
Cisco PIX 500 Series Security Appliances

PIX OS 6.3(2) Deferral - NAT 0 Translation Loss


Revised August 28, 2003

August 11, 2003



Products Affected

Product          Comment
PIX OS 6.3(2)    Cisco PIX Security Appliance Series Operating System Release 6.3(2)

Problem Description

PIX Security Appliances running PIX OS release 6.3(2) will not display any newly or previously configured nat 0 address translation rules in their running configuration. If this running configuration is saved to the startup configuration and the system is rebooted, the nat 0 translation rules will disappear from the running and startup configurations and will not be active.

Background

PIX release 6.3(2) correctly executes nat 0 address translation rules entered at the configuration terminal or stored in the startup configuration. However, such commands are not recorded in the running configuration. If the running configuration is then written to the startup configuration and the unit is rebooted, all traces of the nat 0 address translation rules are lost.

This bug does not affect nat 0 access-list configurations, which are commonly used in IPSec VPN. Inbound static translation rules from one address or network to the same address or network are not affected either. Only nat 0 translation rules, also known as identity NAT rules, are affected.

Problem Symptoms

When nat 0 translation rules are configured on a PIX running 6.3(2), it will execute translations based on those rules but will not display them in the running configuration:

pixfirewall3# configure terminal
pixfirewall3(config)# show nat 
pixfirewall3(config)# show running-config | grep nat
(notice no output, no NAT 0 rules yet exist)
pixfirewall3(config)# nat (inside) 0 0 0 
nat 0 0.0.0.0 will be identity translated for outbound
pixfirewall3(config)# show nat
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
pixfirewall3(config)# show running-config | grep nat
(now there are NAT 0 rules in effect but not in the running configuration due to bug CSCeb84163)

If the running configuration is then copied to flash, it will be copied without any nat 0 translation rules.

pixfirewall3(config)# write memory
Building configuration...
Cryptochecksum: 999abc5c 0da8b6f7 20e34eec cf9bb414 
[OK]
pixfirewall3(config)# show nat
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
pixfirewall3(config)# show running-config | grep nat
pixfirewall3(config)# show startup-config | grep nat
(the NAT 0 translation is still in effect but is not saved in either the running or flash configuration files)

Once the PIX is rebooted all nat 0 translation rules disappear completely from the box and no nat 0 translations take place:

pixfirewall3# reload
(...reload takes place...)
pixfirewall3# show nat 
pixfirewall3# show running-config | grep nat
pixfirewall3# show startup-config | grep nat
(after the reboot there are no NAT 0 rules in effect or in place in either configuration)

The same symptoms will occur if nat 0 translation rules are already saved in a flash configuration from a previous release, the PIX is upgraded to 6.3(2), a write memory is executed, and the unit is rebooted.

Workaround/Solution

Nat 0 translation rules loaded from the startup configuration or entered via a configuration terminal will function properly on a PIX running 6.3(2) even if they do not appear in the running configuration. However, there is no way to include nat 0 translation rules in the running configuration and therefore such rules will be lost when write memory is used to copy the running configuration to the startup configuration. Systems that have been rebooted and lost their nat 0 translation rules may have those rules entered again; they will be retained and executed until the next reboot.
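The symptoms above amount to a simple invariant that is violated by this bug: every rule shown by show nat should also appear in show running-config, because that is what write memory saves. The following Python script is an added example, not part of this field notice or of any Cisco tool; it compares captured output of the two commands (constructed sample text below, modelled on the transcripts in this notice) and reports identity NAT rules that are in effect but would be dropped by a write memory and reload. It also generates the commands needed to re-enter those rules, which is the workaround described above. The parsing of nat lines is the script's own assumption about the PIX output format; the nat 0 access-list form is deliberately skipped because the notice states it is not affected.

```python
"""Detect nat 0 (identity NAT) rules that are active on a PIX 6.3(2) but absent
from the configuration that `write memory` would save (bug CSCeb84163)."""
import re

# Matches a PIX nat rule as printed by `show nat` or in the running config, e.g.
#   nat (inside) 0 0.0.0.0 0.0.0.0 0 0
#   nat (inside) 1 10.1.1.0 255.255.255.0 0 0
# Both the dotted form and the abbreviated "0" that the operator typed are accepted.
# The access-list form ("nat (inside) 0 access-list nonat") does not match, which
# is intended: the field notice says that form is not affected by the bug.
NAT_RULE = re.compile(
    r"^\s*nat\s+\((?P<iface>[^)]+)\)\s+(?P<id>\d+)\s+"
    r"(?P<addr>\d+(?:\.\d+){3}|0)\s+(?P<mask>\d+(?:\.\d+){3}|0)"
)


def _expand(addr):
    """Normalise the PIX shorthand '0' to '0.0.0.0' so rules compare equal."""
    return "0.0.0.0" if addr == "0" else addr


def parse_nat_rules(text):
    """Return the set of (interface, id, address, mask) tuples found in text.
    Prompts, status messages and non-matching lines are skipped."""
    rules = set()
    for line in text.splitlines():
        m = NAT_RULE.match(line)
        if m:
            rules.add((m["iface"], int(m["id"]), _expand(m["addr"]), _expand(m["mask"])))
    return rules


def unsaved_identity_rules(show_nat_output, running_config_output):
    """nat 0 rules that are in effect (show nat) but missing from the running
    configuration. These are exactly the rules a write memory + reload drops."""
    active = parse_nat_rules(show_nat_output)
    saved = parse_nat_rules(running_config_output)
    return sorted(rule for rule in active - saved if rule[1] == 0)


def reentry_commands(rules):
    """Configuration-mode commands to re-enter the given rules after a reload
    has lost them (the workaround in the field notice)."""
    return ["nat (%s) %d %s %s" % rule for rule in rules]


# Constructed sample output, modelled on the transcripts in the field notice.
SHOW_NAT = """\
pixfirewall3(config)# show nat
nat (inside) 0 access-list nonat
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
nat (inside) 1 10.1.1.0 255.255.255.0 0 0
"""

RUNNING_CONFIG = """\
pixfirewall3(config)# show running-config | grep nat
nat (inside) 0 access-list nonat
nat (inside) 1 10.1.1.0 255.255.255.0 0 0
"""

if __name__ == "__main__":
    missing = unsaved_identity_rules(SHOW_NAT, RUNNING_CONFIG)
    if missing:
        print("Identity NAT rules active but not in running-config (will be lost on write memory + reload):")
        for cmd in reentry_commands(missing):
            print("  " + cmd)
    else:
        print("All active nat 0 rules are present in the running configuration.")
```

Run the check against output captured before a write memory; a non-empty result means the saved configuration will not match the rules actually in effect, and the printed commands are what must be re-entered after the reload. The regex is anchored on the `nat (` prefix so that the confirmation message "nat 0 0.0.0.0 will be identity translated for outbound" and the CLI prompts are ignored.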

PIX release 6.3(2) has been deferred and removed from the Cisco.com Software Center. PIX release 6.3(3) includes a fix for bug CSCeb84163 and is now available from the Software Center. All customers running 6.3(2) or an engineering build based on 6.3(2) should upgrade to 6.3(3) or later releases when made available.

PIX releases are located on Cisco.com in the Software Center.

DDTS

To follow the bug ID link below and see detailed bug information, you must be a registered user and you must be logged in.

DDTS                                        Description
CSCeb84163 (registered customers only)      PIX does not retain NAT 0 entries after a reload

For More Information

If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods: