mtrcek
Beginner

Problems after upgrading ASA from 8.4.5 to 9.1.1

Hi,

We are having a problem with the behavior of a nat statement after upgrading the ASA. Here are the results of packet-tracer in our testing environment:

object network onBK028VRRP
 host 1.1.1.111
object network onSIEMServers
 host 1.1.1.1
object service osSyslog
 service tcp source eq telnet
object-group network ognBK028ClientsOutside
 network-object 10.0.0.0 255.0.0.0
nat (inside,outside) source static onBK028VRRP onSIEMServers destination static ognBK028ClientsOutside ognBK028ClientsOutside service osSyslog osSyslog


ASA 8.4.5

packet-tracer input OUTSIDE tcp 10.1.1.1 50000 1.1.1.1 80 detailed

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   1.1.1.0         255.255.255.0   inside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group IZOUTSIDE in interface outside
access-list IZOUTSIDE extended permit tcp any any eq www
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xce99ccc8, priority=13, domain=permit, deny=false
        hits=0, user_data=0xc91bc540, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=80, dscp=0x0
        input_ifc=outside, output_ifc=any

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xcb53d948, priority=0, domain=inspect-ip-options, deny=true
        hits=42, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=outside, output_ifc=any

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in  id=0xcb561758, priority=0, domain=inspect-ip-options, deny=true
        hits=40, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=inside, output_ifc=any

Phase: 5
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 43, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow

ASA 9.1.1

packet-tracer input OUTSIDE tcp 10.1.1.1 50000 1.1.1.1 80 detailed

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   1.1.1.0         255.255.255.0   inside

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (no-route) No route to host

Which option changes this?

BR, M.
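One way to check a pre/post-upgrade pair of traces like the two above is to parse the phase list out of each packet-tracer output and report the first phase the old trace ran that the new one never reached, together with the new trace's final action and drop reason. This is an added example, not code from the thread; the two trace strings are constructed, abbreviated copies of the outputs quoted above.

```python
# Constructed, abbreviated copies of the two packet-tracer outputs quoted
# in the post; only the lines the parser keys on are retained.
TRACE_845 = """\
Phase: 1
Type: ROUTE-LOOKUP
Result: ALLOW
Phase: 2
Type: ACCESS-LIST
Result: ALLOW
Result:
input-interface: outside
Action: allow
"""
TRACE_911 = """\
Phase: 1
Type: ROUTE-LOOKUP
Result: ALLOW
Result:
Action: drop
Drop-reason: (no-route) No route to host
"""

def parse_trace(text):
    """Return (phases, action, drop_reason); phases is a list of (type, result)."""
    phases, action, reason, in_summary = [], None, None, False
    for line in text.splitlines():
        key, _, value = line.partition(":")
        value = value.strip()
        if key == "Phase":
            phases.append({})
        elif key == "Result" and not value:
            in_summary = True  # a bare "Result:" starts the final summary block
        elif key in ("Type", "Result") and phases and not in_summary:
            phases[-1][key.lower()] = value
        elif key == "Action":
            action = value
        elif key == "Drop-reason":
            reason = value
    return [(p.get("type"), p.get("result")) for p in phases], action, reason

def compare_traces(before, after):
    """Name the first phase the old trace ran that the new one never reached,
    plus the new trace's final action and drop reason."""
    old, _, _ = parse_trace(before)
    new, action, reason = parse_trace(after)
    reached = {t for t, _ in new}
    missing = [t for t, _ in old if t not in reached]
    return {"first_missing_phase": missing[0] if missing else None,
            "action": action, "drop_reason": reason}
```

Run against the full traces, it points at the ACCESS-LIST phase as the first one 9.1.1 never reaches, so the drop happens before any ACL or NAT evaluation.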

1 ACCEPTED SOLUTION

Jennifer Halim
Cisco Employee