Shulou(Shulou.com)06/01 Report--

CSCun95075-ASA drops packet due to nat-no-xlate-to-pat-pool after removing NAT rule

Symptom:

Once a twice NAT rule with a service translation is added, other traffic on the interface may also be dropped with a reason of nat-no-xlate-to-pat-pool. This is expected behavior and more details can be found here:

Http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/firewall/asa_91_firewall_config/access_fwaaa.html#wp1331733

However, if the NAT rule references an object-group and that object-group is changed while the NAT rule is still configured, traffic may still be dropped even after removing the NAT rule.

Conditions:

All of the following conditions must be matched to see this issue:

1) The ASA is configured with a twice NAT rule that uses a service translation

2) The object-group referenced in the NAT rule is edited (i.e. A new network-object is added to it) while the NAT rule is still configured

3) The NAT rule is removed from the configuration

Workaround:

Reloading the ASA after the offending NAT rule is removed will resolve the issue.

Bug Fixed in release: 9.1.5 (1) or 9.1.2

Regards

Karthik

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.