09-11-2013 04:27 AM - edited 03-11-2019 07:36 PM
Hi,
After upgrading from 8.4.x to 9.1.2 I got some drop in ICMP from inside to specific servers on Internet.
When I ping from a server or host on the inside I get the drop-reason nat-no-xlate-to-pat-pool with packet tracer. If I ping from the ASA it works as it should.
Traffic going this way uses the default dynamic PAT: any - any -> outside interface
If I ping, for example, 8.8.8.8 there is no problem.
Anyone know the meaning of this drop-reason?
(Also tried 9.0.3 because of a VPN bug but the same result.)
------------------
act/SKL-FW1# sh cap CAP packet-number 3 trace detail
4 packets captured
3: 21:34:06.790425 001a.6ca5.02bf c464.1367.06ab 0x0800 Length: 74
172.22.10.12 > 84.17.x.x: icmp: echo request (ttl 127, id 21136)
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Result:
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (nat-no-xlate-to-pat-pool) Connection to PAT address without pre-existing xlate
Cheers
Message was edited by: Mikael Gustafsson
09-11-2013 12:24 PM
Hello Mikael,
Can you share the entire output of the packet-tracer ?
Does the packet tracer involve any IP address on the ASA itself?
For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com
Any question contact me at jcarvaja@laguiadelnetworking.com
Cheers,
Julio Carvajal Segura
09-11-2013 10:11 PM
Hi Julio,
That's the strange part; this is the entire output of packet no. 3 (except: 1 packet shown).
Cheers
09-11-2013 10:19 PM
Okay,
So you are trying to ping from
172.12.112.12 to 84.17.x.x
I mean those 2 IP addresses are public, are you trying to ping from the ASA outside interface to an outside host or do you have a public address range on your inside?
Can you write down a little diagram of what we are trying to do? Because it looks like you are trying to ping the IP address of the ASA (used for PAT).
Cheers,
Julio Carvajal Segura
09-12-2013 12:33 AM
Ah sorry, that was my attempt to obscure the IP, no need really :-)
So, a ping from the inside, private IP range, to two servers on 84.17.x.x gives me that error when capturing with trace.
If I ping from ASA it works.
Cheers
09-12-2013 08:24 AM
Hello Mikael,
So you are pinging 2 outside servers from the internal network?
Are those 2 servers on the outside world or are they being used for a NAT statement?
Do the following:
Packet-tracer input inside icmp inside_host_ip 8 0 84.17.x.x
Then provide us the output,
Cheers,
Julio Carvajal Segura
09-13-2013 12:09 AM
Hi Julio,
Thanks for your help
Both servers are on the outside. They serve as an outsourced service for the end customer, and to have some sort of monitoring they use Nagios and ping.
The result from the simulated packet tracer is the same as from packet tracer on the actual captured packet.
Do you have an explanation of the result, 'nat-no-xlate-to-pat-pool'? What does it mean?
act/SKL-FW1# Packet-tracer input inside icmp 172.22.10.12 8 0 84.17.x.x
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (nat-no-xlate-to-pat-pool) Connection to PAT address without pre-existing xlate
act/SKL-FW1#
Cheers
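As an added example that is not part of the original thread or of any Cisco tool, the following Python parser reads the packet-tracer / capture-trace listing format Mikael posted above and turns it into structured records, so the final Action and Drop-reason (here nat-no-xlate-to-pat-pool) can be pulled out programmatically when triaging many traces instead of reading them by eye. It assumes only the fields visible in the posted output (Phase/Type/Subtype/Result/Config/Additional Information, the bare "Result:" summary block, Action and Drop-reason); the sample text is the trace from the thread, with the masked 84.17.x.x address kept as posted.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: the packet-tracer output posted in the thread, verbatim.
SAMPLE_TRACE = """\
act/SKL-FW1# Packet-tracer input inside icmp 172.22.10.12 8 0 84.17.x.x
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (nat-no-xlate-to-pat-pool) Connection to PAT address without pre-existing xlate
act/SKL-FW1#
"""

PROMPT_RE = re.compile(r"^\S+#")  # CLI prompt lines such as "act/SKL-FW1# ..."
DROP_RE = re.compile(r"^Drop-reason:\s*\((?P<code>[^)]+)\)\s*(?P<text>.*)$")
KV_RE = re.compile(r"^(?P<key>[A-Za-z-]+(?: [A-Za-z]+)?):\s*(?P<value>.*)$")


@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    config: list = field(default_factory=list)  # lines under "Config:"
    info: list = field(default_factory=list)    # lines under "Additional Information:"


@dataclass
class Trace:
    phases: list
    summary: dict              # input-/output-interface and status lines
    action: str                # "allow" or "drop"
    drop_code: Optional[str]   # e.g. "nat-no-xlate-to-pat-pool"; None when allowed
    drop_text: Optional[str]   # explanatory text that follows the code


def parse_trace(text: str) -> Trace:
    """Parse one packet-tracer (or 'show capture ... trace') listing into a Trace."""
    phases, summary = [], {}
    action, drop_code, drop_text = "", None, None
    current, section, in_summary = None, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or PROMPT_RE.match(line):
            continue
        m = DROP_RE.match(line)
        if m:
            drop_code, drop_text = m.group("code"), m.group("text")
            continue
        kv = KV_RE.match(line)
        key, value = (kv.group("key"), kv.group("value")) if kv else (None, line)
        if key == "Phase":                    # a new phase starts
            current = Phase(number=int(value))
            phases.append(current)
            section, in_summary = None, False
        elif key == "Result" and value == "" and current is not None:
            in_summary, current = True, None  # bare "Result:" opens the final summary
        elif key == "Action":
            action = value.lower()
        elif in_summary and key:
            summary[key] = value
        elif current is not None:             # field inside the current phase
            if key in ("Type", "Subtype", "Result"):
                setattr(current, key.lower(), value)
            elif key == "Config":
                section = "config"
            elif key == "Additional Information":
                section = "info"
            elif section:                     # free-form line under Config / Additional Information
                getattr(current, section).append(line)
        # lines before the first "Phase:" (capture headers) are ignored
    return Trace(phases, summary, action, drop_code, drop_text)


def drop_reason(text: str) -> Optional[str]:
    """Drop-reason code of a trace, or None if the packet was allowed."""
    return parse_trace(text).drop_code
```

Running parse_trace(SAMPLE_TRACE) yields three phases (CAPTURE, ACCESS-LIST, ROUTE-LOOKUP), a summary with input-interface inside and output-interface outside, action "drop" and drop code nat-no-xlate-to-pat-pool; feeding the same function a batch of traces lets you count which drop reasons a change (such as an 8.4 to 9.x upgrade) introduced.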
09-13-2013 05:41 AM
Hi Mikael,
This is a known issue in 9.x NAT behaviour. We cannot say it is a bug, but it is a re-design for NAT.
The issue occurs when a request is made for a non-mapped service on a host for which static identity NAT is configured along with service port translation (either identity or non-identity).
For example, with the following NAT rule:
object network MyServer
host 2.1.11.2
nat (outside,inside) static MyServer service tcp www 8080
Making a request to the mapped (outside host) port 8080 from an inside host works fine; however, a request for other services on the outside server (such as SMTP) does not go through.
Workaround:
To make other services on the outside server accessible, configure an explicit NAT rule to allow the services. For example, to allow access to the HTTP as well as the SMTP service on the above server, configure:
object network MyWWWServer
host 2.1.11.2
nat (outside,inside) static MyWWWServer service tcp www 8080
object network MySMTPServer
host 2.1.11.2
nat (outside,inside) static MySMTPServer service tcp smtp 8025
This issue has been documented in a DOC bug, but it is still not available in the Cisco.com Bug Toolkit.
If you still cannot match the mentioned conditions to your NAT config and figure out the missing NAT, please post your NAT config here.
Regards.
Mashal Shboul
09-13-2013 06:05 AM
Hi Mashal,
So if I understand right, to get ICMP to work I need to create an extra NAT for just this translation?
Do you have an example?
Cheers
09-13-2013 06:19 AM
Hi Mikael,
I already mentioned an example.
I cannot accurately answer your question without seeing your NAT rules. But generally you need to add a NAT rule to match the flow, since one of the flow's IP addresses matches another xlate.
------------------
Mashal Shboul
09-13-2013 06:48 AM
Yes, I was thinking of an ICMP example.
And those servers I try to ping both have other sessions.
sh xlate
TCP PAT from outside:84.17.x.x and
NAT from outside:84.17.x.x
I get an error when I try to configure it. Both on object nat and manual NAT.
(probably me missing something here)
ERROR: real service object includes protocol that doesnt match TCP or UDP.
09-15-2013 06:36 PM
Hello Mashal,
I was not aware of that information
Thanks for the information. Kudos to U
Cheers,
Julio Carvajal Segura
09-15-2013 10:47 PM
Hi Mashal,
Tested this last night and it's working now.
Thanks.
Cheers