Re: is this normal ? ASA 8.0(2) NAT with nat-control and ACL

From: jeremy co <jeremy.cool14_at_gmail.com>
Date: Wed, 4 Sep 2013 15:24:08 -0700

Thanks, but according to this output, there is an output for xlate for nat 0:

http://alexandremspmoraes.wordpress.com/2012/03/13/dealing-with-identity-nat-on-asa-pre-and-post-8-3-configuration-models/

On Wed, Sep 4, 2013 at 3:22 PM, Piotr Kaluzny <piotrk_at_ipexpert.com> wrote:

> Hi
>
> It is all perfectly fine here - NAT Exemption essentially bypasses the NAT
> process meaning there won't be any translation slots for the exempted
> traffic in the XLATE table.
>
> Regards,
> --
> Piotr Kaluzny
> CCIE #25665 (Security), CCSP, CCNP
> Sr. Technical Instructor - IPexpert, Inc.
> URL: http://www.IPexpert.com
>
>
> On Thu, Sep 5, 2013 at 12:01 AM, jeremy co <jeremy.cool14_at_gmail.com> wrote:
>
>> Hi,
>>
>>
>> Can someone please verify that I am missing something or ASA 8.0(2) simply
>> doesn't show xlate for this: (I can see from both pinging from dmz to inside
>> and packet-tracer that it does NAT, but there is no output in sh xlate)
>>
>> ASA4# sh int ip br
>> Ethernet0/2 7.7.15.10 inside
>> Ethernet0/3 7.7.16.10 dmz
>>
>> nat-control
>> nat (inside) 0 access-list noNAT-inside
>> access-list noNAT-inside extended permit ip host 7.7.15.2 host 7.7.16.4
>>
>> ASA4# sh xlate det
>> 0 in use, 2 most used
>>
>>
>> ASA4# packet-tracer input dmz icmp 7.7.16.4 8 0 7.7.15.2
>>
>> Phase: 1
>> Type: CAPTURE
>> Subtype:
>> Result: ALLOW
>> Config:
>> Additional Information:
>> MAC Access list
>>
>> Phase: 2
>> Type: ACCESS-LIST
>> Subtype:
>> Result: ALLOW
>> Config:
>> Implicit Rule
>> Additional Information:
>> MAC Access list
>>
>> Phase: 3
>> Type: FLOW-LOOKUP
>> Subtype:
>> Result: ALLOW
>> Config:
>> Additional Information:
>> Found no matching flow, creating a new flow
>>
>> Phase: 4
>> Type: ROUTE-LOOKUP
>> Subtype: input
>> Result: ALLOW
>> Config:
>> Additional Information:
>> in 7.7.15.0 255.255.255.0 inside
>>
>> Phase: 5
>> Type: ACCESS-LIST
>> Subtype: log
>> Result: ALLOW
>> Config:
>> access-group DMZ in interface dmz
>> access-list DMZ extended permit icmp host 7.7.16.4 host 7.7.15.2
>> Additional Information:
>>
>> Phase: 6
>> Type: IP-OPTIONS
>> Subtype:
>> Result: ALLOW
>> Config:
>> Additional Information:
>>
>> Phase: 7
>> Type: INSPECT
>> Subtype: np-inspect
>> Result: ALLOW
>> Config:
>> Additional Information:
>>
>> Phase: 8
>> Type: NAT-EXEMPT
>> Subtype: rpf-check
>> Result: ALLOW
>> Config:
>> Additional Information:
>>
>> Phase: 9
>> Type: NAT
>> Subtype: host-limits
>> Result: ALLOW
>> Config:
>> nat (dmz) 0 0.0.0.0 0.0.0.0
>> nat-control
>> match ip dmz any outside any
>> no translation group, implicit deny
>> policy_hits = 0
>> Additional Information:
>>
>> Phase: 10
>> Type: NAT
>> Subtype: rpf-check
>> Result: ALLOW
>> Config:
>> nat (inside) 0 0.0.0.0 0.0.0.0
>> nat-control
>> match ip inside any dmz any
>> no translation group, implicit deny
>> policy_hits = 1
>> Additional Information:
>>
>> Phase: 11
>> Type: FLOW-CREATION
>> Subtype:
>> Result: ALLOW
>> Config:
>> Additional Information:
>> New flow created with id 588, packet dispatched to next module
>>
>> Phase: 12
>> Type: ROUTE-LOOKUP
>> Subtype: output and adjacency
>> Result: ALLOW
>> Config:
>> Additional Information:
>> found next-hop 7.7.15.2 using egress ifc inside
>> adjacency Active
>> next-hop mac address c204.0d80.0000 hits 3420
>>
>> Result:
>> input-interface: dmz
>> input-status: up
>> input-line-status: up
>> output-interface: inside
>> output-status: up
>> output-line-status: up
>> Action: allow
>>

Blogs and organic groups at http://www.ccie.net
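The packet-tracer output quoted in this thread is where to confirm that a flow hit NAT exemption (the NAT-EXEMPT phase) rather than a translation rule, which is why nothing shows up in sh xlate. As an added example, not from this thread or from Cisco, here is a small Python parser for that output format that splits the trace into phases and reports whether a NAT-EXEMPT phase allowed the flow; it runs on a constructed, abbreviated copy of the trace above.

```python
# Constructed sample, abbreviated from the packet-tracer output quoted in the thread.
SAMPLE = """\
Phase: 8
Type: NAT-EXEMPT
Result: ALLOW
Config:
Phase: 10
Type: NAT
Result: ALLOW
Config:
nat (inside) 0 0.0.0.0 0.0.0.0
nat-control
match ip inside any dmz any
no translation group, implicit deny
Additional Information:
Result:
Action: allow
"""

def parse_packet_tracer(text):
    """Split packet-tracer output into a list of phase dicts plus the final summary dict."""
    phases, final, cur, section = [], {}, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        key, _, value = line.partition(":")
        value = value.strip()
        if key == "Phase":                    # "Phase: N" opens a new phase
            cur = {"number": int(value), "config": [], "info": []}
            phases.append(cur)
            section = None
        elif key == "Result" and not value:   # bare "Result:" opens the summary block
            cur, section = None, "final"
        elif section == "final":
            final[key] = value
        elif cur is not None and key in ("Type", "Subtype", "Result"):
            cur[key.lower()] = value
        elif key in ("Config", "Additional Information"):
            section = "config" if key == "Config" else "info"
        elif cur is not None and section:     # free-form lines belong to the open section
            cur[section].append(line)
    return phases, final

def nat_decision(phases):
    """Did a NAT-EXEMPT phase allow the flow (exempted traffic builds no xlate), and
    which NAT phases under nat-control matched no translation group?"""
    exempt = any(p.get("type") == "NAT-EXEMPT" and p.get("result") == "ALLOW" for p in phases)
    no_group = [p["number"] for p in phases if p.get("type") == "NAT"
                and any("no translation group" in c for c in p["config"])]
    return {"exempt": exempt, "no_translation_group": no_group}
```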
Received on Wed Sep 04 2013 - 15:24:08 ART