NAT issue on 8.4 but it was working fine on 8.2

Hemant Sajwan (Level 1)

Hi, I have the following question:

We recently upgraded a firewall from 8.2(2) to 8.4(5). We have the following NATs (not all shown below):

nat (Transit,Public) source static any any no-proxy-arp route-lookup

Some other NATs

object network obj-172.22.10.80
 nat (DMZ_CastIron-MGMT,Public) static 206.16.250.202

Some other NATs

The problem that started happening after the upgrade was that people on the outside could not access 206.16.250.202 anymore. After troubleshooting, it was found that the following NAT was getting hit:

nat (Transit,Public) source static any any no-proxy-arp route-lookup

Because of the above NAT, ASA was not translating 206.16.250.202 to 172.22.10.80 and was rather trying to send it back out through the Public interface (U-turning). Packet-tracer confirmed this:

ASA#packet-tracer input Public tcp 182.50.76.10 2345 206.16.250.202 443

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         Public

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         Public

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: Public
input-status: up
input-line-status: up
output-interface: Public
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

The following line also confirmed it:

ASA(config)# nat (Transit,Public) 4 source static any any no-proxy-arp route-lookup
WARNING: This rule will match all incoming traffic on interface 'Public'.
Use 'unidirectional' option to apply the rule for outgoing traffic only.

To resolve the issue, we had to remove the following NAT:

nat (Transit,Public) source static any any no-proxy-arp route-lookup

Thinking about it, it does look correct and logical that the above line was causing the destination IP address to NOT get NATed (because of any any) and ASA was performing a route lookup for 206.16.250.202 because of which it was being routed back out through the Public interface (and getting dropped there).

However, my question is why this problem did not happen when the ASA was on 8.2? On 8.2, the equivalent lines were:

nat (Transit) 0 access-list Transit_nat0_outbound
access-list Transit_nat0_outbound extended permit ip any any
static (DMZ_CastIron-MGMT,Public) 206.16.250.202 172.22.10.80

So, on 8.2, the static for 206.16.250.202 was getting hit and the nat-exempt never caused any issues. Any idea why this would work fine on 8.2 but not on 8.4?
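To illustrate why the Section 1 rule wins on 8.4 and what the 'unidirectional' keyword from the ASA warning changes, here is an added toy model in Python (my own illustration, not Cisco code or anything posted in this thread). It assumes a constructed routing table with a default route out Public, models only the inbound (mapped-to-real) direction of static rules, and uses first match across Section 1 (manual NAT) then Section 2 (object NAT) as the lookup order.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed routing table for this model: DMZ subnet behind the DMZ interface,
# everything else (including 206.16.250.202) via the default route out Public.
ROUTES = [(ip_network("172.22.10.0/24"), "DMZ_CastIron-MGMT"),
          (ip_network("0.0.0.0/0"), "Public")]

def route_lookup(dst):
    """Longest-prefix match, like the ROUTE-LOOKUP phase in packet-tracer."""
    hits = [r for r in ROUTES if ip_address(dst) in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen)[1]

@dataclass
class StaticNat:
    name: str
    section: int            # 1 = manual NAT, 2 = object NAT, 3 = manual NAT after-auto
    real_if: str
    mapped_if: str
    real: str               # "any" or a host/network in CIDR form
    mapped: str
    unidirectional: bool = False
    route_lookup: bool = False

def _covers(scope, addr):
    return scope == "any" or ip_address(addr) in ip_network(scope)

def translate(rules, in_if, dst):
    """First-match lookup for a packet arriving on in_if towards dst, walking
    Section 1 before Section 2 before Section 3. Only the inbound (mapped -> real)
    direction is modelled. Returns (matched rule, translated dst, egress interface)."""
    for r in sorted(rules, key=lambda r: r.section):
        if in_if == r.mapped_if and _covers(r.mapped, dst) and not r.unidirectional:
            new_dst = dst if r.real == "any" else str(ip_network(r.real)[0])  # identity or 1:1
            egress = route_lookup(new_dst) if r.route_lookup else r.real_if
            return r.name, new_dst, egress
    return None, dst, route_lookup(dst)

def hairpins(in_if, egress):
    """True when the flow is routed back out its ingress interface, the U-turn that
    the implicit rule then drops (acl-drop) in the packet-tracer above."""
    return in_if == egress

OBJECT_NAT = StaticNat("obj-172.22.10.80", 2, "DMZ_CastIron-MGMT", "Public",
                       "172.22.10.80/32", "206.16.250.202/32")

def scenario(unidirectional):
    """Inbound Public -> 206.16.250.202 with the Transit/Public any-any identity
    rule in Section 1, with or without the 'unidirectional' keyword."""
    identity = StaticNat("nat (Transit,Public) source static any any", 1, "Transit",
                         "Public", "any", "any", unidirectional, route_lookup=True)
    name, new_dst, egress = translate([OBJECT_NAT, identity], "Public", "206.16.250.202")
    return name, new_dst, egress, hairpins("Public", egress)
```

scenario(False) matches the identity rule, leaves the destination untranslated and routes it back out Public; scenario(True) falls through to the object NAT, translates to 172.22.10.80 and egresses on the DMZ interface.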

16 Replies

Johan.Broer (Level 1)

You have to create an ACL for the internal IP instead of for the external public one. The order of processing changed from 8.2 --> 8.4.

Hi

8.4 requires you to create object groups unlike 8.3 and older.

Just do some reading on Cisco

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/nat_objects.html

HTH

Daniel
