Cisco Bug: CSCvv34059 - ENH: Packet tracer should always show correct matching NAT rule for the reverse flow

Last Modified

Sep 23, 2020

Products (1)

  • Cisco ASA 5500-X Series Firewalls

Known Affected Releases

9.12(4) 9.14 9.6(4) 9.8(4)

Description (partial)

Symptom:
Packet tracer may show an incorrect matching NAT rule for reverse flows. This happens if, for example, there are dynamic and static NAT entries for the same host, ICMP error inspection is enabled, and the protocol of the reverse flow is not the same as the protocol of the forward flow, e.g. the forward flow is TCP to port 443 and the reverse flow is ICMP type 3 code 3.

Consider the following scenario:

For host 198.51.100.1 there are 2 NAT definitions: 1 dynamic NAT in the manual NAT section and 1 object NAT in the auto NAT section:

# show nat detail
Manual NAT Policies (Section 1)
1 (inside) to (outside) source dynamic host-198.51.100.1 host-192.0.2.200
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 198.51.100.1/32, Translated: 192.0.2.200/32

Auto NAT Policies (Section 2)
1 (inside) to (outside) source static host-198.51.100.1 host-192.0.2.100
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 198.51.100.1/32, Translated: 192.0.2.100/32

ICMP error inspection is enabled:

# show run policy-map   | i icmp
  inspect icmp
  inspect icmp error
  
Assume that a host located on the outside network tries to access the host 192.0.2.200 using its mapped IP address 192.0.2.100 and port 443, which is not bound to any service. In this case, the host's operating system typically returns an ICMP Type 3 Code 3 (Port Unreachable) message to the source host.

ASA1# show capture  capi

2 packets captured

   1: 15:59:55.431175       192.0.2.1.50927 > 198.51.100.1.1234:  udp 1
   2: 15:59:55.431404       198.51.100.1 > 192.0.2.1 icmp: 198.51.100.1 udp port 1234 unreachable <----- ICMP Type 3 Code 3 
2 packets shown
KSEC-ASA5585-60-1# show capture  capo

2 packets captured

   1: 15:59:55.431023       802.1Q vlan#203 P0 192.0.2.1.50927 > 192.0.2.100.1234:  udp 1
   2: 15:59:55.431511       802.1Q vlan#203 P0 192.0.2.100 > 192.0.2.1 icmp: 192.0.2.100 udp port 1234 unreachable <----- ICMP Type 3 Code 3 with translated IP addresses according to the object NAT in the auto NAT section.
2 packets shown

Trace of the forward flow 192.0.2.1.50927 > 198.51.100.1.1234 (only NAT phase is shown):

Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network host-198.51.100.1
 nat (inside,outside) static host-192.0.2.100
Additional Information:
NAT divert to egress interface inside
Untranslate 192.0.2.100/1234 to 198.51.100.1/1234

Trace of the reverse flow 198.51.100.1 > 192.0.2.1 icmp: 198.51.100.1 udp port 1234 unreachable (only NAT phase is shown):

Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source dynamic host-198.51.100.1 host-192.0.2.200
Additional Information:

As seen above, for the reverse flow packet tracer reports the dynamic NAT entry as the match, while the IP addresses of the ICMP packet were actually translated according to the object NAT rule in the auto NAT section.
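The cross-check performed above (captures on both interfaces versus the NAT phase of the packet-tracer output) can be automated so that the rule packet tracer names is not trusted blindly. The following is an added example, not Cisco code and not part of this bug report; it parses the `show nat detail`, `show capture` and packet-tracer `Config:` output quoted above (embedded here as constructed sample input) and reports whether the rule packet tracer named is the one the captures show was actually applied.

```python
import re

# Constructed sample input, copied from the bug description above (hit counters dropped).
SHOW_NAT = """\
Manual NAT Policies (Section 1)
1 (inside) to (outside) source dynamic host-198.51.100.1 host-192.0.2.200
    Source - Origin: 198.51.100.1/32, Translated: 192.0.2.200/32
Auto NAT Policies (Section 2)
1 (inside) to (outside) source static host-198.51.100.1 host-192.0.2.100
    Source - Origin: 198.51.100.1/32, Translated: 192.0.2.100/32
"""
CAPI = "2: 15:59:55.431404  198.51.100.1 > 192.0.2.1 icmp: 198.51.100.1 udp port 1234 unreachable"
CAPO = "2: 15:59:55.431511  802.1Q vlan#203 P0 192.0.2.100 > 192.0.2.1 icmp: 192.0.2.100 udp port 1234 unreachable"
TRACE_CONFIG = "nat (inside,outside) source dynamic host-198.51.100.1 host-192.0.2.200"

SECTION = re.compile(r"^(Manual|Auto) NAT Policies \(Section (\d)\)")
RULE = re.compile(r"^\d+ \(\S+\) to \(\S+\) source (dynamic|static) ")
ORIGIN = re.compile(r"Source - Origin: (\S+?)/\d+, Translated: (\S+?)/\d+")
ICMP_ERR = re.compile(r"(\d+(?:\.\d+){3}) > (\d+(?:\.\d+){3}) icmp: ")
TRACE_RULE = re.compile(r"source (dynamic|static) host-(\S+) host-(\S+)")

def parse_nat(text):
    """Turn 'show nat detail' output into a list of {section, type, origin, translated}."""
    rules, section, kind = [], None, None
    for line in text.splitlines():
        if m := SECTION.match(line):
            section = int(m.group(2))
        elif m := RULE.match(line):
            kind = m.group(1)
        elif m := ORIGIN.search(line):
            rules.append({"section": section, "type": kind, "origin": m.group(1), "translated": m.group(2)})
    return rules

def applied_rule(rules, inside_line, outside_line):
    """Infer the rule that really translated the ICMP error: pair the pre-NAT source (inside capture) with the post-NAT source (outside capture)."""
    real, mapped = (ICMP_ERR.search(l).group(1) for l in (inside_line, outside_line))
    for r in rules:
        if r["origin"] == real and r["translated"] == mapped:
            return r
    return None

def tracer_rule(config_line):
    """Extract type/origin/translated from the Config: line of a packet-tracer NAT phase."""
    kind, origin, mapped = TRACE_RULE.search(config_line).groups()
    return {"type": kind, "origin": origin, "translated": mapped}

def tracer_matches_capture(rules, inside_line, outside_line, config_line):
    """True only when the rule packet tracer reported is the one the captures show was applied."""
    actual, reported = applied_rule(rules, inside_line, outside_line), tracer_rule(config_line)
    return actual is not None and actual["translated"] == reported["translated"]
```

For the data on this page the captures point at the Section 2 static rule (mapped source 192.0.2.100) while packet tracer named the Section 1 dynamic rule, so the check returns False.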

This is an enhancement request to improve the packet tracer to show the correct matching NAT rule for the reverse flow.

Conditions:
The symptoms are observed when all the following known conditions match:

- There are at least 2 NAT statements for the same host.

- Forward and reverse flows of a connection have different protocols. For example, forward flow is UDP or TCP, reverse flow is ICMP.

- ICMP error inspection is enabled.