topic Some ICMP drop from inside to outside. in Network Security

Some ICMP drop from inside to outside.

Mikael Gustafsson — Tue, 12 Mar 2019 02:36:43 GMT

Hi,

After upgrading from 8.4.x to 9.1.2 I got some drop in ICMP from inside to specific servers on Internet.

When I ping from a server or host on the inside I get the drop-reason nat-no-xlate-to-pat-pool with pacet tracer. If I ping from the ASA it works as I should.

Traffic going this way uses the default dynamic PAT: any - any -> outside interface

If I ping fex 8.8.8.8 there are no problem.

Anyone know the meaning of this drop-reason?

(Also tried 9.0.3 because of a VPN bug but the same result.)

------------------

act/SKL-FW1# sh cap CAP packet-number 3 trace detail

4 packets captured

3: 21:34:06.790425 001a.6ca5.02bf c464.1367.06ab 0x0800 Length: 74

172.22.10.12 > 84.17.x.x: icmp: echo request (ttl 127, id 21136)

Phase: 1

Type: CAPTURE

Subtype:

Result: ALLOW

Config:

Additional Information:

MAC Access list

Phase: 2

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

MAC Access list

Phase: 3

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in 0.0.0.0 0.0.0.0 outside

Result:

output-interface: outside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (nat-no-xlate-to-pat-pool) Connection to PAT address without pre-existing xlate

Cheers

Message was edited by: Mikael Gustafsson

Some ICMP drop from inside to outside.

Julio Carvajal — Wed, 11 Sep 2013 19:24:23 GMT

Hello Mikael,

Can you share the entire output of the packet-tracer ?

Does the packet tracer involves any IP address on the ASA itself?

For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com

Any question contact me at jcarvaja@laguiadelnetworking.com

Cheers,

Julio Carvajal Segura

Some ICMP drop from inside to outside.

Mikael Gustafsson — Thu, 12 Sep 2013 05:11:01 GMT

Hi Julio,

Thats the strange part, this is the entire output of packet no 3. (exept: 1 packet shown)

Cheers

Some ICMP drop from inside to outside.

Julio Carvajal — Thu, 12 Sep 2013 05:19:21 GMT

Okey,

So you are trying to ping from

172.12.112.12 to 84.17.x.x

I mean those 2 IP addresses are public, are you trying to ping from the ASA outside interface to an outside host or do you have a public address range on your inside?

Can you write down a little diagram of what we are trying to do! cause it looks like you are trying to ping the IP address of the ASA (Used on PAT).

Some ICMP drop from inside to outside.

Mikael Gustafsson — Thu, 12 Sep 2013 07:33:01 GMT

Aa sorry, my try to obscure the IP, no need really 🙂

So, ping from inside, private IP range, to two servers on 84.17.x.x give me that error when capturing with trace

If I ping from ASA it works.

Cheers

Some ICMP drop from inside to outside.

Julio Carvajal — Thu, 12 Sep 2013 15:24:25 GMT

Hello Mikael,

So you are pinging 2 outside servers from the internal network?

Are those 2 servers on the outside world or are they being used for a NAT statement?

Do the following:

Packet-tracer input inside icmp inside_host_ip 8 0 84.17.x.x

Then provide us the output,

Some ICMP drop from inside to outside.

Mikael Gustafsson — Fri, 13 Sep 2013 07:09:58 GMT

Hi Julio,

Thanks for your help

Both servers are on the outside. The serve as an outsourced service for the end customer, and to have some sort of monitoring they use Nagios and ping

The result from simulated pacet tracer are the same as from packet tracer on the actual captured packet.

Do you have an explanation of the result, 'nat-no-xlate-to-pat-pool'? What does it mean?

act/SKL-FW1# Packet-tracer input inside icmp 172.22.10.12 8 0 84.17.x.x

Phase: 1

Type: CAPTURE

Subtype:

Result: ALLOW

Config:

Additional Information:

MAC Access list

Phase: 2

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

MAC Access list

Phase: 3

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in 0.0.0.0 0.0.0.0 outside

Result:

input-interface: inside

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (nat-no-xlate-to-pat-pool) Connection to PAT address without pre-existing xlate

act/SKL-FW1#

Cheers

Some ICMP drop from inside to outside.

malshbou — Fri, 13 Sep 2013 12:41:16 GMT

Hi Mikael,

This is a known issue in 9.x NAT behaviour. We cannot say it is bug, but it is a re-design for NAT.

The issue occurs when request is made for non-mapped service on a host, for which static identity NAT is configured along with service port translation (either identity or non-identity).

For example, with following NAT rule:

object network MyServer

host 2.1.11.2

nat (outside,inside) static MyServer service tcp www 8080

Making a request to the mapped (outside host) port 8080 from inside host works fine; however request for other services on the outside server (such as SMTP) doesn't go through.

Workaround:

To make other services on the outside server accessible, configure explicit NAT rule to allow the services. For example, to allow access to HTTP as well as SMTP service on above server, configure:

object network MyWWWServer

host 2.1.11.2

nat (outside,inside) static MyWWWServer service tcp www 8080

object network MySMTPServer

host 2.1.11.2

nat (outside,inside) static MySMTPServer service tcp smtp 8025

This issue has been documented in a DOC bug, but it is still not available in Cisco.com bug toolkit.

If you still cannot match the mentioned conditions to your nat config and figure out the missing NAT. Please post your nat config here.

Regards.
Mashal Shboul

Some ICMP drop from inside to outside.

Mikael Gustafsson — Fri, 13 Sep 2013 13:05:56 GMT

Hi Mashal,

So if I understand right, to get ICMP to work I need an to create an extra NAT for just this translation?

Do you have an example?

Cheers

Some ICMP drop from inside to outside.

malshbou — Fri, 13 Sep 2013 13:19:06 GMT

Hi Mikael,

I already mentioned an example.

I cannot accurately answer your question without seeing your NAT rules. But generally you need to add NAT rule to match the flow since one of the flow's IP addresses matches another xlate.

------------------
Mashal Shboul

Some ICMP drop from inside to outside.

Mikael Gustafsson — Fri, 13 Sep 2013 13:48:44 GMT

Yes, I was thinking of an ICMP example.

And thoes servers I try to ping have both other sessions.

sh xlate

TCP PAT from outside:84.17.x.x and

NAT from outside:84.17.x.x

I get an error when I try to configure it. Both on object nat and manual NAT.

(probably me missing something here)

ERROR: real service object includes protocol that doesnt match TCP or UDP.

Re: Some ICMP drop from inside to outside.

Julio Carvajal — Mon, 16 Sep 2013 01:36:02 GMT

Hello Mashal,

I was not aware of that information

Thanks for the information. Kudos to U

Re: Some ICMP drop from inside to outside.

Mikael Gustafsson — Mon, 16 Sep 2013 05:47:56 GMT

Hi Mashal,

Tested this last night and it's working now.

Thanks.

Cheers