Hi,
Can someone please verify that I am missing something or ASA 8.0 (2) simply
doesn't show xlate for this: (I can see, both from pinging from dmz to inside
and from packet tracer, that it does NAT, but there is no output in sh xlate)

ASA4# sh int ip br
Ethernet0/2 7.7.15.10 inside
Ethernet0/3 7.7.16.10 dmz
nat-control
nat (inside) 0 access-list noNAT-inside
access-list noNAT-inside extended permit ip host 7.7.15.2 host 7.7.16.4
ASA4# sh xlate det
0 in use, 2 most used
ASA4# packet-tracer input dmz icmp 7.7.16.4 8 0 7.7.15.2
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 3
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 4
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 7.7.15.0 255.255.255.0 inside
Phase: 5
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group DMZ in interface dmz
access-list DMZ extended permit icmp host 7.7.16.4 host 7.7.15.2
Additional Information:
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: NAT-EXEMPT
Subtype: rpf-check
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (dmz) 0 0.0.0.0 0.0.0.0
nat-control
match ip dmz any outside any
no translation group, implicit deny
policy_hits = 0
Additional Information:
Phase: 10
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside) 0 0.0.0.0 0.0.0.0
nat-control
match ip inside any dmz any
no translation group, implicit deny
policy_hits = 1
Additional Information:
Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 588, packet dispatched to next module
Phase: 12
Type: ROUTE-LOOKUP
Subtype: output and adjacency
Result: ALLOW
Config:
Additional Information:
found next-hop 7.7.15.2 using egress ifc inside
adjacency Active
next-hop mac address c204.0d80.0000 hits 3420
Result:
input-interface: dmz
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow
Received on Wed Sep 04 2013 - 15:01:09 ART
This archive was generated by hypermail 2.2.0 : Tue Oct 01 2013 - 06:36:35 ART