CSCun95075 - ASA drops packet due to nat-no-xlate-to-pat-pool after removing NAT rule
抚顺县ssl适用于网站、小程序/APP、API接口等需要进行数据传输应用场景,ssl证书未来市场广阔!成为成都创新互联的ssl证书销售渠道,可以享受市场价格4-6折优惠!如果有意向欢迎电话联系或者加微信:18980820575(备注:SSL证书合作)期待与您的合作!Symptom:
Once a twice NAT rule with a service translation is added, other traffic on the interface may also be dropped with a reason of nat-no-xlate-to-pat-pool. This is expected behavior and more details can be found here:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/firewall/asa_91_firewall_config/access_fwaaa.html#wp1331733
However, if the NAT rule references an object-group and that object-group is changed while the NAT rule is still configured, traffic may still be dropped even after removing the NAT rule.
Conditions:
All of the following conditions must be matched to see this issue:
1) The ASA is configured with a twice NAT rule that uses a service translation
2) The object-group referenced in the NAT rule is edited (i.e. a new network-object is added to it) while the NAT rule is still configured
3) The NAT rule is removed from the configuration
Workaround:
Reloading the ASA after the offending NAT rule is removed will resolve the issue.
Bug Fixed in release : 9.1.5(1) or 9.1.2(100)
Regards
Karthik
另外有需要云服务器可以了解下创新互联scvps.cn,海内外云服务器15元起步,三天无理由+7*72小时售后在线,公司持有idc许可证,提供“云服务器、裸金属服务器、高防服务器、香港服务器、美国服务器、虚拟主机、免备案服务器”等云主机租用服务以及企业上云的综合解决方案,具有“安全稳定、简单易用、服务可用性高、性价比高”等特点与优势,专为企业上云打造定制,能够满足用户丰富、多元化的应用场景需求。
分享文章:ASANATBug-创新互联
URL地址:http://lswzjz.com/article/dohgdj.html