Cisco Bug: CSCvu18128 - DOC: ASA/FTD NAT Order of Rules

Last Modified

Jun 09, 2020

Products (1)

  • Cisco ASA 5500-X Series Firewalls

Known Affected Releases

99.10(1.112) 99.12(4.6)

Description (partial)

Symptom:
As mentioned in the configuration guides, NAT statements should be configured from most specific to broadest.

But when a dynamic NAT is configured above a static NAT statement with overlapping sources but different destination interfaces, the observed behavior is that "ignore nat divert" happens, enforcing a route lookup, and the UN-NAT phase does not occur.

We need information about "ignore nat divert" and whether there is any way of controlling or disabling it.

Conditions:
An ASA 5585 running software versions 9.8.2.20 and 9.12.1 is configured with the following NAT statements:

# nat (inside,dmz) source dynamic obj-192.168.12.0 interface
# nat (inside,outside) source static obj-192.168.12.93 obj-192.168.12.93 destination static obj-10.48.90.100 obj-10.48.90.100

- The issue: when the host 192.168.12.93 communicates with a destination behind the outside interface (i.e. 10.48.90.100), the traffic hits the second (static) NAT rule, but the translation is applied only to the source (identity translation); the destination part of the NAT rule is not hit, and the traffic goes through the firewall with only the source translated.

- We see that the source overlaps with the first dynamic NAT, but the destination is behind another interface, and the routing table agrees with this:
-------------------------------------------
ciscoasa(config)# show route

S*       0.0.0.0 0.0.0.0 [1/0] via 10.48.66.1, outside
C        1.1.1.0 255.255.255.0 is directly connected, dmz
L        1.1.1.1 255.255.255.255 is directly connected, dmz
C        10.48.66.0 255.255.254.0 is directly connected, outside
L        10.48.66.8 255.255.255.255 is directly connected, outside
C        192.168.12.0 255.255.255.0 is directly connected, inside
L        192.168.12.8 255.255.255.255 is directly connected, inside
-----------------------------------------

The issue started after the upgrade from 9.1.7.23 to 9.8.2.20.

++ If the static NAT is configured first, the issue is resolved.
++ If we specify a destination in the dynamic NAT that does not overlap with the destination of the static NAT, the issue is resolved (in other words, the issue occurs only when the dynamic NAT has no destination).

++ The issue is the same even if we configure the NAT statement the other way around:
nat (outside,inside) source static obj-10.48.90.100 obj-10.48.90.100 destination static obj-192.168.12.93 obj-192.168.12.93
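The ordering dependency described above (a destination-less dynamic rule placed before a static rule with a destination, on the same source interface) can be caught in a configuration review before it reaches a firewall. The following is an added example, not part of the bug report or of any Cisco tool: a small first-match shadow check over manual NAT lines. The object-to-prefix mapping is an assumption, since the report names the objects but does not show their definitions, and the check covers only the forward ordering case of the two rules in the report.

```python
import ipaddress
import re

# Assumed object definitions: the bug report names these objects but does not
# show them, so the prefixes here are constructed for this example.
OBJECTS = {
    "obj-192.168.12.0": ipaddress.ip_network("192.168.12.0/24"),
    "obj-192.168.12.93": ipaddress.ip_network("192.168.12.93/32"),
    "obj-10.48.90.100": ipaddress.ip_network("10.48.90.100/32"),
}

# Matches the manual NAT syntax used in the report; 'destination' is optional.
NAT_RE = re.compile(
    r"nat \((?P<src_if>[\w-]+),(?P<dst_if>[\w-]+)\) source (?:dynamic|static) "
    r"(?P<src>[\w.-]+) [\w.-]+(?: destination static (?P<dst>[\w.-]+) [\w.-]+)?"
)

def parse_rule(line):
    """Return the real source prefix, optional real destination prefix and
    source interface of one 'nat' line, or None if it is not a NAT rule."""
    m = NAT_RE.search(line)
    if not m:
        return None
    return {
        "src_if": m["src_if"],
        "src": OBJECTS[m["src"]],
        "dst": OBJECTS[m["dst"]] if m["dst"] else None,  # None: any destination
        "line": line.strip(),
    }

def find_shadowed(lines):
    """Return (earlier, later) pairs where an earlier rule with no destination
    criterion covers a later rule's real source on the same source interface:
    under first-match evaluation the later rule's destination is never checked."""
    rules = [r for r in (parse_rule(l) for l in lines) if r]
    hits = []
    for i, later in enumerate(rules):
        if later["dst"] is None:
            continue
        for earlier in rules[:i]:
            if (earlier["dst"] is None and earlier["src_if"] == later["src_if"]
                    and later["src"].subnet_of(earlier["src"])):
                hits.append((earlier["line"], later["line"]))
    return hits

# The two rules from the report, in the order that triggers the problem.
REPORTED = [
    "nat (inside,dmz) source dynamic obj-192.168.12.0 interface",
    "nat (inside,outside) source static obj-192.168.12.93 obj-192.168.12.93 "
    "destination static obj-10.48.90.100 obj-10.48.90.100",
]

if __name__ == "__main__":
    for earlier, later in find_shadowed(REPORTED):
        print(f"rule '{later}'\n  is shadowed by '{earlier}'")
```

Reversing the two entries in REPORTED, which is the report's first workaround, produces no findings.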