01-10-2013 06:02 AM - edited 03-11-2019 05:45 PM
Hi, I have the following question:
We recently upgraded a firewall from 8.2(2) to 8.4(5). We have the following NATs (not all shown below):
nat (Transit,Public) source static any any no-proxy-arp route-lookup
|
Some other NATs
|
object network obj-172.22.10.80
nat (DMZ_CastIron-MGMT,Public) static 206.16.250.202
|
Some other NATs
|
The problem that started happening after the upgrade was that people on the outside could not access 206.16.250.202 anymore. After troubleshooting, it was found that the following NAT was getting hit:
nat (Transit,Public) source static any any no-proxy-arp route-lookup
Because of the above NAT, ASA was not translating 206.16.250.202 to 172.22.10.80 and was rather trying to send it back out through the Public interface (U-turning). Packet-tracer confirmed this:
ASA#packet-tracer input Public tcp 182.50.76.10 2345 206.16.250.202 443
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 Public
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 Public
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: Public
input-status: up
input-line-status: up
output-interface: Public
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
The following line also confirmed it:
ASA(config)# nat (Transit,Public) 4 source static any any no-proxy-arp route-lookup
WARNING: This rule will match all incoming traffic on interface 'Public'.
Use 'unidirectional' option to apply the rule for outgoing traffic only.
To resolve the issue, we had to remove the following NAT:
nat (Transit,Public) source static any any no-proxy-arp route-lookup
Thinking about it, it does look correct and logical that the above line was causing the destination IP address to NOT get NATed (because of any any) and ASA was performing a route lookup for 206.16.250.202 because of which it was being routed back out through the Public interface (and getting dropped there).
However, my question is why this problem did not happen when the ASA was on 8.2? On 8.2, the equivalent lines were:
nat (Transit) 0 access-list Transit_nat0_outbound
access-list Transit_nat0_outbound extended permit ip any any
static (DMZ_CastIron-MGMT,Public) 206.16.250.202 172.22.10.80
So, on 8.2, the static for 206.16.250.202 was getting hit and the nat-exempt never caused any issues. Any idea why this would work fine on 8.2 but not on 8.4?
01-10-2013 09:50 AM
You have to create an ACL for the internal IP instead of for the external public. The order of processing changed from 8.2 --> 8.4.
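The following configuration is an added example, not part of the original post or either reply; it puts the rule that caused the problem beside three ways of fixing it. In 8.3 and later the ASA builds one NAT table: Section 1 holds manual (twice) NAT rules in configured order, Section 2 holds object (auto) NAT, and Section 3 holds manual rules entered with after-auto; a packet is matched against the sections in that order and the first hit wins. A manual static rule is bidirectional, so `source static any any` in Section 1 also matches traffic arriving on Public for any destination, and the object NAT for 206.16.250.202 in Section 2 is never consulted. The interface and object names are taken from the thread; the `host` line under obj-172.22.10.80 and the Transit subnet 10.10.10.0/24 are assumptions, since the post does not show them.

```cisco
! Added example, not from the original post.
! Interface and object names come from the thread; the host line and the
! Transit subnet (10.10.10.0/24) are assumptions.

! --- The configuration that broke inbound access after the 8.4 upgrade ---
! Section 1 manual NAT, evaluated first and in both directions. A packet on
! Public to 206.16.250.202 matches (source any, destination any), is left
! untranslated, and is routed by the route-lookup keyword back out Public.
nat (Transit,Public) source static any any no-proxy-arp route-lookup

! Section 2 object NAT, never reached for inbound traffic while the rule
! above exists.
object network obj-172.22.10.80
 host 172.22.10.80
 nat (DMZ_CastIron-MGMT,Public) static 206.16.250.202

! --- Fix 1: keep the identity rule but make it outbound-only ---
! This is what the ASA's own warning ("Use 'unidirectional' option to apply
! the rule for outgoing traffic only") suggests.
no nat (Transit,Public) source static any any no-proxy-arp route-lookup
nat (Transit,Public) source static any any no-proxy-arp route-lookup unidirectional

! --- Fix 2 (alternative): scope the identity rule to the Transit network ---
! Inbound packets on Public now match only if their destination is inside
! 10.10.10.0/24, so 206.16.250.202 falls through to the object NAT.
object network Transit-net
 subnet 10.10.10.0 255.255.255.0
nat (Transit,Public) source static Transit-net Transit-net no-proxy-arp route-lookup

! --- Fix 3 (alternative): move the catch-all into Section 3 ---
! after-auto places the rule after all object NAT, so Section 2 is checked
! before the any/any identity rule.
nat (Transit,Public) after-auto source static any any no-proxy-arp route-lookup

! --- Verify ---
! The same packet-tracer as in the post. After the fix, expect an UN-NAT
! phase translating 206.16.250.202 to 172.22.10.80 and an output-interface
! of DMZ_CastIron-MGMT instead of Public.
packet-tracer input Public tcp 182.50.76.10 2345 206.16.250.202 443
show nat detail
```

Apply only one of the three fixes. Fix 1 is the smallest change; fix 2 is the one the reply above describes (match on the internal network rather than any); fix 3 keeps a true any/any identity rule but lets every object NAT take precedence over it. `show nat detail` lists the table section by section, which is the quickest way to confirm where the identity rule now sits relative to the object NAT.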
01-11-2013 01:39 AM
Hi
8.4 requires you to create object groups, unlike 8.3 and older.
Just do some reading on Cisco
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/nat_objects.html
HTH
Daniel