NAT lookup changes in 9.1.5

nairgirish
Level 1

I did an upgrade on HA from 9.1.2 to 9.1.5, but after the upgrade the lookup behavior has changed.

On 9.1.2 it's NAT

______

packet-tracer input INSIDE tcp 10.10.0.10 5555 1.1.1.1 443

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (INSIDE,OUTSIDEPUB) after-auto source static NET_10.0.0_8 NET_10.0.0_8 service Shttps443 Shttps443 no-proxy-arp
Additional Information:
NAT divert to egress interface OUTSIDEPUB
Untranslate 1.1.1.1/443 to 1.1.1.1/443

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group INSIDE in interface INSIDE
access-list INSIDE extended permit tcp 10.0.0.0 255.0.0.0 any object-group INLINE_TCP
object-group service INLINE_TCP tcp
port-object eq https
Additional Information:

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (INSIDE,OUTSIDEPUB) after-auto source static NET_10.0.0_8 NET_10.0.0_8 service Shttps443 Shttps443 no-proxy-arp
Additional Information:
Static translate 10.10.0.10/5555 to 10.10.0.10/5555

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type:
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type:
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type:
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type:
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 12
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (INSIDE,OUTSIDEPUB) after-auto source static NET_10.0.0_8 NET_10.0.0_8 service Shttps443 Shttps443 no-proxy-arp
Additional Information:

Phase: 13
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 14
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 15
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 16
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 94829, packet dispatched to next module

Result:
input-interface: INSIDE
input-status: up
input-line-status: up
output-interface: OUTSIDEPUB
output-status: up
output-line-status: up
Action: allow

_________

After 9.1.5 it's route lookup

________


packet-tracer input INSIDE tcp 10.10.0.10 5555 1.1.$

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         OUTSIDE

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group INSIDE in interface INSIDE
access-list INSIDE extended permit tcp 10.0.0.0 255.0.0.0 any object-group INLINE_TCP
object-group service INLINE_TCP tcp
port-object eq https
Additional Information:

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (INSIDE,OUTSIDE) after-auto source static NET_10.0.0_8 NET_10.0.0_8 service Shttps443 Shttps443 no-proxy-arp route-lookup
Additional Information:
Static translate 10.10.0.10/5555 to 10.10.0.10/5555

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type:
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type:
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type:
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type:
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (INSIDE,OUTSIDE) after-auto source static NET_10.0.0_8 NET_10.0.0_8 service Shttps443 Shttps443 no-proxy-arp route-lookup
Additional Information:

Result:
input-interface: INSIDE
input-status: up
input-line-status: up
output-interface: OUTSIDE
output-status: up
output-line-status: up
Action: drop
What went wrong? Are there some changes in the new version? I cannot upgrade to a higher version as I'm not on X-platform hardware.

4 Replies

Can you post the complete NAT config for both scenarios? Different rules match in 9.1(2) and 9.1(5).

With v9.1(2):

nat (INSIDE,OUTSIDEPUB) after-auto source static NET_10.0.0_8 NET_10.0.0_8 service Shttps443 Shttps443 no-proxy-arp

You are using NAT divert to find the egress interface: the NAT rule matches the traffic and picks the post-NAT interface OUTSIDEPUB.

With v9.1(5):

nat (INSIDE,OUTSIDE) after-auto source static NET_10.0.0_8 NET_10.0.0_8 service Shttps443 Shttps443 no-proxy-arp route-lookup

This rule is configured with "route-lookup", which means that the destination address 1.1.1.1 is used to find the egress interface (OUTSIDE) in the routing table, and the corresponding NAT rule is then used.
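To make the difference between the two traces concrete, here is an added example (not code from the original post, and not Cisco's implementation): a small Python model of egress-interface selection for a twice NAT rule with and without route-lookup. The routing table (only the default route via OUTSIDE), the two rules and the test packet 10.10.0.10:5555 -> 1.1.1.1:443 are taken from the traces in the thread; the rule-matching order, the treatment of Shttps443 as destination port 443, and the rpf-check comparison are this model's own simplifications and are not ASA behaviour shown on the page. The third scenario (the OUTSIDEPUB rule with route-lookup added) goes beyond what the thread shows and only reports what the model computes.

```python
"""Model of ASA egress-interface selection for twice (manual) NAT.

Without `route-lookup` the ASA diverts the packet to the rule's mapped
interface (NAT divert); with `route-lookup` the destination address is looked
up in the routing table instead. Everything here is a constructed model.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple


@dataclass
class Route:
    prefix: IPv4Network
    interface: str


@dataclass
class NatRule:
    real_ifc: str          # first interface in "nat (REAL,MAPPED)"
    mapped_ifc: str        # second interface in "nat (REAL,MAPPED)"
    src: IPv4Network       # real source object (identity NAT: mapped == real)
    dst: IPv4Network       # no destination clause on the page -> any
    dport: Optional[int]   # Shttps443 modelled as destination port 443
    route_lookup: bool = False


def longest_match(routes: List[Route], dst: IPv4Address) -> Optional[str]:
    """Longest-prefix lookup, as the ROUTE-LOOKUP phase does."""
    best: Optional[Route] = None
    for r in routes:
        if dst in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best.interface if best else None


def first_matching_rule(rules, in_ifc, src, dst, dport) -> Optional[NatRule]:
    """Twice NAT rules are evaluated in order; the first match wins."""
    for r in rules:
        if (r.real_ifc == in_ifc and src in r.src and dst in r.dst
                and (r.dport is None or r.dport == dport)):
            return r
    return None


def egress_interface(rule: NatRule, routes: List[Route], dst: IPv4Address) -> str:
    """NAT divert (mapped interface) unless the rule carries route-lookup."""
    if rule.route_lookup:
        return longest_match(routes, dst)
    return rule.mapped_ifc


def trace(routes, rules, in_ifc, src, sport, dst, dport) -> Tuple[str, List[str]]:
    """Return (egress interface, phase descriptions) for one packet."""
    src, dst = IPv4Address(src), IPv4Address(dst)
    phases: List[str] = []
    rule = first_matching_rule(rules, in_ifc, src, dst, dport)
    if rule is None:
        egress = longest_match(routes, dst)
        phases.append(f"ROUTE-LOOKUP input -> {egress} (no NAT rule matched)")
        return egress, phases
    egress = egress_interface(rule, routes, dst)
    if rule.route_lookup:
        phases.append(f"ROUTE-LOOKUP input -> {egress}")
    else:
        phases.append(f"UN-NAT static: NAT divert to egress interface {egress}")
    phases.append(f"NAT static: translate {src}/{sport} to {src}/{sport}")
    # Model of the rpf-check phase: the chosen egress interface must be the
    # rule's own mapped interface, otherwise the interface pair is inconsistent.
    if egress == rule.mapped_ifc:
        phases.append("NAT rpf-check: ALLOW")
    else:
        phases.append(f"NAT rpf-check: egress {egress} != rule mapped interface {rule.mapped_ifc}")
    return egress, phases


# Constructed routing table: only the default route printed in the 9.1(5) trace.
ROUTES = [Route(IPv4Network("0.0.0.0/0"), "OUTSIDE")]
NET_10 = IPv4Network("10.0.0.0/8")
ANY = IPv4Network("0.0.0.0/0")

# Rule as printed by the 9.1(2) trace: no route-lookup, mapped interface OUTSIDEPUB.
RULE_912 = NatRule("INSIDE", "OUTSIDEPUB", NET_10, ANY, 443, route_lookup=False)
# Rule as printed by the 9.1(5) trace: route-lookup, mapped interface OUTSIDE.
RULE_915 = NatRule("INSIDE", "OUTSIDE", NET_10, ANY, 443, route_lookup=True)
# Hypothetical: the OUTSIDEPUB rule with route-lookup added (not shown on the page).
RULE_PUB_RL = NatRule("INSIDE", "OUTSIDEPUB", NET_10, ANY, 443, route_lookup=True)

PKT = ("INSIDE", "10.10.0.10", 5555, "1.1.1.1", 443)


def egress_912():
    return trace(ROUTES, [RULE_912], *PKT)


def egress_915():
    return trace(ROUTES, [RULE_915], *PKT)


def egress_pub_with_route_lookup():
    return trace(ROUTES, [RULE_PUB_RL], *PKT)


if __name__ == "__main__":
    for label, fn in (("9.1(2) rule", egress_912), ("9.1(5) rule", egress_915),
                      ("OUTSIDEPUB rule + route-lookup", egress_pub_with_route_lookup)):
        egress, phases = fn()
        print(f"{label}: egress {egress}")
        for p in phases:
            print("  ", p)
```

Run it and the first scenario reproduces the NAT divert to OUTSIDEPUB from the 9.1(2) trace, the second the routing-table choice of OUTSIDE from the 9.1(5) trace. The third scenario shows why the keyword matters: once routing decides, a rule whose mapped interface is not the routed interface no longer lines up with the egress the packet actually takes.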

It's the same NAT config on both boxes; I did the upgrade on the secondary and then failed over to the secondary (no configuration changes are seen when compared).

But due to this NAT behavior change I had to fail over back to the primary, which still runs 9.1(2).

Basically I'm looking for whether there are any changes in 9.1(5) for NAT / route lookup.

Accepted Solution:

At least there are resolved bugs for route-lookup:

CSCul98420

'Route-Lookup' Behavior Assumed for Twice NAT with Identity Destination

Does that mean it was a bug until 9.1(2), and 9.1(5) fixed this behavior?

I need to change the NAT rules completely after the upgrade to fix the issue.
