BugZero | Cisco BugID CSCwe80278 - Dynamic interface NAT rules cause SSH/ICMP to fail...

Cisco - Defect ID: CSCwe80278

Dynamic interface NAT rules cause SSH/ICMP to fail with nat-no-xlate-to-pat-pool in ASA cluster

Cisco - Defect ID: CSCwe80278

Dynamic interface NAT rules cause SSH/ICMP to fail with nat-no-xlate-to-pat-pool in ASA cluster

Last updated on January 27th, 2025

BugZero Risk Score
7.8 High

Overall: 7.8

Severity: 8.2

Lifecycle: 9.1

Popularity: 4.6

What is the BugZero Risk Score?

Cisco Integration

Learn more about where this data comes from

Cisco Integration

Learn more

Bug Scrub Advisor

Streamline upgrades with automated vendor bug scrubs

Bug Scrub Advisor

Learn more

BugZero Enterprise

Wish you caught this bug sooner? Get proactive today.

BugZero Enterprise

Learn more

Bug Details

Description

Symptom

In an ASA cluster with at least 2 devices SSH and ICMP will fail with the following ASP drop should any unit other than the control node receive that traffic instead of being redirected to the control node as intended: - Connection to PAT address without pre-existing xlate (nat-no-xlate-to-pat-pool) A packet capture with trace enable will show the following: 1: 20:15:30.907027 802.1Q vlan#1000 P0 192.168.1.1.57432 > 192.168.2.1.22: S 1032924300:1032924300(0) win 65535 Phase: 1 Type: CAPTURE Subtype: Result: ALLOW Config: Additional Information: MAC Access list Phase: 2 Type: ACCESS-LIST Subtype: Result: ALLOW Config: Implicit Rule Additional Information: MAC Access list Phase: 3 Type: ROUTE-LOOKUP Subtype: Resolve Egress Interface Result: ALLOW Config: Additional Information: found next-hop 10.122.169.73 using egress ifc identity Result: input-interface: Outside input-status: up input-line-status: up output-interface: NP Identity Ifc Action: drop Drop-reason: (nat-no-xlate-to-pat-pool) Connection to PAT address without pre-existing xlate Interface configuration will be similar to the following: interface Port-channel1.1 nameif Outside security-level 0 ip address 192.168.2.1 255.255.255.0 This is seen with a dynamic NAT interface configuration that may look as follows: NOTE: These objects do not overlap with the network an admin is using SSH or ICMP from. object network Test_1 nat (Inside,Outside) dynamic interface object network Test_2 nat (Inside,Outside) dynamic interface object network Test_3 nat (Inside,Outside) dynamic interface object network Test_1 subnet 192.168.100.0 255.255.255.0 object network Test_2 subnet 192.168.200.0 255.255.255.0 object network Test_3 subnet 192.168.300.0 255.255.255.0

Conditions

- ASA devices are in a cluster of 2 or more. - SSH/ICMP traffic goes to any unit other than the control node - Dynamic interface NAT rules present overlapping with interface that uses SSH/ICMP

Workaround

- Remove the dynamic interface NAT rules - Replace the dynamic interface NAT rules using a specific IP to translate subnets to that does not overlap with the interface seeing the nat-no-xlate-to-pat-pool drops

Further Problem Description

Change history

2025-03-27 Added: 9.10.1, 9.10.1.10, 9.10.1.11, 9.10.1.17, 9.10.1.2, 9.10.1.22, 9.10.1.27, 9.10.1.30, 9.10.1.32, 9.10.1.37, 9.10.1.40, 9.10.1.42, 9.10.1.44, 9.10.1.7, 9.12.1, 9.12.1.2, 9.12.1.3, 9.12.2, 9.12.2.1, 9.12.2.4, 9.12.2.5, 9.12.2.9, 9.12.3, 9.12.3.12, 9.12.3.2, 9.12.3.7, 9.12.3.9, 9.12.4, 9.12.4.10, 9.12.4.13, 9.12.4.18, 9.12.4.2, 9.12.4.24, 9.12.4.26, 9.12.4.29, 9.12.4.30, 9.12.4.35, 9.12.4.37, 9.12.4.38, 9.12.4.39, 9.12.4.4, 9.12.4.40, 9.12.4.41, 9.12.4.47, 9.12.4.48, 9.12.4.50, 9.12.4.52, 9.12.4.54, 9.12.4.55, 9.12.4.56, 9.12.4.7, 9.12.4.8, 9.13.1, 9.13.1.10, 9.13.1.12, 9.13.1.13, 9.13.1.16, 9.13.1.19, 9.13.1.2, 9.13.1.21, 9.13.1.7, 9.14.1, 9.14.1.10, 9.14.1.15, 9.14.1.19, 9.14.1.30, 9.14.1.6, 9.14.2, 9.14.2.13, 9.14.2.15, 9.14.2.4, 9.14.2.8, 9.14.3, 9.14.3.1, 9.14.3.11, 9.14.3.13, 9.14.3.15, 9.14.3.18, 9.14.3.9, 9.14.4, 9.14.4.12, 9.14.4.13, 9.14.4.14, 9.14.4.15, 9.14.4.17, 9.14.4.22, 9.14.4.23, 9.14.4.24, 9.14.4.6, 9.14.4.7, 9.8.1, 9.8.1.5, 9.8.1.7, 9.8.2, 9.8.2.14, 9.8.2.15, 9.8.2.17, 9.8.2.20, 9.8.2.24, 9.8.2.26, 9.8.2.28, 9.8.2.33, 9.8.2.35, 9.8.2.38, 9.8.2.45, 9.8.2.8, 9.8.3, 9.8.3.11, 9.8.3.14, 9.8.3.16, 9.8.3.18, 9.8.3.21, 9.8.3.26, 9.8.3.29, 9.8.3.8, 9.8.4, 9.8.4.10, 9.8.4.12, 9.8.4.15, 9.8.4.17, 9.8.4.20, 9.8.4.22, 9.8.4.25, 9.8.4.26, 9.8.4.29, 9.8.4.3, 9.8.4.32, 9.8.4.33, 9.8.4.34, 9.8.4.35, 9.8.4.39, 9.8.4.40, 9.8.4.41, 9.8.4.43, 9.8.4.44, 9.8.4.45, 9.8.4.46, 9.8.4.48, 9.8.4.7, 9.8.4.8, 9.9.1, 9.9.1.2, 9.9.1.3, 9.9.1.4, 9.9.1.5, 9.9.2, 9.9.2.1, 9.9.2.14, 9.9.2.18, 9.9.2.235, 9.9.2.25, 9.9.2.27, 9.9.2.32, 9.9.2.36, 9.9.2.40, 9.9.2.47, 9.9.2.50, 9.9.2.52, 9.9.2.56, 9.9.2.59, 9.9.2.61, 9.9.2.66, 9.9.2.67, 9.9.2.74, 9.9.2.80, 9.9.2.83, 9.9.2.85, 9.9.2.9

Links

Original Vendor Announcement

Relevant Products

Click on a version to see all relevant bugs

Affected versions:9.10.1, 9.10.1.10, 9.10.1.11, 9.10.1.17, 9.10.1.2, 9.10.1.22, 9.10.1.27, 9.10.1.30, 9.10.1.32, 9.10.1.37, 9.10.1.40, 9.10.1.42, 9.10.1.44, 9.10.1.7, 9.12.1, 9.12.1.2, 9.12.1.3, 9.12.2, 9.12.2.1, 9.12.2.4, 9.12.2.5, 9.12.2.9, 9.12.3, 9.12.3.12, 9.12.3.2, 9.12.3.7, 9.12.3.9, 9.12.4, 9.12.4.10, 9.12.4.13, 9.12.4.18, 9.12.4.2, 9.12.4.24, 9.12.4.26, 9.12.4.29, 9.12.4.30, 9.12.4.35, 9.12.4.37, 9.12.4.38, 9.12.4.39, 9.12.4.4, 9.12.4.40, 9.12.4.41, 9.12.4.47, 9.12.4.48, 9.12.4.50, 9.12.4.52, 9.12.4.54, 9.12.4.55, 9.12.4.56, 9.12.4.7, 9.12.4.8, 9.13.1, 9.13.1.10, 9.13.1.12, 9.13.1.13, 9.13.1.16, 9.13.1.19, 9.13.1.2, 9.13.1.21, 9.13.1.7, 9.14.1, 9.14.1.10, 9.14.1.15, 9.14.1.19, 9.14.1.30, 9.14.1.6, 9.14.2, 9.14.2.13, 9.14.2.15, 9.14.2.4, 9.14.2.8, 9.14.3, 9.14.3.1, 9.14.3.11, 9.14.3.13, 9.14.3.15, 9.14.3.18, 9.14.3.9, 9.14.4, 9.14.4.12, 9.14.4.13, 9.14.4.14, 9.14.4.15, 9.14.4.17, 9.14.4.22, 9.14.4.23, 9.14.4.24, 9.14.4.6, 9.14.4.7, 9.8.1, 9.8.1.5, 9.8.1.7, 9.8.2, 9.8.2.14, 9.8.2.15, 9.8.2.17, 9.8.2.20, 9.8.2.24, 9.8.2.26, 9.8.2.28, 9.8.2.33, 9.8.2.35, 9.8.2.38, 9.8.2.45, 9.8.2.8, 9.8.3, 9.8.3.11, 9.8.3.14, 9.8.3.16, 9.8.3.18, 9.8.3.21, 9.8.3.26, 9.8.3.29, 9.8.3.8, 9.8.4, 9.8.4.10, 9.8.4.12, 9.8.4.15, 9.8.4.17, 9.8.4.20, 9.8.4.22, 9.8.4.25, 9.8.4.26, 9.8.4.29, 9.8.4.3, 9.8.4.32, 9.8.4.33, 9.8.4.34, 9.8.4.35, 9.8.4.39, 9.8.4.40, 9.8.4.41, 9.8.4.43, 9.8.4.44, 9.8.4.45, 9.8.4.46, 9.8.4.48, 9.8.4.7, 9.8.4.8, 9.9.1, 9.9.1.2, 9.9.1.3, 9.9.1.4, 9.9.1.5, 9.9.2, 9.9.2.1, 9.9.2.14, 9.9.2.18, 9.9.2.235, 9.9.2.25, 9.9.2.27, 9.9.2.32, 9.9.2.36, 9.9.2.40, 9.9.2.47, 9.9.2.50, 9.9.2.52, 9.9.2.56, 9.9.2.59, 9.9.2.61, 9.9.2.66, 9.9.2.67, 9.9.2.74, 9.9.2.80, 9.9.2.83, 9.9.2.85, 9.9.2.9

Fixed versions: No known fixed versions

Relevant Products

Click on a version to see all relevant bugs

Fixed versions: No known fixed versions

Top Cisco Defects by Risk Score

9.65Defect ID: CSCwd45843
Auth Step latency for policy evaluation due to Garbage Collection activity.
9.65Defect ID: CSCwa92734
CUBE DTMF interworking fails from rtp-nte to OOB SIP methods
9.65Defect ID: CSCwj45822
Cisco ASA and FTD Software Remote Access VPN Brute Force Denial of Service Vulnerability
9.65Defect ID: CSCvo03458
PKI "revocation check crl none" does not fallback if CRL not reachable
9.65Defect ID: CSCvq05584
Cisco IOS and IOS XE Software Tcl Arbitrary Code Execution Vulnerability

Cisco Integration

Learn more about where this data comes from

Cisco Integration

Learn more

Bug Scrub Advisor

Streamline upgrades with automated vendor bug scrubs

Bug Scrub Advisor

Learn more

BugZero Enterprise

Wish you caught this bug sooner? Get proactive today.

BugZero Enterprise

Learn more

Ready to prevent the next vendor outage?

Get a demo

OPERATIONAL DEFECT DATABASE

Cisco - Defect ID: CSCwe80278

Dynamic interface NAT rules cause SSH/ICMP to fail with nat-no-xlate-to-pat-pool in ASA cluster

Cisco - Defect ID: CSCwe80278

Dynamic interface NAT rules cause SSH/ICMP to fail with nat-no-xlate-to-pat-pool in ASA cluster

Last updated on January 27th, 2025

BugZero Risk Score7.8 High

Bug Details

Symptom

Conditions

Workaround

Further Problem Description

Links

Top Cisco Defects by Risk Score

Ready to prevent the next vendor outage?

BugZero Risk Score
7.8 High