In a configuration that includes an ASA, running bi-directional reachability for an IP address that goes through the SNAT-configured ASA returns empty data.
tokonish opened this issue · comments
[Problem]
In a configuration that includes an ASA, running bi-directional reachability for an IP address that goes through the SNAT-configured ASA returns empty data.
dev3's NAT settings convert 10.0.12.1 to 20.0.12.1.
[Config] ※Minimum Config
・ dev1
hostname dev1
!
no ip domain lookup
!
interface GigabitEthernet0/1
ip address 10.0.12.1 255.255.255.0
no shutdown
!
ip route 0.0.0.0 0.0.0.0 10.0.12.2
!
line con 0
exec-timeout 300 0
privilege level 15
logging synchronous
length 0
!
end
・ dev2
hostname dev2
!
no ip domain lookup
!
interface GigabitEthernet0/0
ip address 10.0.12.2 255.255.255.0
no shutdown
!
interface GigabitEthernet0/1
ip address 10.0.23.2 255.255.255.0
no shutdown
!
ip route 10.0.45.0 255.255.255.0 10.0.23.3
!
line con 0
exec-timeout 300 0
privilege level 15
logging synchronous
length 0
!
end
・ dev3
ASA Version 9.2(3)
hostname dev3
enable password admin
!
interface GigabitEthernet0/0
no shutdown
nameif inside
security-level 100
ip address 10.0.23.3 255.255.255.0
!
interface GigabitEthernet0/1
no shutdown
nameif outside
security-level 0
ip address 10.0.34.3 255.255.255.0
!
access-list all_permit extended permit ip any any
no pager
access-group all_permit in interface outside
!
route inside 10.0.12.0 255.255.255.0 10.0.23.2
route outside 10.0.45.0 255.255.255.0 10.0.34.4
!
object network host-DEV1
host 10.0.12.1
object network host-DEV1_NAT
host 20.0.12.1
object network host-DEV5
host 10.0.45.5
nat (inside,outside) source static host-DEV1 host-DEV1_NAT destination static host-DEV5 host-DEV5
!
console timeout 0
!
end
・ dev4
hostname dev4
!
no ip domain lookup
!
interface GigabitEthernet0/0
ip address 10.0.34.4 255.255.255.0
no shutdown
!
interface GigabitEthernet0/1
ip address 10.0.45.4 255.255.255.0
no shutdown
!
ip route 20.0.12.0 255.255.255.0 10.0.34.3
!
line con 0
exec-timeout 300 0
privilege level 15
logging synchronous
length 0
!
end
・ dev5
hostname dev5
!
no ip domain lookup
!
interface GigabitEthernet0/0
ip address 10.0.45.5 255.255.255.0
no shutdown
!
ip route 0.0.0.0 0.0.0.0 10.0.45.4
!
line con 0
exec-timeout 300 0
privilege level 15
logging synchronous
length 0
!
end
[Result]
・ CML Ping dev1->dev5
dev1#ping 10.0.45.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.45.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 2/3/7 ms
・ Batfish Bi-directional Reachability (dev1->dev5), Forward
Traceback (most recent call last):
  File "/home/testuser/questions.py", line 378, in <module>
    main(args)
  File "/home/testuser/questions.py", line 32, in main
    args.handler(args)
  File "/home/testuser/questions.py", line 285, in command_bireachability
    for result in bireachability.Forward_Traces[0]:
  File "/usr/local/lib/python3.10/dist-packages/pandas/core/series.py", line 879, in __getitem__
    return self._values[key]
IndexError: index 0 is out of bounds for axis 0 with size 0
This shows that no data is being returned.
Can you attach server-side logs (docker logs) to this issue?
Looking at the forward trace, I see:
ACCEPTED
1. node: dev1
ORIGINATED(default)
FORWARDED(Forwarded out interface: GigabitEthernet0/1 with resolved next-hop IP: 10.0.12.2, Routes: [static (Network: 0.0.0.0/0, Next Hop: ip 10.0.12.2)])
TRANSMITTED(GigabitEthernet0/1)
2. node: dev2
RECEIVED(GigabitEthernet0/0)
FORWARDED(Forwarded out interface: GigabitEthernet0/1 with resolved next-hop IP: 10.0.23.3, Routes: [static (Network: 10.0.45.0/24, Next Hop: ip 10.0.23.3)])
TRANSMITTED(GigabitEthernet0/1)
3. node: dev3
RECEIVED(inside)
FORWARDED(Forwarded out interface: outside with resolved next-hop IP: 10.0.34.4, Routes: [static (Network: 10.0.45.0/24, Next Hop: interface outside ip 10.0.34.4)])
PERMITTED(~COMBINED_OUTGOING_ACL~outside~ (PRE_TRANSFORMATION_EGRESS_FILTER))
SETUP_SESSION(Incoming Interfaces: [outside], Action: PostNatFibLookup, Match Criteria: [ipProtocol=UDP, srcIp=10.0.45.5, dstIp=10.0.12.1, srcPort=33434, dstPort=49152])
TRANSMITTED(outside)
4. node: dev4
RECEIVED(GigabitEthernet0/0)
FORWARDED(Forwarded out interface: GigabitEthernet0/1, Routes: [connected (Network: 10.0.45.0/24, Next Hop: interface GigabitEthernet0/1)])
TRANSMITTED(GigabitEthernet0/1)
5. node: dev5
RECEIVED(GigabitEthernet0/0)
ACCEPTED(GigabitEthernet0/0)
That says to me that NAT didn't happen in the forward direction.
The first thing I do on every new network is run the bf.q.parseWarning and bf.q.initIssues questions. When I did that here, I got:
Nodes     Source_Lines  Type                             Details
['dev3']  None          Convert warning (unimplemented)  No support for Twice NAT
Here's the root issue for that: #3005
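As an added example (not code from the Batfish project or from anyone in this issue), here is a stdlib-only pre-check that scans an ASA config for twice (manual) NAT rules, the form the parse warning above reports as unsupported, and resolves the object names so you can see which translation will be absent from the trace before trusting a reachability answer. It assumes the Cisco manual NAT syntax `nat (real,mapped) source {static|dynamic} real mapped [destination static mapped real]`, treats every top-level `nat` line as twice NAT, and uses a config excerpt constructed from dev3's config in this issue.

```python
import re

# Constructed excerpt of the dev3 config from this issue (only its object and NAT lines).
DEV3_CONFIG = """\
object network host-DEV1
 host 10.0.12.1
object network host-DEV1_NAT
 host 20.0.12.1
object network host-DEV5
 host 10.0.45.5
nat (inside,outside) source static host-DEV1 host-DEV1_NAT destination static host-DEV5 host-DEV5
"""

OBJECT_RE = re.compile(r"^object network (\S+)\s*$")
VALUE_RE = re.compile(r"^\s+(?:host|subnet|range) (.+?)\s*$")
# Twice (manual) NAT is written at the top level of the config:
#   nat (real_ifc,mapped_ifc) [line | after-auto] source {static|dynamic} real mapped
#       [destination static mapped real]
# Object NAT is the indented "nat" line inside an "object network" block and is not matched.
TWICE_NAT_RE = re.compile(
    r"^nat \((?P<real_ifc>[^,]+),(?P<mapped_ifc>[^)]+)\)(?:\s+\S+)*?"
    r"\s+source (?P<kind>static|dynamic) (?P<src_real>\S+) (?P<src_mapped>\S+)"
    r"(?:\s+destination static (?P<dst_mapped>\S+) (?P<dst_real>\S+))?"
)

def network_objects(config: str) -> dict[str, str]:
    """Map each 'object network' name to its host/subnet/range value."""
    objects, current = {}, None
    for line in config.splitlines():
        if m := OBJECT_RE.match(line):
            current = m.group(1)
        elif not line.startswith(" "):      # any other top-level line ends the block
            current = None
        elif current and (m := VALUE_RE.match(line)):
            objects[current] = m.group(1)
    return objects

def find_twice_nat(config: str) -> list[dict]:
    """Return every twice NAT rule, with object names resolved to addresses where known.
    dst_real/dst_mapped are None when the rule translates the source only."""
    objects = network_objects(config)
    rules = []
    for line in config.splitlines():
        if m := TWICE_NAT_RE.match(line):
            rule = m.groupdict()
            for key in ("src_real", "src_mapped", "dst_mapped", "dst_real"):
                if rule[key] is not None:
                    rule[key] = objects.get(rule[key], rule[key])
            rules.append(rule)
    return rules

if __name__ == "__main__":
    for rule in find_twice_nat(DEV3_CONFIG):
        print(rule)   # the resolved dev3 rule: 10.0.12.1 mapped to 20.0.12.1 towards 10.0.45.5
```

Run it over every ASA config in the snapshot; any rule it lists is one whose translation the trace above will not show until #3005 is resolved.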