Type: HOST-LIMIT DROP while NAT

ELIE IBRAHIM — Tue, 12 Mar 2019 01:57:29 GMT

Dear

setting the below configuration the inside devices are not able to nat to outside

runing packet tracer Type: HOST-LIMIT is Dropping althought there is only 1 user

please advise

sh run

: Saved

ASA Version 8.4(6)

enable password

passwd

names

interface Ethernet0/0

switchport access vlan 2

interface Ethernet0/1

interface Ethernet0/2

interface Ethernet0/3

interface Ethernet0/4

interface Ethernet0/5

interface Ethernet0/6

interface Ethernet0/7

interface Vlan1

nameif inside

security-level 100

ip address 192.168.210.1 255.255.255.0

interface Vlan2

nameif outside

security-level 0

ip address 192.168.1.50 255.255.255.0

boot system disk0:/asa846-k8.bin

ftp mode passive

clock timezone Athens 2

clock summer-time Athens recurring last Sun Mar 23:00 last Sun Oct 23:00

object network obj-192.168.210.11

host 192.168.210.11

object network obj-192.168.210.10

host 192.168.210.10

object network obj_any

subnet 0.0.0.0 0.0.0.0

object network obj-192.168.210.0-01

subnet 192.168.210.0 255.255.255.0

access-list incoming extended permit tcp any any eq 5902

access-list incoming extended permit tcp any any eq 5900

access-list incoming extended permit icmp any any

access-list incoming extended permit udp any any eq snmp

access-list outgoing extended permit ip any any

pager lines 24

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-712.bin

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

object network obj-192.168.210.11

nat (inside,outside) static interface service tcp 5900 5900

object network obj-192.168.210.10

nat (inside,outside) static interface service tcp 5900 5902

object network obj-192.168.210.0-01

nat (inside,outside) dynamic interface

access-group outgoing in interface inside

access-group incoming in interface outside

route outside 0.0.0.0 0.0.0.0 192.168.1.254 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication http console LOCAL

aaa authentication ssh console LOCAL

http server enable

http 0.0.0.0 0.0.0.0 inside

http 0.0.0.0 0.0.0.0 outside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

crypto ca trustpoint _SmartCallHome_ServerCA

crl configure

crypto ca certificate chain _SmartCallHome_ServerCA

telnet 0.0.0.0 0.0.0.0 inside

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 inside

ssh 0.0.0.0 0.0.0.0 outside

ssh timeout 5

ssh key-exchange group dh-group1-sha1

console timeout 0

management-access inside

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ssl encryption des-sha1

webvpn

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect ip-options

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp

inspect icmp

service-policy global_policy global

prompt hostname context

call-home reporting anonymous

call-home

profile CiscoTAC-1

no active

destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

destination address email callhome@cisco.com

destination transport-method http

subscribe-to-alert-group diagnostic

subscribe-to-alert-group environment

subscribe-to-alert-group inventory periodic monthly

subscribe-to-alert-group configuration periodic monthly

subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:83319ef6c35b6031987e5c7704d89f3b

: end

# sh local-host

Detected interface 'outside' as the Internet interface. Host limit applies to all other interfaces.

Current host count: 0, towards licensed host limit of: 10

Interface outside: 1 active, 4 maximum active, 0 denied

Interface inside: 0 active, 2 maximum active, 0 denied

Interface _internal_loopback: 0 active, 0 maximum active, 0 denied

# packet-tracer in in tcp 192.168.210.10 123 192.168.1.254 www

Phase: 1

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in 192.168.1.0 255.255.255.0 outside

Phase: 2

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group outgoing in interface inside

access-list outgoing extended permit ip any any

Additional Information:

Phase: 3

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 4

Type: NAT

Subtype:

Result: ALLOW

Config:

object network obj-192.168.210.0-01

nat (inside,outside) dynamic interface

Additional Information:

Dynamic translate 192.168.210.10/123 to 192.168.1.50/123

Phase: 5

Type: HOST-LIMIT

Subtype:

Result: DROP

Config:

Additional Information:

Result:

input-interface: inside

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

Type: HOST-LIMIT DROP while NAT

Jouni Forss — Thu, 13 Jun 2013 14:21:03 GMT

Hi,

Remember seeing this once before.

Could you please boot the ASA to software level 8.4(5) and try again?

I think this is probably a bug with the 8.4(6) software maintanance release

- Jouni

Type: HOST-LIMIT DROP while NAT

Julio Carvajal — Thu, 13 Jun 2013 17:35:43 GMT

Hello Elie,

Here is the bug ID:

CSCuh23347

Fix:

upgrade to 9.0.2, 9.1.2 or downgrade to 8.2.5. Also works on 8.4.5.6

Regards,

Remember to rate all of the helpful posts.

For this community that's as important as a thanks.

Type: HOST-LIMIT DROP while NAT

ELIE IBRAHIM — Fri, 14 Jun 2013 04:47:26 GMT

thanks

upgraded to 902 and it worked

Type: HOST-LIMIT DROP while NAT

Julio Carvajal — Fri, 14 Jun 2013 04:50:59 GMT

Hello Elie,

Amazing, Glad to help,

Regards

Remember to rate all of the helpful posts.

For this community that's as important as a thanks.

topic Type: HOST-LIMIT DROP while NAT in Network Security

Type: HOST-LIMIT DROP while NAT

Type: HOST-LIMIT DROP while NAT

Type: HOST-LIMIT DROP while NAT

Type: HOST-LIMIT DROP while NAT

Type: HOST-LIMIT DROP while NAT