Upgrading to ASA 8.4 – ‘No ACL was changed as part of Real-ip migration’


If you have tried to upgrade your ASA to 8.4, you may or may not have come across the most common error, i.e. –

No ACL was changed as part of Real-ip migration

The reason this happens is because of a conflict between the NAT O statement and Static NATs.

Here’s the message I got when the ASA was upgraded to 8.4:-

INFO: MIGRATION - Saving the startup configuration to file
INFO: MIGRATION - Startup configuration saved to file 'flash:8_2_5_13_startup_cfg.sav'
*** Output from config line 4, "ASA Version 8.2(5)13 "
WARNING: 
MIGRATION: NAT Exempt command is encountered in config.
Static NATs which overlap with NAT Exempt source are not migrated.
Please check migrated ACLs for accuracy.
*** Output from config line 1000, "access-group OUTSIDE_ACL..."
WARNING: 
MIGRATION: NAT Exempt command is encountered in config.
Static NATs which overlap with NAT Exempt source are not migrated.
Please check migrated ACLs for accuracy.
*** Output from config line 1001, "access-group INSIDE_ACL ..."
NAT migration logs:
INFO: NAT migration completed.
Real IP migration logs:
 No ACL was changed as part of Real-ip migration

The reason this failed was because it clearly states in the message above that –

Static NATs which overlap with NAT Exempt source are not migrated.

If you have a NAT O that has ‘any’ either in the source or destination field and a Static NAT that consists of an IP from the source/destination subnet of that NAT O statement then you are bound to face that error. Here’s an example of what you want to look out for before upgrading to 8.4;

nat (inside) 0 access-list inside_nat_outbound
access-list inside_nat_outbound extended permit ip 10.1.1.0 255.255.255.0 any

and

static (inside,outside) 1.1.1.1 10.1.1.1 netmask 255.255.255.255

When your NAT O statement has a subnet that includes the IP that already has a Static NAT it does not create an object for that IP (10.1.1.1). Since it does not create an object it also does not create a NAT and an ACL for it.
So we have three solutions here:-

1. First upgrade your ASA to 8.3(1.7) and then to 8.4(x). Cisco’s Bug Toolkit says that the bug is resolved in 8.3(1.7). I can’t confirm it as I haven’t done that. But I don’t understand that if the bug is resolved in 8.3(1.7) why is it still bugging in 8.4! No pun intended.

OR

2. Remove ONLY the NAT O statement before upgrading. Once the ASA is upgraded to 8.4 you will see that the Static NAT was successfully migrated.

After the upgrade, convert the NAT O statement to a 8.4 Twice NAT syntax and place it in Manual NAT after Auto section of the NAT table. If you do not place it after auto, the NAT Exemption will shadow the Static NAT.

object network obj-10.1.1.0_24
 subnet 10.1.1.0 255.255.255.0
!
object network obj-172.16.1.0_24
 subnet 172.16.1.0 255.255.255.0
!
nat (inside,outside) after-auto source static obj-10.1.1.0_24 obj-10.1.1.0_24 destination static obj-172.16.1.0_24 obj-172.16.1.0_24 no-proxy-arp route-lookup

OR

3. If you have too many NAT O statements to worry about, just get rid of the Static NATs that overlap. Once upgraded to 8.4, configure them using the Manual NAT syntax and place it above the NAT O statement in Manual NAT section of the NAT table.

object network obj-10.1.1.1
 host 10.1.1.1
object network obj-1.1.1.1
 host 1.1.1.1
nat (inside,outside) 1 source static obj-10.1.1.1 obj-1.1.1.1

Let me know if you come across any other reasons for the ACLs not migrating to the Real IP and we can try something out. :-)

Educate me if you think I’m wrong,
Guide me if I have missed out on something,
And, rate/like the post if you found it helpful ;-)

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s