
Some ICMP drop from inside to outside.

Hi,

After upgrading from 8.4.x to 9.1.2 I got some drop in ICMP from inside to specific servers on Internet.

When I ping from a server or host on the inside I get the drop-reason nat-no-xlate-to-pat-pool with packet tracer. If I ping from the ASA it works as it should.

Traffic going this way uses the default dynamic PAT: any - any -> outside interface

If I ping e.g. 8.8.8.8 there is no problem.

Anyone know the meaning of this drop-reason?

(Also tried 9.0.3 because of a VPN bug but the same result.)

------------------

act/SKL-FW1# sh cap CAP packet-number 3 trace detail

4 packets captured

   3: 21:34:06.790425 001a.6ca5.02bf c464.1367.06ab 0x0800 Length: 74
      172.22.10.12 > 84.17.x.x: icmp: echo request (ttl 127, id 21136)

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Result:
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (nat-no-xlate-to-pat-pool) Connection to PAT address without pre-existing xlate

Cheers



Some ICMP drop from inside to outside.

Hello Mikael,

Can you share the entire output of the packet-tracer ?

Does the packet tracer involves any IP address on the ASA itself?

For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com

Any question contact me at jcarvaja@laguiadelnetworking.com

Cheers,

Julio Carvajal Segura

Looking for some Networking Assistance? Contact me directly at jcarvaja@laguiadelnetworking.com I will fix your problem ASAP. Cheers, Julio Carvajal Segura http://laguiadelnetworking.com

Some ICMP drop from inside to outside.

Hi Julio,

That's the strange part, this is the entire output of packet no 3. (except: 1 packet shown)

Cheers

Some ICMP drop from inside to outside.

Okey,

So you are trying to ping from

      172.12.112.12 to  84.17.x.x

I mean those 2 IP addresses are public, are you trying to ping from the ASA outside interface to an outside host or do you have a public address range on your inside?

Can you write down a little diagram of what we are trying to do! cause it looks like you are trying to ping the IP address of the ASA (Used on PAT).


Cheers,

Julio Carvajal Segura


Some ICMP drop from inside to outside.

Ah sorry, that was my attempt to obscure the IP, no real need :-)

So, a ping from the inside, private IP range, to two servers on 84.17.x.x gives me that error when capturing with trace.

If I ping from ASA it works.

Cheers

Some ICMP drop from inside to outside.

Hello Mikael,

So you are pinging 2 outside servers from the internal network?

Are those 2 servers on the outside world or are they being used for a NAT statement?

Do the following:

Packet-tracer input inside icmp inside_host_ip 8 0  84.17.x.x

Then provide us the output,


Cheers,

Julio Carvajal Segura


Some ICMP drop from inside to outside.

Hi Julio,

Thanks for your help

Both servers are on the outside. They serve as an outsourced service for the end customer, and to have some sort of monitoring they use Nagios and ping.

The result from a simulated packet tracer is the same as from packet tracer on the actual captured packet.

Do you have an explanation of the result, 'nat-no-xlate-to-pat-pool'? What does it mean?

act/SKL-FW1# Packet-tracer input inside icmp 172.22.10.12 8 0  84.17.x.x

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (nat-no-xlate-to-pat-pool) Connection to PAT address without pre-existing xlate

act/SKL-FW1#

Cheers


Some ICMP drop from inside to outside.

Hi Mikael,

This is a known issue in 9.x NAT behaviour. We cannot say it is a bug, but it is a re-design of NAT.

The issue occurs when a request is made for a non-mapped service on a host for which static identity NAT is configured along with service port translation (either identity or non-identity).

For example, with following NAT rule:

object network MyServer
 host 2.1.11.2
nat (outside,inside) static MyServer service tcp www 8080

Making a request to the mapped (outside host) port 8080 from an inside host works fine; however, a request for other services on the outside server (such as SMTP) doesn't go through.

Workaround:

To make other services on the outside server accessible, configure an explicit NAT rule to allow the services. For example, to allow access to the HTTP as well as the SMTP service on the above server, configure:

object network MyWWWServer
 host 2.1.11.2
nat (outside,inside) static MyWWWServer service tcp www 8080

object network MySMTPServer
 host 2.1.11.2
nat (outside,inside) static MySMTPServer service tcp smtp 8025

This issue has been documented in a DOC bug, but it is still not available in Cisco.com bug toolkit.

If you still cannot match the mentioned conditions to your NAT config and figure out the missing NAT, please post your NAT config here.

Regards.
Mashal Shboul

------------------ Mashal Shboul

Some ICMP drop from inside to outside.

Hi Mashal,

So if I understand right, to get ICMP to work I need to create an extra NAT for just this translation?

Do you have an example?

Cheers


Some ICMP drop from inside to outside.

Hi Mikael,

I already mentioned an example.

I cannot accurately answer your question without seeing your NAT rules. But generally you need to add a NAT rule to match the flow, since one of the flow's IP addresses matches another xlate.

------------------
Mashal Shboul


Some ICMP drop from inside to outside.

Yes, I was thinking of an ICMP example.

And those servers I try to ping both have other sessions.

sh xlate

TCP PAT from outside:84.17.x.x  and
NAT from outside:84.17.x.x

I get an error when I try to configure it. Both on object nat and manual NAT.

(probably me missing something here)

ERROR: real service object includes protocol that doesnt match TCP or UDP.
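One way to give the ICMP flow its own explicit rule without a service object is a manual (twice) NAT statement; this is an added example, not configuration from the thread or from Cisco, and the object names and the 172.22.10.0/24 inside subnet are assumptions (the server address keeps the thread's 84.17.x.x placeholder).

```cisco
! Added example, not from the thread. Object names and the inside subnet are assumptions.
object network INSIDE_NET
 subnet 172.22.10.0 255.255.255.0
object network MON_SERVER
 host 84.17.x.x
!
! Manual NAT: inside hosts are PAT'd to the outside interface only when the
! destination is the monitored server, which itself stays untranslated (identity).
! There is no service keyword, so the rule matches ICMP as well as TCP/UDP and
! does not trigger the "real service object ... TCP or UDP" error. Manual NAT
! lives in section 1 and is evaluated before the object NAT rules that hold the
! existing xlates for 84.17.x.x.
nat (inside,outside) source dynamic INSIDE_NET interface destination static MON_SERVER MON_SERVER
!
! Check: re-run the trace from the thread. The NAT phase should now reference this
! rule and the final action should be allow instead of nat-no-xlate-to-pat-pool.
! packet-tracer input inside icmp 172.22.10.12 8 0 84.17.x.x
```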

Re: Some ICMP drop from inside to outside.

Hello Mashal,

I was not aware of that information

Thanks for the information. Kudos to U


Cheers,

Julio Carvajal Segura


Re: Some ICMP drop from inside to outside.

Hi Mashal,

Tested this last night and it's working now.

Thanks.

Cheers
