topic Re: ASA v9.12.x nat problem in Network Security

ASA v9.12.x nat problem

takkerZAB — Thu, 30 May 2019 19:43:02 GMT

Hello.

i have config on asa 5525-x v9.10.2 and before it. Config working fine.

1) nat (internet,dmz) source static any any destination static x.x.x.x 10.200.5.1 service https https no-proxy-arp
2) nat (inside,dmz) source static any any destination static x.x.x.x 10.200.5.1 service https https no-proxy-arp

when I updated to the 9.12.1 and 9.12.2 version, an error appeared. Line 2 can not be added.
"ERROR: NAT unable to reserve ports"

Please tell me. What`s the problem in 9.12.X version ?

Re: ASA v9.12.x nat problem

Maykol Rojas — Thu, 30 May 2019 21:13:24 GMT

I honestly don't think it is version related.

Is the x.x.x.x the Public IP address of the firewall? If so, if ASDM is enable, you will get this error message.

Mike.

Re: ASA v9.12.x nat problem

takkerZAB — Fri, 31 May 2019 05:28:19 GMT

x.x.x.x sipmle public address from routed network. Not interface address.

Re: ASA v9.12.x nat problem

takkerZAB — Fri, 31 May 2019 07:28:51 GMT

same problem with 9.9.9.9 and 10.10.10.10

5525x(config)# nat (internet,inside) 10 source static any any destination static 9.9.9.9 10.10.10.10 service 3389 3389 no-proxy-arp
WARNING: Pool (0.0.0.0) overlap with existing pool.
5525x(config)# nat (internet2,inside) 11 source static any any destination static 9.9.9.9 10.10.10.10 service 3389 3389 no-proxy-arp
WARNING: Pool (0.0.0.0) overlap with existing pool.
ERROR: NAT unable to reserve ports.

Re: ASA v9.12.x nat problem

takkerZAB — Mon, 03 Jun 2019 12:58:34 GMT

There is still a problem. Please help.

Re: ASA v9.12.x nat problem

Oscar Castillo — Mon, 03 Jun 2019 13:34:14 GMT

Looking at the IP address, it seems to be that the assigned to the interface on the ASA.

The issue is, that your firewall has the port 443 enable for ASDM.

Also, look where you are pointing the destination address to the interface on the ASA.

To better assist you, please paste the configuration here.

Thanks,

Oscar

Re: ASA v9.12.x nat problem

takkerZAB — Mon, 03 Jun 2019 14:20:33 GMT

@Oscar Castillo wrote:
Looking at the IP address, it seems to be that the assigned to the interface on the ASA.
The issue is, that your firewall has the port 443 enable for ASDM.

Also, look where you are pointing the destination address to the interface on the ASA.

To better assist you, please paste the configuration here.

Thanks,
Oscar

My test configuration:

Re: ASA v9.12.x nat problem

navion — Tue, 04 Jun 2019 10:01:51 GMT

Seems that ASDM 9.12.2 is completely broken, you also get error messages with ACLs, because it sends a nonexisting command:

[ERROR] access-list mode manual-commit
access-list mode manual-commit
            ^
ERROR: % Invalid input detected at '^' marker.

Re: ASA v9.12.x nat problem

Maykol Rojas — Tue, 04 Jun 2019 13:45:24 GMT

If due to security reasons you cannot share the configuration, I would suggest opening a TAC ticket, because we might need to see the entire configuration to verify where the error is.

Mike.

Re: ASA v9.12.x nat problem

Maykol Rojas — Tue, 04 Jun 2019 13:46:09 GMT

Hi,

Would you be able to describe the steps to reproduce this problem?

Mike.

Re: ASA v9.12.x nat problem

navion — Tue, 04 Jun 2019 13:57:17 GMT

1. Open ASDM > Configuration > Firewall > Advanced > ACL Manager
2. Add new ACL
3. Add new ACE
4. When you click Apply, an error window appears.

Also applies to existing ACLs in the Access Rules section with ASDM 7.12.2 and ASA 9.8.3 or 9.12.2.

Re: ASA v9.12.x nat problem

Maykol Rojas — Tue, 04 Jun 2019 14:09:11 GMT

Awesome.

When you upgraded the Firewall version, did you also upgrade the ASDM?

What ASDM version are you using?

Re: ASA v9.12.x nat problem

navion — Tue, 04 Jun 2019 14:46:18 GMT

I upgraded only ASDM.
The issue present in both versions: 9.8.3 with the existing configuration on 5516-X and 9.12.2 with a clean install on ASAv.

Re: ASA v9.12.x nat problem

Maykol Rojas — Tue, 04 Jun 2019 15:21:05 GMT

What version of ASDM are you running?

Re: ASA v9.12.x nat problem

navion — Tue, 04 Jun 2019 15:22:44 GMT

ASDM 7.12.2

Re: ASA v9.12.x nat problem

takkerZAB — Wed, 05 Jun 2019 06:39:36 GMT

Please open a new topic for discussion ASDM.

Re: ASA v9.12.x nat problem

takkerZAB — Wed, 05 Jun 2019 06:58:35 GMT

Tested on clean asa 5515-x. Same problem!

asa5515x(config)# nat (internet,inside) 1 source static any any destination static 9.9.9.9 10.10.10.10 service 3389 3389 no-proxy-arp
asa5515x(config)# nat (internet2,inside) 2 source static any any destination static 9.9.9.9 10.10.10.10 service 3389 3389 no-proxy-arp
WARNING: Pool (0.0.0.0) overlap with existing pool.
ERROR: NAT unable to reserve ports.

ASA Version 9.12(2)
!
hostname asa5515x
domain-name
enable password
names
no mac-address auto

!
interface GigabitEthernet0/0
nameif internet
security-level 0
ip address 7.7.7.7 255.255.255.0
!
interface GigabitEthernet0/1
nameif internet2
security-level 0
ip address 7.7.8.7 255.255.255.0
!
interface GigabitEthernet0/2
nameif inside
security-level 100
ip address 10.7.8.7 255.255.255.0
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
nameif management
security-level 0
ip address 10.10.5.235 255.255.255.0
!
boot system disk0:/asa9-12-2-smp-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name sgb.rus
object service 3389
service tcp destination eq 3389
object-group network 9.9.9.9
network-object host 9.9.9.9
object-group network 10.10.10.10
network-object host 10.10.10.10
pager lines 24
mtu management 1500
mtu internet 1500
mtu internet2 1500
mtu inside 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (internet,inside) source static any any destination static 9.9.9.9 10.10.10.10 service 3389 3389 no-proxy-arp
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication login-history
http server enable
http 0.0.0.0 0.0.0.0 management
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 60
ssh stricthostkeycheck
ssh 0.0.0.0 0.0.0.0 management
ssh timeout 60
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
hsts
enable
max-age 31536000
include-sub-domains
no preload
anyconnect-essentials
cache
disable
error-recovery disable
dynamic-access-policy-record DfltAccessPolicy
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect dns preset_dns_map
policy-map type inspect dns migrated_dns_map_2
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily

Re: ASA v9.12.x nat problem

takkerZAB — Thu, 06 Jun 2019 11:08:04 GMT

Does anyone have a similar problem?

Re: ASA v9.12.x nat problem

provoz — Wed, 19 Jun 2019 05:28:55 GMT

Yes me too. After update to ASA 9.12(2) and ASDM 7.12(2) getting error:

[ERROR] access-list mode manual-commit

access-list mode manual-commit
^
ERROR: % Invalid input detected at '^' marker.

[OK] no access-list ******* line 25 remark ********
[OK] access-list ********* line 25 remark *********
[OK] access-list ******** line 26 extended permit ip host ******* any
[ERROR] access-list commit

access-list commit
ERROR: % Incomplete command

[ERROR] access-list mode auto-commit

access-list mode auto-commit
^
ERROR: % Invalid input detected at '^' marker.

Re: ASA v9.12.x nat problem

Elpakko — Wed, 19 Jun 2019 04:49:29 GMT

@provoz wrote:
Yes me too. After update to ASA 9.12(2) and 7.12(2) getting error:

[ERROR] access-list mode manual-commit

access-list mode manual-commit
^
ERROR: % Invalid input detected at '^' marker.

[OK] no access-list ******* line 25 remark ********
[OK] access-list ********* line 25 remark *********
[OK] access-list ******** line 26 extended permit ip host ******* any
[ERROR] access-list commit

access-list commit
ERROR: % Incomplete command

[ERROR] access-list mode auto-commit

access-list mode auto-commit
^
ERROR: % Invalid input detected at '^' marker.

For me also exactly the same error every time I Apply Access Rules. ASDM 7.12(2) and ASA 9.12(2). Any updates on this how to fix it?