20.0.12.0 255.255.255.0 10.0.34.3
!
line con 0
 exec-timeout 300 0
 privilege level 15
 logging synchronous
 length 0
!
end

dev5

hostname dev5
!
no ip domain lookup
!
interface GigabitEthernet0/0
 ip address 10.0.45.5 255.255.255.0
 no shutdown
!
ip route 0.0.0.0 0.0.0.0 10.0.45.4
!
line con 0
 exec-timeout 300 0
 privilege level 15
 logging synchronous
 length 0
!
end

[Result]
CML Ping dev1->dev5

dev1#ping 10.0.45.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.45.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 2/3/7 ms

Batfish Bi-directional Reachability (dev1->dev5) Forward

Traceback (most recent call last):
  File "/home/testuser/questions.py", line 378, in <module>
    main(args)
  File "/home/testuser/questions.py", line 32, in main
    args.handler(args)
  File "/home/testuser/questions.py", line 285, in command_bireachability
    for result in bireachability.Forward_Traces[0]:
  File "/usr/local/lib/python3.10/dist-packages/pandas/core/series.py", line 879, in __getitem__
    return self._values[key]
IndexError: index 0 is out of bounds for axis 0 with size 0

This shows that no data is being returned.

Cc: @anothermattbrown

Can you attach server-side logs (docker logs) to this issue?

Looking at the forward trace, I see:

ACCEPTED
1. node: dev1
  ORIGINATED(default)
  FORWARDED(Forwarded out interface: GigabitEthernet0/1 with resolved next-hop IP: 10.0.12.2, Routes: [static (Network: 0.0.0.0/0, Next Hop: ip 10.0.12.2)])
  TRANSMITTED(GigabitEthernet0/1)
2. node: dev2
  RECEIVED(GigabitEthernet0/0)
  FORWARDED(Forwarded out interface: GigabitEthernet0/1 with resolved next-hop IP: 10.0.23.3, Routes: [static (Network: 10.0.45.0/24, Next Hop: ip 10.0.23.3)])
  TRANSMITTED(GigabitEthernet0/1)
3. node: dev3
  RECEIVED(inside)
  FORWARDED(Forwarded out interface: outside with resolved next-hop IP: 10.0.34.4, Routes: [static (Network: 10.0.45.0/24, Next Hop: interface outside ip 10.0.34.4)])
  PERMITTED(~COMBINED_OUTGOING_ACL~outside~ (PRE_TRANSFORMATION_EGRESS_FILTER))
  SETUP_SESSION(Incoming Interfaces: [outside], Action: PostNatFibLookup, Match Criteria: [ipProtocol=UDP, srcIp=10.0.45.5, dstIp=10.0.12.1, srcPort=33434, dstPort=49152])
  TRANSMITTED(outside)
4. node: dev4
  RECEIVED(GigabitEthernet0/0)
  FORWARDED(Forwarded out interface: GigabitEthernet0/1, Routes: [connected (Network: 10.0.45.0/24, Next Hop: interface GigabitEthernet0/1)])
  TRANSMITTED(GigabitEthernet0/1)
5. node: dev5
  RECEIVED(GigabitEthernet0/0)
  ACCEPTED(GigabitEthernet0/0)

That says to me that NAT didn't happen in the forward direction.

The first thing I do on every new network is run the bf.q.parseWarning and bf.q.initIssues questions. When I did that here, I got:

Nodes     Source_Lines  Type                             Details
['dev3']  None          Convert warning (unimplemented)  No support for Twice NAT

Here's the root issue for that: #3005
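As an added triage helper (not code from the issue or from Batfish), this applies the maintainer's advice above: check the initIssues answer for unimplemented-conversion warnings on the nodes a flow is expected to traverse, and read a bidirectionalReachability answer without indexing into an empty Forward_Traces column, which is what raised the IndexError in the report. Rows are modelled as plain dicts with the column names shown on this page; the trace shape and the sample rows are constructed assumptions, simplified from pybatfish's Trace/Hop objects.

```python
UNIMPLEMENTED = "Convert warning (unimplemented)"


def unimplemented_warnings(init_issue_rows, path_nodes):
    """Unimplemented-conversion warnings whose Nodes intersect the expected path.

    init_issue_rows: dicts with the initIssues columns (Nodes, Source_Lines, Type, Details).
    Returns a list of (affected_nodes_on_path, details) tuples.
    """
    wanted = set(path_nodes)
    hits = []
    for row in init_issue_rows:
        if row.get("Type") != UNIMPLEMENTED:
            continue
        touched = sorted(wanted & set(row.get("Nodes") or []))
        if touched:
            hits.append((touched, row.get("Details", "")))
    return hits


def triage_bireachability(bireach_rows, init_issue_rows, path_nodes):
    """Classify a bidirectionalReachability answer instead of reading row 0 blindly.

    bireach_rows: answer rows, each carrying a 'Forward_Traces' list; a trace is
    modelled here (assumption) as {'disposition': str, 'hops': [node, ...]}.
    An empty answer is only 'no flow' when no node on the path has an
    unimplemented feature; otherwise the model itself is incomplete.
    """
    warnings = unimplemented_warnings(init_issue_rows, path_nodes)
    if not bireach_rows:
        status = "model_incomplete" if warnings else "no_bidirectional_flow"
        return {"status": status, "warnings": warnings, "dispositions": []}
    dispositions = [t["disposition"]
                    for r in bireach_rows for t in r.get("Forward_Traces", [])]
    return {"status": "answered", "warnings": warnings, "dispositions": dispositions}


# Constructed sample mirroring the initIssues row quoted on this page.
SAMPLE_INIT_ISSUES = [
    {"Nodes": ["dev3"], "Source_Lines": None, "Type": UNIMPLEMENTED,
     "Details": "No support for Twice NAT"},
]
# Nodes on the dev1 -> dev5 path from the forward trace above.
SAMPLE_PATH = ["dev1", "dev2", "dev3", "dev4", "dev5"]

if __name__ == "__main__":
    # Empty answer plus a warning on dev3: the result is untrustworthy, not "unreachable".
    print(triage_bireachability([], SAMPLE_INIT_ISSUES, SAMPLE_PATH))
```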