topic Hi, This might be a known bug in Network Security

Connection to PAT address without pre-existing xlate

Rizwan Khan — Tue, 12 Mar 2019 04:40:29 GMT

Hello Experts,

We recently migrated to ASA 9.1.5 from ASA 8.6. Everything worked well except static object NAT. Let me make you understand with an example.

My inside host 10.12.7.93 is not able to do name resolution from 8.8.8.8. or 8.8.4.4.

object network 10-12-7-93

host 10.12.7.93
nat (INSIDE,OUTSIDE) static 199.96.217.225

end

Packet capture command output is shown below.

packet-tracer input inside udp 10.12.7.93 10056 8.8.8.8 53

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 OUTSIDE

Result:
input-interface: INSIDE
input-status: up
input-line-status: up
output-interface: OUTSIDE
output-status: up
output-line-status: up
Action: drop
Drop-reason: (nat-no-xlate-to-pat-pool) Connection to PAT address without pre-existing xlate

What i have observed is that there is a policy pat for destinations 8.8.8.8 and 8.8.4.4 for some inside hosts. Not that 10.12.7.93. What can be the issue? is it some bug in ASA 9.1.5? Your suggestions and comments will be really appreciated.

Hi, I presume that is not the

Jouni Forss — Tue, 26 Aug 2014 07:16:49 GMT

Hi,

I presume that is not the full output of the "packet-tracer" or? If not then could you share the complete output?

Unless you have a very large NAT configuration could you also share the NAT configurations.

- Jouni

Hi Jouni,This is complete

Rizwan Khan — Tue, 26 Aug 2014 10:36:03 GMT

Hi Jouni,

This is complete output of packet tracer. The PAT configurations which i was referring to are

nat (INSIDE,OUTSIDE) after-auto source dynamic LOWER-SEGMENT 199-96-218-6 destination static DNS-SERVERS DNS-SERVERS service DNS-TCP DNS-TCP
nat (INSIDE,OUTSIDE) after-auto source dynamic LOWER-SEGMENT 199-96-218-6 destination static DNS-SERVERS DNS-SERVERS service DNS-UDP DNS-UDP

LOWER-SEGMENT object group carries the subnet 10.12.7.0

Above NAT is after auto NAT i.e section 3. While the static nat for 10.12.7.93 is in section 2.

As per the order of NAT, section 2 must be traversed before section 3.

Any idea?

Hi, This might be a known bug

nkarthikeyan — Tue, 26 Aug 2014 13:30:49 GMT

Hi,

This might be a known bug in this version.

https://tools.cisco.com/bugsearch/bug/CSCun81982

Can you try in real time without a packet tracer?

Excerpt from the Bug Tracker:

Packet-tracer showing incorrect result for certain NAT configurations

CSCun81982

Description

Symptom:
Testing a NAT configuration, packet-tracer tool showing a result that differs from the tests based on the actual traffic. Results also depend upon the nature of objects or object-groups used in the NAT ocnfiguration.

The packet-tracer result:

Drop-reason: (nat-no-xlate-to-pat-pool) Connection to PAT address without pre-existing xlate

Conditions:
Manual NAT configuration using object-groups.

Workaround:
Use NAT configuration based on IP ranges. Test without packet-tracer.

Further Problem Description:

Regards

Karthik

Hi Karthik,I have tested

Rizwan Khan — Tue, 26 Aug 2014 14:07:38 GMT

Hi Karthik,

I have tested using actual traffic. Everything worked fine in ASA 8.6. Ever since i upgraded to 9.1.5 this issue came.

So in my observation, it is not packet tracer issue. Its pointing correctly. Any other idea based on your experience?

Hi, Have you tried without

nkarthikeyan — Tue, 26 Aug 2014 15:57:10 GMT

Hi,

Have you tried without object in NAT... have you tried with ip range directly in the NAT? Because that bug comes when we use object in NAT.

can you try for a sample host with a plain nat without object and confirm me?

Regards

Karthik

Karthik,First of all thank

Rizwan Khan — Wed, 27 Aug 2014 07:26:54 GMT

Karthik,

First of all thank you for the kind consideration.

I will test it without object NAT today and will share the result with you. I am pretty sure it will work that way. The issue is that it was all working well while using 8.6. We have production running and there are 40-50 object NATs running. I cannot afford to add all of them in NAT section 1. Cause this does not make any sense.Since the dynamic PAT is in section 3 and object NAT in section 2. So technically since my traffic matches in section 2 . It should implement that NAT instead of staying in NAT section 3.This is the NAT which is causing conflicts. But this is NAT section 3 and my object NAT for the host is in section 2.

nat (INSIDE,OUTSIDE) after-auto source dynamic LOWER-SEGMENT x.x.x.x destination static DNS-SERVERS DNS-SERVERS service DNS-TCP DNS-TCP
nat (INSIDE,OUTSIDE) after-auto source dynamic LOWER-SEGMENT x.x.x.x destination static DNS-SERVERS DNS-SERVERS service DNS-UDP DNS-UDP

LOWER-SEGMENT: Tthis object group carries the subnet 10.12.7.0/24

While my section 2 NAT is

object network 10-12-7-93
nat (INSIDE,OUTSIDE) static y.y.y.y

end

Hi, Yeah... I agree with your

nkarthikeyan — Wed, 27 Aug 2014 09:44:59 GMT

Hi,

Yeah... I agree with your problem with 9.1x. I suggest you to upgrade to 9.2 version, since i see this as a bug... because the same config and syntax was working with 8.6 version.

Regards

Karthik

Karthik,You are right seems

Rizwan Khan — Wed, 27 Aug 2014 11:25:45 GMT

Karthik,

You are right seems like a bug, but the concerning thing is that Cisco technical support does not know about it. I had opened a case with them and still they have not related it to any Bug.

On Cisco website version 9.1.5 is the recommended version and i do not see any 9.2 with Cisco's recommendation yet. Anyways thanks for your help. Ill post the solution if i am able to find one except that to either upgrade or degrade the firewalls.