Symptom
ASA/FTD does not fix up the L3 header (source or destination address) for a manual NAT rule that references an object-group whose nested object membership has been updated.
Note: The ASA will show the new object in the rule via 'show nat detail', and packet-tracer will show the traffic hitting the proper NAT rule. However, the 'Additional Information' output of the NAT phase is empty (no translation is listed) and the header leaves untranslated. Example below:
Topology
========
Client > (inside) ASA (outside) > Internet
Client (local 192.168.100.10, global 1.2.3.4)
packet-tracer input inside icmp 192.168.100.10 8 0 X.X.X.X transmit
Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (any,outside) source dynamic inside_hosts interface destination static obj_any obj_any
Additional Information:
>>
ASA(config)# sh cap out
1 packet captured
1: 23:13:13.030866 192.168.100.10 > X.X.X.X icmp: echo request <<< L3 header not translated
Conditions
An object-group referenced by a manual NAT rule is updated with a new object (via object-group addition), and the L3 header of traffic matching that new object is not fixed up by the NAT rule. Example below:
Existing Configuration
======================
object network obj_192.168.100.10
host 192.168.100.10
!
object-group network inside_hosts
network-object object obj_192.168.100.10
!
nat (any,outside) source dynamic inside_hosts interface destination static obj_any obj_any
Triggering Configuration
========================
object network obj_192.168.100.100
host 192.168.100.100
!
object-group network inside_hosts
network-object object obj_192.168.100.100 <<<< trigger
Workaround
Deactivate and reactivate the NAT rule, or remove and re-add it. Examples below:
nat (any,outside) source dynamic inside_hosts interface destination static obj_any obj_any inactive
nat (any,outside) source dynamic inside_hosts interface destination static obj_any obj_any
!
no nat (any,outside) source dynamic inside_hosts interface destination static obj_any obj_any
nat (any,outside) source dynamic inside_hosts interface destination static obj_any obj_any
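The following Python script is an added verification aid and is not part of the original bug report or of any Cisco tooling. It parses 'show capture' output in the format shown in the Symptom section, flags packets whose source address still carries an inside (local) host address instead of the mapped global address, and emits the Workaround command sequence for the affected NAT rule so the check and the fix can be scripted together. The capture lines, the 203.0.113.9 destination and the 198.51.100.1 outside-interface address are constructed placeholders; the inside host addresses and the NAT rule are taken from the report.

```python
import re

# Constructed sample in the layout of ASA 'show capture' output. Packet 1 is
# the untranslated echo request from the report; packet 2 is a correctly
# translated one (source rewritten to the outside interface address); packet 3
# is TCP from the newly added object, also untranslated.
SAMPLE_CAPTURE = """\
3 packets captured
   1: 23:13:13.030866 192.168.100.10 > 203.0.113.9 icmp: echo request
   2: 23:13:14.101234 198.51.100.1 > 203.0.113.9 icmp: echo request
   3: 23:13:15.227781 192.168.100.100.49152 > 203.0.113.9.443: S 1:1(0) win 8192
3 packets shown
"""

# Local addresses the inside_hosts group covers (from the report) and the
# global address the rule should stamp on them (constructed placeholder for
# the outside interface IP).
INSIDE_HOSTS = {"192.168.100.10", "192.168.100.100"}
GLOBAL_ADDR = "198.51.100.1"

# The manual NAT rule from the report, used to build the workaround commands.
NAT_RULE = ("nat (any,outside) source dynamic inside_hosts interface "
            "destination static obj_any obj_any")

# One capture line: "<num>: <timestamp> <src>[.<sport>] > <dst>[.<dport>] ..."
# IPv4 only; the optional trailing ".<port>" is present for TCP/UDP.
CAPTURE_LINE = re.compile(
    r"^\s*(?P<num>\d+):\s+(?P<ts>\S+)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?:\.(?P<sport>\d+))?\s+>\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?:\.(?P<dport>\d+))?"
)


def parse_capture(text):
    """Return one dict per packet line; header/footer lines are skipped."""
    flows = []
    for line in text.splitlines():
        m = CAPTURE_LINE.match(line)
        if not m:
            continue
        flows.append({
            "num": int(m["num"]),
            "src": m["src"],
            "sport": int(m["sport"]) if m["sport"] else None,
            "dst": m["dst"],
            "dport": int(m["dport"]) if m["dport"] else None,
        })
    return flows


def untranslated_sources(text, inside_hosts, global_addr):
    """Packets captured on the outside whose source was never rewritten.

    A correctly translated packet carries global_addr as its source; one that
    still carries a member of inside_hosts hit the rule but was not fixed up,
    which is the symptom described in the report.
    """
    return [f for f in parse_capture(text)
            if f["src"] in inside_hosts and f["src"] != global_addr]


def workaround_commands(nat_rule):
    """Both workaround variants from the report for the given rule text."""
    return {
        "toggle": [nat_rule + " inactive", nat_rule],
        "readd": ["no " + nat_rule, nat_rule],
    }


if __name__ == "__main__":
    bad = untranslated_sources(SAMPLE_CAPTURE, INSIDE_HOSTS, GLOBAL_ADDR)
    for f in bad:
        print(f"packet {f['num']}: source {f['src']} not translated to {GLOBAL_ADDR}")
    if bad:
        print("\nApply one of the following on the ASA:")
        for name, cmds in workaround_commands(NAT_RULE).items():
            print(f"--- {name} ---")
            print("\n".join(cmds))
```

Run it against a capture taken on the outside interface after editing the object-group; any packet listed means the rule matched but the header was left untranslated, and the printed command sequence is the report's workaround for that rule.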
Further Problem Description