Hi
It is all perfectly fine here - NAT Exemption essentially bypasses the NAT
process meaning there won't be any translation slots for the exempted
traffic in the XLATE table.
Regards,
-- 
Piotr Kaluzny
CCIE #25665 (Security), CCSP, CCNP
Sr. Technical Instructor - IPexpert, Inc.
URL: http://www.IPexpert.com

On Thu, Sep 5, 2013 at 12:01 AM, jeremy co <jeremy.cool14_at_gmail.com> wrote:
> Hi,
>
> Can someone please verify whether I am missing something or ASA 8.0 (2) simply
> doesn't show xlate for this: (I can see from both pinging from dmz to inside
> and packet tracer that it does NAT but there is no output in sh xlate)
>
> ASA4# sh int ip br
> Ethernet0/2 7.7.15.10 inside
> Ethernet0/3 7.7.16.10 dmz
>
> nat-control
> nat (inside) 0 access-list noNAT-inside
> access-list noNAT-inside extended permit ip host 7.7.15.2 host 7.7.16.4
>
> ASA4# sh xlate det
> 0 in use, 2 most used
>
> ASA4# packet-tracer input dmz icmp 7.7.16.4 8 0 7.7.15.2
>
> Phase: 1
> Type: CAPTURE
> Subtype:
> Result: ALLOW
> Config:
> Additional Information:
> MAC Access list
>
> Phase: 2
> Type: ACCESS-LIST
> Subtype:
> Result: ALLOW
> Config:
> Implicit Rule
> Additional Information:
> MAC Access list
>
> Phase: 3
> Type: FLOW-LOOKUP
> Subtype:
> Result: ALLOW
> Config:
> Additional Information:
> Found no matching flow, creating a new flow
>
> Phase: 4
> Type: ROUTE-LOOKUP
> Subtype: input
> Result: ALLOW
> Config:
> Additional Information:
> in 7.7.15.0 255.255.255.0 inside
>
> Phase: 5
> Type: ACCESS-LIST
> Subtype: log
> Result: ALLOW
> Config:
> access-group DMZ in interface dmz
> access-list DMZ extended permit icmp host 7.7.16.4 host 7.7.15.2
> Additional Information:
>
> Phase: 6
> Type: IP-OPTIONS
> Subtype:
> Result: ALLOW
> Config:
> Additional Information:
>
> Phase: 7
> Type: INSPECT
> Subtype: np-inspect
> Result: ALLOW
> Config:
> Additional Information:
>
> Phase: 8
> Type: NAT-EXEMPT
> Subtype: rpf-check
> Result: ALLOW
> Config:
> Additional Information:
>
> Phase: 9
> Type: NAT
> Subtype: host-limits
> Result: ALLOW
> Config:
> nat (dmz) 0 0.0.0.0 0.0.0.0
> nat-control
> match ip dmz any outside any
> no translation group, implicit deny
> policy_hits = 0
> Additional Information:
>
> Phase: 10
> Type: NAT
> Subtype: rpf-check
> Result: ALLOW
> Config:
> nat (inside) 0 0.0.0.0 0.0.0.0
> nat-control
> match ip inside any dmz any
> no translation group, implicit deny
> policy_hits = 1
> Additional Information:
>
> Phase: 11
> Type: FLOW-CREATION
> Subtype:
> Result: ALLOW
> Config:
> Additional Information:
> New flow created with id 588, packet dispatched to next module
>
> Phase: 12
> Type: ROUTE-LOOKUP
> Subtype: output and adjacency
> Result: ALLOW
> Config:
> Additional Information:
> found next-hop 7.7.15.2 using egress ifc inside
> adjacency Active
> next-hop mac address c204.0d80.0000 hits 3420
>
> Result:
> input-interface: dmz
> input-status: up
> input-line-status: up
> output-interface: inside
> output-status: up
> output-line-status: up
> Action: allow

Received on Thu Sep 05 2013 - 00:22:45 ART
This archive was generated by hypermail 2.2.0 : Tue Oct 01 2013 - 06:36:35 ART
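
An added example, not part of the original thread: a small Python check that reads packet-tracer text in the layout quoted above, finds an allowed NAT-EXEMPT phase, and confirms that an empty `sh xlate` count is the expected outcome for that flow, as the reply explains. The function names are hypothetical and the sample input is constructed (abridged from the quoted output).

```python
import re

# Constructed sample, abridged from the layout of the packet-tracer output quoted above.
SAMPLE_TRACE = """\
> Phase: 4
> Type: ROUTE-LOOKUP
> Subtype: input
> Result: ALLOW
>
> Phase: 8
> Type: NAT-EXEMPT
> Subtype: rpf-check
> Result: ALLOW
>
> Phase: 9
> Type: NAT
> Subtype: host-limits
> Result: ALLOW
>
> Result:
> input-interface: dmz
> Action: allow
"""
SAMPLE_XLATE = "0 in use, 2 most used"  # summary line format of 'sh xlate'

FIELD = re.compile(r"^(Phase|Type|Subtype|Result):\s*(.*)$")

def parse_phases(text):
    """Return one dict per 'Phase:' block; tolerates '>' mail-quote prefixes."""
    phases = []
    for raw in text.splitlines():
        m = FIELD.match(raw.lstrip("> \t").rstrip())
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "phase":
            phases.append({"phase": int(value)})
        elif key == "result" and not value:
            break  # a bare 'Result:' opens the final summary, not a phase
        elif phases:
            phases[-1][key] = value
    return phases

def xlate_in_use(show_xlate_text):
    """Extract N from the 'N in use, M most used' line of 'sh xlate'."""
    m = re.search(r"(\d+) in use", show_xlate_text)
    return int(m.group(1)) if m else None

def empty_xlate_is_expected(trace_text, show_xlate_text):
    """True when the flow passed a NAT-EXEMPT phase and the xlate table is empty."""
    exempt = any(p.get("type") == "NAT-EXEMPT" and p.get("result") == "ALLOW"
                 for p in parse_phases(trace_text))
    return exempt and xlate_in_use(show_xlate_text) == 0
```
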