ASA5580-20 UN-NAT issue after upgrade from 8.4(4)1 to 8.4(7)23

Dear all,

UN-NAT for this type of rule stopped working after upgrading from 8.4(4)1 to 8.4(7)23:

nat (inside,dmz) source static obj-192.168.50.182 obj-1.1.1.1


packet-tracer 8.4(4)1:

Phase: 1
Type: ACCESS-LIST
Subtype: 
Result: ALLOW
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7ffe8cc12d70, priority=1, domain=permit, deny=false
        hits=5910456, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000
        input_ifc=dmz, output_ifc=any

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,dmz) source static obj-192.168.50.182 obj-1.1.1.1
Additional Information:
NAT divert to egress interface inside
Untranslate 1.1.1.1/8009 to 192.168.50.182/8009

Phase: 3      
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group dmz_acl in interface dmz
access-list dmz_acl extended permit tcp host 1.1.1.1 host 192.168.50.182 eq 8009 
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7ffe88bf3160, priority=13, domain=permit, deny=false
        hits=197, user_data=0x7ffe79eb1d40, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
        src ip/id=1.1.1.1, mask=255.255.255.255, port=0
        dst ip/id=192.168.50.182, mask=255.255.255.255, port=8009, dscp=0x0
        input_ifc=dmz, output_ifc=any

Phase: 4
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7ffe8cc13370, priority=0, domain=inspect-ip-options, deny=true
        hits=292572, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=dmz, output_ifc=any


Phase: 5
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7ffe8cc12a70, priority=20, domain=lu, deny=false
        hits=12578, user_data=0x0, cs_id=0x0, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=dmz, output_ifc=any

Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,dmz) source static obj-192.168.50.182 obj-1.1.1.1
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0x7ffe8d0723e0, priority=6, domain=nat-reverse, deny=false
        hits=198, user_data=0x7ffe8c5e2320, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=192.168.50.182, mask=255.255.255.255, port=0, dscp=0x0
        input_ifc=dmz, output_ifc=inside

Phase: 7
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0x7ffe8e1f7a20, priority=0, domain=inspect-ip-options, deny=true
        hits=378226, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=inside, output_ifc=any

Phase: 8
Type: FLOW-CREATION
Subtype: 
Result: ALLOW
Config:       
Additional Information:
New flow created with id 719559, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: dmz
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow


packet-tracer 8.4(7)23:

Phase: 1
Type: ACCESS-LIST
Subtype: 
Result: ALLOW
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7ffe8b36d970, priority=1, domain=permit, deny=false
        hits=349664567, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000
        input_ifc=dmz, output_ifc=any

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside


Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group dmz_acl in interface dmz
access-list dmz_acl extended permit ip any any 
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7ffe8c55f2c0, priority=13, domain=permit, deny=false
        hits=526702, user_data=0x7ffe79333180, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=dmz, output_ifc=any

Phase: 4
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7ffe8b310500, priority=0, domain=inspect-ip-options, deny=true
        hits=5396981, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=dmz, output_ifc=any

Phase: 5
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7ffe8a6e2590, priority=20, domain=lu, deny=false
        hits=273057, user_data=0x0, cs_id=0x0, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=dmz, output_ifc=any

Phase: 6
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0x7ffe8a589780, priority=0, domain=inspect-ip-options, deny=true
        hits=5920889, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=outside, output_ifc=any


Phase: 7
Type: FLOW-CREATION
Subtype: 
Result: ALLOW
Config:
Additional Information:
New flow created with id 16451958, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: dmz
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

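The two traces above differ in one security-relevant way: in 8.4(4)1 the UN-NAT phase diverts the packet to the inside interface and untranslates 1.1.1.1 to 192.168.50.182, while in 8.4(7)23 no UN-NAT phase runs and a plain route lookup sends the flow out the outside interface, so traffic a DMZ host meant for the internal server would leave toward the default route instead. The following script is an added example, not part of this thread or of any Cisco tooling: it parses packet-tracer output into phases, checks whether a given static NAT rule untranslated the packet and which interface the flow egresses, and reports regressions between a pre-upgrade and a post-upgrade trace. The two sample traces are constructed, trimmed copies of the ones posted above; run it against full captured output in practice.

```python
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class Phase:
    number: int
    ptype: str = ""
    subtype: str = ""
    config: List[str] = field(default_factory=list)  # lines under "Config:"
    info: List[str] = field(default_factory=list)    # lines under "Additional Information:"

@dataclass
class Trace:
    phases: List[Phase] = field(default_factory=list)
    output_interface: Optional[str] = None           # from the closing "Result:" summary

def parse_packet_tracer(text: str) -> Trace:
    """Split packet-tracer output into Phase blocks plus the closing summary."""
    trace, current, section = Trace(), None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Phase:"):
            current = Phase(int(line.split(":", 1)[1]))
            trace.phases.append(current)
            section = None
        elif line == "Result:":      # a bare "Result:" opens the final summary block
            current = None
        elif current is None:        # summary lines such as "output-interface: inside"
            key, _, value = line.partition(":")
            if key == "output-interface":
                trace.output_interface = value.strip()
        elif line.startswith("Type:"):
            current.ptype = line.partition(":")[2].strip()
        elif line.startswith("Subtype:"):
            current.subtype = line.partition(":")[2].strip()
        elif line == "Config:":
            section = "config"
        elif line == "Additional Information:":
            section = "info"
        elif section == "config":
            current.config.append(line)
        elif section == "info":
            current.info.append(line)
    return trace

def check_static_nat(trace: Trace, nat_rule: str, real_ifc: str) -> dict:
    """Did nat_rule untranslate the packet, and will it egress toward the real host?"""
    unnat = [p for p in trace.phases
             if p.ptype == "UN-NAT" and any(nat_rule in c for c in p.config)]
    return {
        "unnat_applied": bool(unnat),
        "untranslate": next((l for p in unnat for l in p.info if l.startswith("Untranslate")), None),
        "output_interface": trace.output_interface,
        "egress_ok": trace.output_interface == real_ifc,
    }

def nat_regressions(before: Trace, after: Trace, nat_rule: str, real_ifc: str) -> List[str]:
    """Findings where the post-upgrade trace lost something the pre-upgrade trace had."""
    old = check_static_nat(before, nat_rule, real_ifc)
    new = check_static_nat(after, nat_rule, real_ifc)
    findings = []
    if old["unnat_applied"] and not new["unnat_applied"]:
        findings.append(f"UN-NAT phase for '{nat_rule}' disappeared")
    if old["egress_ok"] and not new["egress_ok"]:
        findings.append(f"egress moved from {old['output_interface']} to {new['output_interface']}")
    return findings

NAT_RULE = "nat (inside,dmz) source static obj-192.168.50.182 obj-1.1.1.1"
# Constructed, trimmed copies of the two traces in the post above (not full output).
TRACE_8_4_4 = """\
Phase: 2
Type: UN-NAT
Subtype: static
Config:
nat (inside,dmz) source static obj-192.168.50.182 obj-1.1.1.1
Additional Information:
NAT divert to egress interface inside
Untranslate 1.1.1.1/8009 to 192.168.50.182/8009

Result:
output-interface: inside
"""
TRACE_8_4_7 = """\
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Result:
output-interface: outside
"""

if __name__ == "__main__":
    for f in nat_regressions(parse_packet_tracer(TRACE_8_4_4), parse_packet_tracer(TRACE_8_4_7), NAT_RULE, "inside"):
        print("REGRESSION:", f)
```

The check keys on the phase type and on the NAT rule text echoed under Config:, so it works for any `nat ... source static` rule you pass in; capturing a packet-tracer baseline for each published service before an upgrade and running this comparison afterwards is a cheap way to catch a NAT regression before users do.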

1 Reply

Vibhor Amrodia
Cisco Employee

Hi,

Yes, this is expected because of some NAT defects being fixed in the ASA code.

https://tools.cisco.com/bugsearch/bug/CSCtq47028/?reffering_site=dumpcr

https://tools.cisco.com/bugsearch/bug/CSCuf71119/?reffering_site=dumpcr

If you have some NAT statements which have stopped working, I think you would have to downgrade the ASA code.

Thanks and Regards,

Vibhor Amrodia
