topic Re: problems w/ PAT under 8.3 in Network Security

problems w/ PAT under 8.3

w951duu — Mon, 11 Mar 2019 19:27:14 GMT

We have problems with 8.3 firmware on our ASA.
I try to configure pooled-dynamic-pat and it appears that it is natting properly but doesn\'t do pat but instead does pooled-nat.

According to:
https://supportforums.cisco.com/docs/DOC-9129

object network Inside_network
subnet 172.16.1.0 255.255.255.0
description internal_network_object
object network DMZ_network
subnet 172.16.0.0 255.255.255.0
description dmz_network_object
object network Inside_nat_pool
range 72.232.6.6 72.232.6.8
object network DMZ_nat_pool
range 72.232.6.9 72.232.6.11

I tried both with doule nat rule in global config:
nat (DMZ,outside) source dynamic DMZ_network DMZ_nat_pool

and also with the local (network object singleton) nat rule
object network DMZ_network
nat(DMZ,outside) dynamic DMZ_nat_pool

After pool i exhausted (tried with packettracer and live servers) it returns error message saying it cannot create any new xlate and returns:
%ASA-3-305006: regular translation creation failed

Any help would be much appreciated.

Re: problems w/ PAT under 8.3

Kureli Sankar — Thu, 23 Dec 2010 18:34:59 GMT

That link is talking about

Pre 8.3

 nat (inside) 1 10.1.2.0 255.255.255.0
 global (outside) 1 interface 
 global (outside) 1 192.168.100.100-192.168.100.200

8.3:

 object network obj-192.168.100.100_192.168.100.200
   range 192.168.100.100 192.168.100.200
 object network obj-10.1.2.0
   subnet 10.1.2.0 255.255.255.0
   nat (inside,outside) dynamic obj-192.168.100.100_192.168.100.200 interface

But that is not what you have.

Can you try

object network DMZ_network
nat(DMZ,outside) dynamic DMZ_nat_pool interface

Dont' miss my ATE event: https://supportforums.cisco.com/community/netpro/ask-the-expert

-KS

Re: problems w/ PAT under 8.3

michal.bicz — Fri, 24 Dec 2010 10:07:18 GMT

We are talking about the same thing so please accept my update on this matter:

I did try what you suggested and the result is the same. It is not creating pat-pool over few addresses.

WIth interface keyword it creates a pat over one address (of external IF) and then 1-1 nat pool of the pool object group specified in nat command:

NAT from DMZ:172.16.0.102 to outside:1.1.1.10 flags i idle 0:00:40 timeout 3:00:00

NAT from DMZ:172.16.0.101 to outside:1.1.1.9 flags i idle 0:00:48 timeout 3:00:00

UDP PAT from DMZ:172.16.0.163/41364 to outside:1.1.1.2/64950 flags ri idle 0:00:01 timeout 0:00:30

1.1.1.2 is external interface

.9 and .10 are in the DMZ_nat_pool object range

When pool gets exhausted by either packet tracer and or real hosts it cannot create any new translations.

When dynamic pat over pool is configured it is not attempting to use the pat anymore It does nat only for the number of hosts that are in the pool and then stops giving error message.

There was also another nat rule with twice-nat so I added it in front of everything:

nat (DMZ,outside) 1 source dynamic DMZ_network DMZ_nat_pool

That didn't help too.

I did try using 'interface' keyword that you suggested but also no luck.

Do I have to reload the box or do anything else than 'clear xlate' to be effective.

I did try deleting DMZ_nat_pool and DMZ_network objects and re-creating them. No luck

When looking at the debug there is a message:

nat: WARNING - alloc socket in pool -1401456072 failed, prot 17/0, DMZ:172.16.0.5/54435 to outside

As a another idea I tried to do multiple host like mappings for outside traffic hoping it will start doing pat over pool properly.

dfw-prod-asa-01(config)# object network obj_100

dfw-prod-asa-01(config-network-object)# host 1.1.1.100

dfw-prod-asa-01(config-network-object)# exit

dfw-prod-asa-01(config)# object network obj_101

dfw-prod-asa-01(config-network-object)# host 1.1.1.101

dfw-prod-asa-01(config-network-object)# exit

dfw-prod-asa-01(config)# nat (DMZ,outside) source dynamic DMZ_network obj_100

dfw-prod-asa-01(config)# nat (DMZ,outside) source dynamic DMZ_network obj_101

WARNING: Pool (1.1.1.101) overlap with existing pool.

When pool is exhausted any new packet generated is giving such error:

dfw-prod-asa-01(config)# packet-tracer input DMZ icmp 172.16.0.211 0 0 8.8.8.8

Phase: 1

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in 0.0.0.0 0.0.0.0 outside

Phase: 2

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 3

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

class-map inspection_default

match default-inspection-traffic

policy-map global_policy

class inspection_default

inspect icmp

service-policy global_policy global

Additional Information:

Phase: 4

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

Additional Information:

Phase: 5

Type: DEBUG-ICMP

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 6

Type: NAT

Subtype:

Result: DROP

Config:

nat (DMZ,outside) source dynamic DMZ_network DMZ_nat_pool interface

Additional Information:

Result:

input-interface: DMZ

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

Any ideas?

Has anyone seen this behaviour before?

dfw-prod-asa-01(config)# show ver

Cisco Adaptive Security Appliance Software Version 8.3(2)

Device Manager Version 6.2(1)

Compiled on Fri 30-Jul-10 17:49 by builders

System image file is "disk0:/asa832-k8.bin"

Config file at boot was "startup-config"

dfw-prod-asa-01 up 2 days 20 hours

failover cluster up 9 days 10 hours

Hardware: ASA5510, 1024 MB RAM, CPU Pentium 4 Celeron 1599 MHz

Internal ATA Compact Flash, 256MB

BIOS Flash M50FW016 @ 0xfff00000, 2048KB

Re: problems w/ PAT under 8.3

Kureli Sankar — Fri, 24 Dec 2010 14:50:55 GMT

Pls. remove this line:

nat (DMZ,outside) 1 source dynamic DMZ_network DMZ_nat_pool

Pls. only use what I had mentioned earlier which is below and see if it works.

object network DMZ_network
nat(DMZ,outside) dynamic DMZ_nat_pool interface

-KS

Re: problems w/ PAT under 8.3

michal.bicz — Fri, 24 Dec 2010 15:04:24 GMT

As I mentioned it does not work as intended.

Outside communication is possible but the PAT is only occuring using the external interface IP address (.2) and not the whole pool.

Using your config:

send 4 pings:

2 executed exhausted the DMZ_nat_pool

then it started PAT over external IP address while it should do PAT over all the IPs from DMZ_nat_pool.

show xlate

ICMP PAT from DMZ:172.16.0.165/38958 to outside:1.1.1.2/54843 flags ri idle 0:00:26 timeout 0:00:30

NAT from DMZ:172.16.0.10 to outside:1.1.1.10 flags i idle 0:02:00 timeout 3:00:00

NAT from DMZ:172.16.0.101 to outside:1.1.1.9 flags i idle 0:01:54 timeout 3:00:00

ICMP PAT from DMZ:172.16.0.163/18493 to outside:1.1.1.2/8051 flags ri idle 0:00:02 timeout 0:00:30

Config:

object network DMZ_nat_pool

range 1.1.1.9 1.1.1.10

object network DMZ_network

subnet 172.16.0.0 255.255.255.0

nat (DMZ,outside) dynamic DMZ_nat_pool interface

Can you try to reproduce this error?

Re: problems w/ PAT under 8.3

Kureli Sankar — Fri, 24 Dec 2010 16:17:37 GMT

I think it is working as expected.

object network DMZ_network
subnet 172.16.0.0 255.255.255.0

object network DMZ_nat_pool
range 72.232.6.9 72.232.6.11

object network DMZ_network
nat(DMZ,outside) dynamic DMZ_nat_pool interface

When the range gets exhaused (DMZ_nat_pool) it is using the interface for PAT. That is what the above command is supposed to do and is doing.

I see both NAT and PAT in the ouput that you posted above. For ICMP and dynamic NAT - I'd enable icmp inspection.

I am not clear as to what you are explaining as incorrect behavior.

-KS

Re: problems w/ PAT under 8.3

w951duu — Fri, 24 Dec 2010 17:56:36 GMT

I think best course of action is to open a case with cisco.

Sent from Iphone

On Dec 24, 2010, at 9:04 AM, "michal.bicz"

Re: problems w/ PAT under 8.3

michal.bicz — Fri, 24 Dec 2010 18:33:47 GMT

Just to clarify. What you have is nat + masquerade pat. We want to do pat over multiple IPs and apparently this is immposible with 8.3(2)

Re: problems w/ PAT under 8.3

Kureli Sankar — Fri, 24 Dec 2010 20:19:45 GMT

nat pool and interface PAT for the DMZ network:

object network DMZ_network
subnet 172.16.0.0 255.255.255.0

object network DMZ_nat_pool
range 72.232.6.9 72.232.6.11

object network DMZ_network
nat(DMZ,outside) dynamic DMZ_nat_pool interface

Second PAT in addition to the above for the same DMZ network:

object network DMZ_network_1
subnet 172.16.0.0 255.255.255.0

object network DMZ_nat_pool
range 72.232.6.9 72.232.6.11

object network second-pat

host 1.1.1.x

object-group network dyn-nat-pat

network-object object DMZ_nat_pool

network-object object second-pat

object network DMZ_network_1
nat(DMZ,outside) dynamic dyn-nat-pat interface

I have added the above as an example in this link: https://supportforums.cisco.com/docs/DOC-9129

under NAT & Interface PAT with additional PAT together.

-KS

Re: problems w/ PAT under 8.3

michal.bicz — Mon, 27 Dec 2010 08:35:25 GMT

I still think we are not on the same page.

I just want to do this and from the traffic and nat table I am unable to do so. I don't need pooled nat but rather a pooled PAT meaning any given host from inside/dmz will be portmaped with the IP from the pool. So in the theory I might have POOL_MEMBERS * 64000 number of connections.

When your config is activated first what is happening is any DMZ host is taking one-by-one members of the pool and because timeout of xlate is longer (3hrs) it stays there in xlate table. Any new connection is then PATed to single IP of .2 with shorter xlate timeout (30s). Essentially this reduces number of connections to only 64000.

show xlate when trying different hosts from DMZ:

TCP PAT from DMZ:172.16.0.121/8213 to outside:72.232.6.2/33144 flags ri idle 0:00:10 timeout 0:00:30

NAT from DMZ:172.16.0.10 to outside:72.232.6.10 flags i idle 0:01:21 timeout 3:00:00

TCP PAT from DMZ:172.16.0.123/8213 to outside:72.232.6.2/33114 flags ri idle 0:00:05 timeout 0:00:30

NAT from DMZ:172.16.0.11 to outside:72.232.6.9 flags i idle 0:01:10 timeout 3:00:00

TCP PAT from DMZ:172.16.0.120/8213 to outside:72.232.6.2/7174 flags ri idle 0:00:15 timeout 0:00:30

pre 8.3 config

---snip---

global (outside) 10 1.1.1.9

global (outside) 10 1.1.1.5

global (outside) 10 1.1.1.6

global (outside) 10 1.1.1.7

global (outside) 10 1.1.1.8

global (outside) 5 12.2.2.33

nat (Inside) 10 172.17.1.0 255.255.255.0

nat (DMZ) 5 access-list acl_outside_1

nat (DMZ) 10 172.17.0.0 255.255.255.0

---snip---

Can you create a PAT pool under 8.3(2) that would reflect the above config?

Regards,

Re: problems w/ PAT under 8.3

Kureli Sankar — Mon, 27 Dec 2010 15:21:09 GMT

I think you didn't refer the sample that I added to this link:https://supportforums.cisco.com/docs/DOC-9129

All you had to do was to add all the pat addresses to the object-group. If you do an upgrade from old 8.2 config to 8.3 the upgrade will automatically do this for you.

Anyway,

Pre 8.3: (only focusing on nat id 10)

global (outside) 10 1.1.1.9

global (outside) 10 1.1.1.5

global (outside) 10 1.1.1.6

global (outside) 10 1.1.1.7

global (outside) 10 1.1.1.8

nat (Inside) 10 172.17.1.0 255.255.255.0

nat (DMZ) 10 172.17.0.0 255.255.255.0

8.3: (I am only providing the conversion for nat ID 10)

object network DMZ-network

subnet 172.17.0.0 255.255.255.0

object network inside-network

subnet 172.17.1.0 255.255.255.0

object network pat-addr-1

host 1.1.1.9

object network pat-addr-2

host 1.1.1.5

object network pat-addr-3

host 1.1.1.6

object network pat-addr-4

host 1.1.1.7

object network pat-addr-5

object-group network 5-pat-addr

network-object object pat-addr-1

network-object object pat-addr-2

network-object object pat-addr-3

network-object object pat-addr-4

network-object objec pat-addr-5

object network DMZ-network

nat (DMZ,outside) dynamic 5-pat-addr

object network inside-network

nat (inside,outside) dynamic 5-pat-addr

-KS

Re: problems w/ PAT under 8.3

michal.bicz — Tue, 28 Dec 2010 11:31:13 GMT

Thank you!

That worked perfectly.

Re: problems w/ PAT under 8.3

Kureli Sankar — Tue, 28 Dec 2010 13:48:41 GMT

Glad to hear. Thanks for rating. Pls. consider marking this thread answered as well.

-KS