Field Notice: FN - 72439 - ASA and FTD Software: Network Address Translation Might Become Disabled - Software Upgrade Recommended

Available Languages

Updated:March 6, 2023

Document ID:FN72439

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Notice

THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.

Revision History

Revision	Publish Date	Comments
1.1	06-Mar-23	Updated the Workaround/Solution Section
1.0	28-Oct-22	Initial Release

Products Affected

Affected OS Type	Affected Software Product	Affected Release	Affected Release Number
NON-IOS	Adaptive Security Appliance (ASA) Software	9	9.12.4, 9.14.3, 9.16.2
NON-IOS	Adaptive Security Appliance (ASA) Software	Interim	9.12.4 Interim, 9.14.3 Interim, 9.16.2 Interim
NON-IOS	Firepower Threat Defense (FTD) Software	6.4	6.4.0, 6.4.0.1, 6.4.0.2, 6.4.0.3, 6.4.0.4, 6.4.0.5, 6.4.0.7, 6.4.0.8, 6.4.0.9, 6.4.0.10, 6.4.0.11, 6.4.0.12, 6.4.0.13, 6.4.0.14
NON-IOS	Firepower Threat Defense (FTD) Software	6.6	6.6.0, 6.6.0.1, 6.6.1, 6.6.3, 6.6.4, 6.6.5, 6.6.5.1
NON-IOS	Firepower Threat Defense (FTD) Software	7.0	7.0.0, 7.0.0.1, 7.0.1, 7.0.1.1

Defect Information

Defect ID	Headline
CSCvz33468	ASA/FTD - NAT stops translating source addresses after changes to object-groups in manual NAT Rule

Problem Description

For some versions of Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software, Network Address Translation (NAT) might become disabled after the object-groups in the NAT rule settings are changed.

Background

Cisco ASA and FTD software might not complete the layer 3 (L3) header of an updated source or destination address in the manual NAT rule that references the object-group with an updated nested object.

Problem Symptom

The show nat details command will indicate the new object in the NAT rule and a packet-tracer will show the traffic hitting the proper NAT rule. However, the output from the NAT will be empty as shown in this example of this issue:

Network Topology: Client > (inside) ASA (outside) > Internet Client (local 192.168.100.10, global 1.2.3.4) packet-tracer input inside icmp 192.168.100.10 8 0 X.X.X.X transmit Phase: 6 Type: NAT Subtype: Result: ALLOW Config: nat (any,outside) source dynamic inside_hosts interface destination static obj_any obj_any Additional Information: < No data printed > ASA(config)# sh cap out 1 packet captured 1: 23:13:13.030866 192.168.100.10 > X.X.X.X icmp: echo request

Note that the L3 header is not translated per the NAT rule.

Workaround/Solution

Workaround

For ASA-based devices, deactivate and reactivate or remove and re-add the NAT rule as shown in this example:

ASA(config)# nat (any,outside) source dynamic inside_hosts interface destination static obj_any obj_any inactive ASA(config)# nat (any,outside) source dynamic inside_hosts interface destination static obj_any obj_any ! ASA(config)# no nat (any,outside) source dynamic inside_hosts interface destination static obj_any obj_any ASA(config)# nat (any,outside) source dynamic inside_hosts interface destination static obj_any obj_any

For FTD-based devices, use the management platform (Firepower Management Center or Firepower Device Manager) to deactivate the NAT rule and push the policy, then reactivate the NAT rule and push the policy again.

Solution

For ASA-based devices, upgrade to one of the Cisco ASA software versions shown in this table.

Release Version	Fixed Version
9.12.4	9.12.4.38 or later
9.13.x	Not Affected
9.14.3	9.14.4 or later
9.15.x	Not Affected
9.16.x	9.16.3 or later

For FTD-based devices, upgrade to one of the Cisco FTD software versions shown in this table.

Release Version	Fixed Version
6.4.x	6.4.0.15 or later
6.5.x	Not Affected
6.6.x	6.6.5.2 or later
6.7.x	Not Affected
7.0.x	7.0.2 or later

For More Information

If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods:

Receive Email Notification For New Field Notices

My Notifications—Set up a profile to receive email updates about reliability, safety, network security, and end-of-sale issues for the Cisco products you specify.

Was this Document Helpful?

Feedback

Contact Cisco

Open a Support Case
(Requires a Cisco Service Contract)