ASA 8.4(2) NAT problem

Hi,

I'm trying to implement NAT on ASA and I found very strange behavior.

a) I started with dynamic NAT:

object network MY-RANGE-OBJ

range 172.16.1.100 172.16.1.120

object network MY-INSIDE-NET

subnet 10.0.0.0 255.255.255.0

ASA1(config)# object network MY-INSIDE-NET

ASA1(config-network-object)# nat (inside,outside) dynamic MY-RANGE-OBJ

ASA1(config-network-object)# sh ru | i nat

destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

destination address email callhome@cisco.com

destination transport-method http

ASA1(config-network-object)# nat (inside,outside) dynamic MY-RANGE-OBJ interfa

ASA1(config-network-object)# sh ru | i nat

destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

destination address email callhome@cisco.com

destination transport-method http

ASA1(config-network-object)# nat (inside,outside) static interface

WARNING: All traffic destined to the IP address of the outside interface is being redirected.

WARNING: Users may not be able to access any service enabled on the outside interface.

ASA1(config-network-object)# sh ru | i nat

nat (inside,outside) static interface

destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

destination address email callhome@cisco.com

destination transport-method http

ASA1(config-network-object)#

Why can't I add 'dynamic MY-RANGE-OBJ' or 'dynamic MY-RANGE-OBJ inter'? I can't see any errors; the commands are ignored.

Thank you

Hubert

5 Replies

Jouni Forss (VIP Alumni)

Hi,

Can you rather post the output of

show run nat

Even though I guess your command should list it also.

You can also configure the same in this way (which is the way I prefer doing it)

This IS NOT inserted under any "object"

nat (inside,outside) after-auto source dynamic MY-INSIDE-NET MY-RANGE-OBJ

- Jouni
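The two ways of expressing the same dynamic NAT rule side by side, as an added example that is not part of the thread, followed by the commands used to confirm what the ASA actually installed. Object names, interface names and addresses are the ones used in the thread; the packet-tracer destination 172.16.1.2 is taken from the thread's access-list, and the ports 12345 and 80 are made up for the test.

```text
! Added example, not from the original post.
object network MY-RANGE-OBJ
 range 172.16.1.100 172.16.1.120
object network MY-INSIDE-NET
 subnet 10.0.0.0 255.255.255.0
!
! Form 1: network object NAT (auto NAT). The nat line lives inside the
! object being translated and is evaluated in NAT section 2.
object network MY-INSIDE-NET
 nat (inside,outside) dynamic MY-RANGE-OBJ
!
! Variant: fall back to PAT on the outside interface address once the
! 21-address pool is exhausted (this is the "interface" keyword the
! original post was typing when the CLI swallowed the line).
object network MY-INSIDE-NET
 nat (inside,outside) dynamic MY-RANGE-OBJ interface
!
! Form 2: manual (twice) NAT, not under any object. "after-auto" places
! the rule in section 3, so any object NAT rule is still matched first;
! without the keyword the rule lands in section 1 and wins over everything.
nat (inside,outside) after-auto source dynamic MY-INSIDE-NET MY-RANGE-OBJ
!
! Check which rules exist, in which section, and how often they matched.
show nat detail
! Simulate an inside host and confirm the translated source address
! (constructed test traffic: 10.0.0.10 -> 172.16.1.2, TCP 12345 -> 80).
packet-tracer input inside tcp 10.0.0.10 12345 172.16.1.2 80
! Active translation slots.
show xlate
```

Two practical caveats. A rule that appears in neither `show run nat` nor `show nat detail`, as in the original post, was never installed, so the behaviour should be checked before any traffic is trusted to it. And the one command the original post did get to stick, `nat (inside,outside) static interface` entered under MY-INSIDE-NET, is a static (bidirectional) mapping of the whole inside subnet to the outside interface address, which is exactly why the ASA printed the two WARNING lines about redirecting traffic destined to the outside interface; remove it with `no nat (inside,outside) static interface` under that object before adding the intended dynamic rule. Without the `interface` keyword a dynamic pool has no PAT fallback, so once the 21 addresses are in use new inside connections are dropped rather than translated.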

Hi,

ASA1(config)# object network MY-RANGE-OBJ

ASA1(config-network-object)#

ASA1(config-network-object)# range 172.16.1.100 172.16.1.120

ASA1(config-network-object)#

ASA1(config-network-object)# object network MY-INSIDE-NET

ASA1(config-network-object)#

ASA1(config-network-object)# subnet 10.0.0.0 255.255.255.0

ASA1(config-network-object)# nat

ASA1(config-network-object)# nat (is

ASA1(config-network-object)# nat (ins

ASA1(config-network-object)# nat (inside,o

ASA1(config-network-object)# nat (inside,outside) d

ASA1(config-network-object)# nat (inside,outside) dynamic  MY-RANGE-OBJ

ASA1(config-network-object)# sh run nat

ASA1(config-network-object)# end

ASA1# sh run nat

ASA1#

ASA1#

ASA1# sh run | b obje

object network MY-RANGE-OBJ

range 172.16.1.100 172.16.1.120

object network MY-INSIDE-NET

subnet 10.0.0.0 255.255.255.0

access-list OUT extended permit icmp host 172.16.1.2 host 10.0.0.10

pager lines 24

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

icmp permit any outside

Any idea?

You're right, the command below works fine:

ASA1(config)# nat (inside,outside) after-auto source dynamic MY-INSIDE-NET MY-RANGE-OBJ

ASA1(config)# sh run nat

!

nat (inside,outside) after-auto source dynamic MY-INSIDE-NET MY-RANGE-OBJ

ASA1(config)#

By the Cisco doc the first version should work as well (http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/nat_objects.html#wp1106144), is it a bug?

Thanks!

Hi,

Yes, to my understanding the configuration you mention should work.

We have a firewall running that same software version and generally we have not faced any NAT related problems, though we don't really use the Network Object NAT / Auto NAT to configure it.

Here is one bug that seems to match your problem, though the listed software refers to the ASASM module's starting software and not this software level. But I can't be sure the Bug ID notes contain all the information.

https://tools.cisco.com/bugsearch/bug/CSCty36464


- Jouni

Thanks for the bug details

cheers!

You can naturally try updating the software and see if that takes the problem away. I do remember testing the NAT configuration in the same way you attempted it in your original post and it has worked.

You could for example consider newer software releases in the same major and minor release, for example 8.4(5) or 8.4(6).

Here is a list of software levels and the feature additions/changes in them:

http://www.cisco.com/en/US/docs/security/asa/roadmap/asa_new_features.html

- Jouni
