Problems after upgrading ASA from 8.4.5 to 9.1.1

mtrcek
Level 1

Hi,

We are having a problem with the behavior of a nat statement after upgrading the ASA. Here are the results of packet-tracer in our testing environment:

object network onBK028VRRP
 host 1.1.1.111
object network onSIEMServers
 host 1.1.1.1
object service osSyslog
 service tcp source eq telnet
object-group network ognBK028ClientsOutside
 network-object 10.0.0.0 255.0.0.0
nat (inside,outside) source static onBK028VRRP onSIEMServers destination static ognBK028ClientsOutside ognBK028ClientsOutside service osSyslog osSyslog


ASA 8.4.5

packet-tracer input OUTSIDE tcp 10.1.1.1 50000 1.1.1.1 80 detailed

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   1.1.1.0         255.255.255.0   inside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group IZOUTSIDE in interface outside
access-list IZOUTSIDE extended permit tcp any any eq www
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xce99ccc8, priority=13, domain=permit, deny=false
        hits=0, user_data=0xc91bc540, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=80, dscp=0x0
        input_ifc=outside, output_ifc=any

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xcb53d948, priority=0, domain=inspect-ip-options, deny=true
        hits=42, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=outside, output_ifc=any

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in  id=0xcb561758, priority=0, domain=inspect-ip-options, deny=true
        hits=40, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=inside, output_ifc=any

Phase: 5
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 43, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow

ASA 9.1.1

packet-tracer input OUTSIDE tcp 10.1.1.1 50000 1.1.1.1 80 detailed

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   1.1.1.0         255.255.255.0   inside

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (no-route) No route to host

Which option changed this?

BR, M.
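What follows is an added example, not part of mtrcek's post and not a Cisco tool: a small Python parser and differ for `packet-tracer ... detailed` output, so that a before/after comparison like the one above can be reduced to the first phase that differs plus the final action and drop code. The two embedded traces are condensed copies of the 8.4.5 and 9.1.1 output above (phase headers and results and the final verdict block; the rule dumps and module lists are dropped). The class and function names are my own.

```python
# Added example (not from the post or from Cisco): parse two Cisco ASA
# "packet-tracer ... detailed" outputs and report where they diverge.
# TRACE_845 / TRACE_911 are condensed copies of the traces in the post above.
import re
from dataclasses import dataclass, field

TRACE_845 = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
in   1.1.1.0         255.255.255.0   inside
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
access-list IZOUTSIDE extended permit tcp any any eq www
Phase: 3
Type: IP-OPTIONS
Result: ALLOW
Phase: 4
Type: IP-OPTIONS
Result: ALLOW
Phase: 5
Type: FLOW-CREATION
Result: ALLOW
Result:
Action: allow
"""

TRACE_911 = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
in   1.1.1.0         255.255.255.0   inside
Result:
Action: drop
Drop-reason: (no-route) No route to host
"""

@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""

@dataclass
class Trace:
    phases: list = field(default_factory=list)
    action: str = ""
    drop_reason: str = ""   # full text, e.g. "(no-route) No route to host"

PHASE_KEYS = ("type", "subtype", "result")
VERDICT_KEYS = {"action": "action", "drop-reason": "drop_reason"}

def parse_trace(text: str) -> Trace:
    """'Phase: N' opens a phase, a bare 'Result:' opens the final verdict;
    'key: value' lines fill whichever block is open, anything else is ignored."""
    trace, phase, in_verdict = Trace(), None, False
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Phase:\s*(\d+)$", line)
        if m:
            phase = Phase(int(m.group(1)))
            trace.phases.append(phase)
            continue
        if line == "Result:":
            phase, in_verdict = None, True
            continue
        key, sep, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if sep and phase is not None and key in PHASE_KEYS:
            setattr(phase, key, value)
        elif sep and in_verdict and key in VERDICT_KEYS:
            setattr(trace, VERDICT_KEYS[key], value)
    return trace

def first_divergence(a: Trace, b: Trace):
    """(phase number, description) of the first differing phase, or None."""
    for pa, pb in zip(a.phases, b.phases):
        if (pa.type, pa.result) != (pb.type, pb.result):
            return pa.number, f"{pa.type}:{pa.result} vs {pb.type}:{pb.result}"
    if len(a.phases) != len(b.phases):
        short, long_ = sorted((a, b), key=lambda t: len(t.phases))
        nxt = long_.phases[len(short.phases)]
        return nxt.number, f"one trace stops before {nxt.type}, the other runs it"
    return None

def compare(before: str, after: str) -> dict:
    """Summarise what changed between a pre- and a post-upgrade trace."""
    a, b = parse_trace(before), parse_trace(after)
    code = re.match(r"\((.+?)\)", b.drop_reason)   # short code such as no-route
    return {
        "action": (a.action, b.action),
        "drop_code_after": code.group(1) if code else "",
        "phases": ([p.type for p in a.phases], [p.type for p in b.phases]),
        "divergence": first_divergence(a, b),
    }
```

Run on the two traces, `compare(TRACE_845, TRACE_911)` reports the action going from allow to drop, the drop code no-route, and that the 9.1.1 trace stops before phase 2 (ACCESS-LIST). Two things the phase lists make easy to check: neither trace contains a NAT phase, which is consistent with the tested packet (source port 50000, destination port 80) not matching the service object osSyslog, which is defined as tcp source port telnet, so this particular test does not exercise the twice-NAT rule at all; and the tool reports what differs, not why, so answering which option changed still means comparing the running configuration and routing table on both versions.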
