Cisco Bug: CSCvv34059 - ENH: Packet tracer should always show correct matching NAT rule for the reverse flow
Sep 23, 2020
- Cisco ASA 5500-X Series Firewalls
Known Affected Releases
9.12(4) 9.14 9.6(4) 9.8(4)
Symptom:

Packet tracer may show an incorrect matching NAT rule for the reverse flow. This happens if, for example, there are dynamic and static NAT entries for the same host, ICMP error inspection is enabled, and the protocol of the reverse flow is not the same as the protocol of the forward flow, e.g. the forward flow is UDP to port 1234 and the reverse flow is an ICMP type 3 code 3 (port unreachable) message.

Consider the following scenario. For host 198.51.100.1 there are two NAT definitions: one dynamic NAT rule in the manual NAT section (Section 1) and one object NAT rule in the auto NAT section (Section 2):

    # show nat detail
    Manual NAT Policies (Section 1)
    1 (inside) to (outside) source dynamic host-198.51.100.1 host-192.0.2.200
        translate_hits = 0, untranslate_hits = 0
        Source - Origin: 198.51.100.1/32, Translated: 192.0.2.200/32

    Auto NAT Policies (Section 2)
    1 (inside) to (outside) source static host-198.51.100.1 host-192.0.2.100
        translate_hits = 0, untranslate_hits = 0
        Source - Origin: 198.51.100.1/32, Translated: 192.0.2.100/32

ICMP error inspection is enabled:

    # show run policy-map | i icmp
      inspect icmp
      inspect icmp error

Assume that a host on the outside network (192.0.2.1) sends a UDP datagram to host 198.51.100.1 using its mapped IP address 192.0.2.100 and port 1234, which is not bound to any service. In this case the host's operating system typically returns an ICMP Type 3 Code 3 (Port Unreachable) message to the source host:

    ASA1# show capture capi
    2 packets captured
       1: 15:59:55.431175 192.0.2.1.50927 > 198.51.100.1.1234: udp 1
       2: 15:59:55.431404 198.51.100.1 > 192.0.2.1 icmp: 198.51.100.1 udp port 1234 unreachable   <----- ICMP Type 3 Code 3
    2 packets shown

    KSEC-ASA5585-60-1# show capture capo
    2 packets captured
       1: 15:59:55.431023 802.1Q vlan#203 P0 192.0.2.1.50927 > 192.0.2.100.1234: udp 1
       2: 15:59:55.431511 802.1Q vlan#203 P0 192.0.2.100 > 192.0.2.1 icmp: 192.0.2.100 udp port 1234 unreachable   <----- ICMP Type 3 Code 3 with IP addresses translated according to the object NAT rule in the auto NAT section
    2 packets shown

Note that in the outside capture both the outer source address and the destination address quoted from the original datagram inside the ICMP error read 192.0.2.100: ICMP error inspection rewrites the embedded header with the same translation as the outer header, so the real inside address 198.51.100.1 is not exposed on the outside.

Trace of the forward flow 192.0.2.1.50927 > 198.51.100.1.1234 (only the NAT phase is shown):

    Phase: 3
    Type: UN-NAT
    Subtype: static
    Result: ALLOW
    Config:
    object network host-198.51.100.1
     nat (inside,outside) static host-192.0.2.100
    Additional Information:
    NAT divert to egress interface inside
    Untranslate 192.0.2.100/1234 to 198.51.100.1/1234

Trace of the reverse flow 198.51.100.1 > 192.0.2.1 icmp: 198.51.100.1 udp port 1234 unreachable (only the NAT phase is shown):

    Phase: 5
    Type: NAT
    Subtype:
    Result: ALLOW
    Config:
    nat (inside,outside) source dynamic host-198.51.100.1 host-192.0.2.200
    Additional Information:

As seen above, for the reverse flow the NAT entry reported as matching is the dynamic rule in the manual NAT section, while the IP addresses of the ICMP packet were actually translated according to the object NAT rule in the auto NAT section. This is an enhancement request to improve packet tracer so that it shows the correct matching NAT rule for the reverse flow. Until then, confirm which translation was really applied to the reply direction with a capture on the outside interface, or with show xlate and show conn, rather than relying on the NAT phase that packet-tracer prints for the reverse flow when the conditions below match.

Conditions:

The symptoms are observed when all of the following known conditions match:
- There are at least two NAT statements for the same host.
- The forward and reverse flows of a connection have different protocols, for example the forward flow is UDP or TCP and the reverse flow is ICMP.
- ICMP error inspection is enabled.
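To make the two answers concrete, here is a small Python model of the rule selection, added as an illustration and not Cisco code. It assumes that NAT rules are evaluated in section order, that a dynamic rule is never matched by outside-initiated traffic, and that the tracer's reverse lookup evaluates the ICMP error as a bare ICMP 5-tuple without the quoted original datagram; the bug text does not state the root cause, so the last point is a working assumption of the model. The rule set and the packets are constructed from the output quoted above; all names (NatRule, ConnTable, replay_bug_scenario) are hypothetical.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Hypothetical simplified model of ASA NAT rule selection; not Cisco code.
# It reproduces the two answers seen in the bug: the rule a new-flow lookup
# picks for the ICMP error (what the tracer printed) and the rule the
# existing connection was built with (what the captures show).


@dataclass(frozen=True)
class NatRule:
    section: int      # 1 = manual NAT (Section 1), 2 = auto/object NAT (Section 2)
    kind: str         # "static" or "dynamic"
    real_ip: str      # address as seen on the inside interface
    mapped_ip: str    # address as seen on the outside interface
    config: str       # what packet-tracer prints under "Config:"


# Rules constructed from the 'show nat detail' output quoted in the bug.
RULES = (
    NatRule(1, "dynamic", "198.51.100.1", "192.0.2.200",
            "nat (inside,outside) source dynamic host-198.51.100.1 host-192.0.2.200"),
    NatRule(2, "static", "198.51.100.1", "192.0.2.100",
            "object network host-198.51.100.1 nat (inside,outside) static host-192.0.2.100"),
)

# (proto, src_ip, src_port, dst_ip, dst_port) as seen on the inside interface
FiveTuple = Tuple[str, str, int, str, int]


def untranslate_new_flow(rules, mapped_dst_ip: str) -> Optional[NatRule]:
    """Outside-initiated new connection: walk the sections in order and take
    the first rule whose mapped address matches.  A dynamic rule only creates
    translations for connections started from the real side, so it is skipped
    for outside-initiated traffic (model assumption)."""
    for rule in sorted(rules, key=lambda r: r.section):
        if rule.kind == "static" and rule.mapped_ip == mapped_dst_ip:
            return rule
    return None


def translate_new_flow(rules, real_src_ip: str) -> Optional[NatRule]:
    """Inside-initiated new connection: first rule in section order whose real
    address matches.  Section 1 wins over Section 2 for the same host, which
    is why a lookup that treats the ICMP error as a new flow reports the
    dynamic manual NAT rule."""
    for rule in sorted(rules, key=lambda r: r.section):
        if rule.real_ip == real_src_ip:
            return rule
    return None


class ConnTable:
    """Minimal connection table: every outside-initiated connection records
    the rule that untranslated it so the reply direction can reuse it."""

    def __init__(self) -> None:
        self._conns: Dict[FiveTuple, NatRule] = {}

    def open_from_outside(self, rules, proto: str, src_ip: str, src_port: int,
                          mapped_dst_ip: str, dst_port: int) -> Optional[NatRule]:
        rule = untranslate_new_flow(rules, mapped_dst_ip)
        if rule is not None:
            self._conns[(proto, src_ip, src_port, rule.real_ip, dst_port)] = rule
        return rule

    def lookup(self, key: FiveTuple) -> Optional[NatRule]:
        return self._conns.get(key)


def reverse_flow_rule(conns: ConnTable, rules, icmp_src_ip: str,
                      embedded: Optional[FiveTuple]) -> Optional[NatRule]:
    """Rule applied to an inside-to-outside ICMP error.

    With ICMP error inspection the firewall uses the datagram quoted inside
    the ICMP error to find the connection it belongs to and reuses that
    connection's rule for both the outer and the embedded header.  When no
    embedded datagram is available (a bare ICMP 5-tuple, which is all this
    model assumes the tracer's reverse lookup evaluates), the packet cannot
    be tied to a connection and new-flow rule-order evaluation applies."""
    if embedded is not None:
        rule = conns.lookup(embedded)
        if rule is not None:
            return rule
    return translate_new_flow(rules, icmp_src_ip)


def replay_bug_scenario():
    """Replays the captures from the bug and returns (forward rule, rule
    actually applied to the ICMP error, rule a new-flow lookup reports)."""
    conns = ConnTable()
    # capo packet 1: 192.0.2.1.50927 > 192.0.2.100.1234 udp (outside view)
    forward = conns.open_from_outside(RULES, "udp", "192.0.2.1", 50927, "192.0.2.100", 1234)
    # capi packet 2 quotes the original datagram as it arrived on the inside
    embedded: FiveTuple = ("udp", "192.0.2.1", 50927, "198.51.100.1", 1234)
    applied = reverse_flow_rule(conns, RULES, "198.51.100.1", embedded)
    reported = reverse_flow_rule(conns, RULES, "198.51.100.1", None)
    return forward, applied, reported


if __name__ == "__main__":
    fwd, applied, reported = replay_bug_scenario()
    print("forward  :", fwd.config)        # Section 2 static (UN-NAT phase)
    print("applied  :", applied.config)    # Section 2 static, 192.0.2.100 on capo
    print("reported :", reported.config)   # Section 1 dynamic, as the tracer shows
```

The model deliberately keys the connection on the inside-side 5-tuple of the original datagram, because that is the only thing the ICMP error carries that links it back to the UDP connection; a lookup on the ICMP packet's own addresses finds nothing and falls through to rule order, where the Section 1 dynamic rule shadows the Section 2 static rule for the same host.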