On top of that, if I do it without the ACL, I can see output from sh xlate.
So only when I'm doing this with the ACL, which makes it bidirectional, the xlate
output disappears.
Any idea?
On Wed, Sep 4, 2013 at 3:24 PM, jeremy co <jeremy.cool14_at_gmail.com> wrote:
> Thanks, but according to this output, there is an output for xlate for nat
> 0:
>
>
> http://alexandremspmoraes.wordpress.com/2012/03/13/dealing-with-identity-nat-on-asa-pre-and-post-8-3-configuration-models/
>
>
> On Wed, Sep 4, 2013 at 3:22 PM, Piotr Kaluzny <piotrk_at_ipexpert.com> wrote:
>
>> Hi
>>
>> It is all perfectly fine here - NAT Exemption essentially bypasses the
>> NAT process meaning there won't be any translation slots for the exempted
>> traffic in the XLATE table.
>>
>> Regards,
>> --
>> Piotr Kaluzny
>> CCIE #25665 (Security), CCSP, CCNP
>> Sr. Technical Instructor - IPexpert, Inc.
>> URL: http://www.IPexpert.com
>>
>>
>> On Thu, Sep 5, 2013 at 12:01 AM, jeremy co <jeremy.cool14_at_gmail.com> wrote:
>>
>>> Hi,
>>>
>>>
>>> Can someone please verify that I am missing something or ASA 8.0 (2) simply
>>> doesn't show xlate for this: (I can see from both pinging from dmz to inside
>>> and packet tracer that it does NAT but there is no output in sh xlate)
>>>
>>> ASA4# sh int ip br
>>> Ethernet0/2 7.7.15.10 inside
>>> Ethernet0/3 7.7.16.10 dmz
>>>
>>> nat-control
>>> nat (inside) 0 access-list noNAT-inside
>>> access-list noNAT-inside extended permit ip host 7.7.15.2 host 7.7.16.4
>>>
>>> ASA4# sh xlate det
>>> 0 in use, 2 most used
>>>
>>>
>>> ASA4# packet-tracer input dmz icmp 7.7.16.4 8 0 7.7.15.2
>>>
>>> Phase: 1
>>> Type: CAPTURE
>>> Subtype:
>>> Result: ALLOW
>>> Config:
>>> Additional Information:
>>> MAC Access list
>>>
>>> Phase: 2
>>> Type: ACCESS-LIST
>>> Subtype:
>>> Result: ALLOW
>>> Config:
>>> Implicit Rule
>>> Additional Information:
>>> MAC Access list
>>>
>>> Phase: 3
>>> Type: FLOW-LOOKUP
>>> Subtype:
>>> Result: ALLOW
>>> Config:
>>> Additional Information:
>>> Found no matching flow, creating a new flow
>>>
>>> Phase: 4
>>> Type: ROUTE-LOOKUP
>>> Subtype: input
>>> Result: ALLOW
>>> Config:
>>> Additional Information:
>>> in 7.7.15.0 255.255.255.0 inside
>>>
>>> Phase: 5
>>> Type: ACCESS-LIST
>>> Subtype: log
>>> Result: ALLOW
>>> Config:
>>> access-group DMZ in interface dmz
>>> access-list DMZ extended permit icmp host 7.7.16.4 host 7.7.15.2
>>> Additional Information:
>>>
>>> Phase: 6
>>> Type: IP-OPTIONS
>>> Subtype:
>>> Result: ALLOW
>>> Config:
>>> Additional Information:
>>>
>>> Phase: 7
>>> Type: INSPECT
>>> Subtype: np-inspect
>>> Result: ALLOW
>>> Config:
>>> Additional Information:
>>>
>>> Phase: 8
>>> Type: NAT-EXEMPT
>>> Subtype: rpf-check
>>> Result: ALLOW
>>> Config:
>>> Additional Information:
>>>
>>> Phase: 9
>>> Type: NAT
>>> Subtype: host-limits
>>> Result: ALLOW
>>> Config:
>>> nat (dmz) 0 0.0.0.0 0.0.0.0
>>> nat-control
>>> match ip dmz any outside any
>>> no translation group, implicit deny
>>> policy_hits = 0
>>> Additional Information:
>>>
>>> Phase: 10
>>> Type: NAT
>>> Subtype: rpf-check
>>> Result: ALLOW
>>> Config:
>>> nat (inside) 0 0.0.0.0 0.0.0.0
>>> nat-control
>>> match ip inside any dmz any
>>> no translation group, implicit deny
>>> policy_hits = 1
>>> Additional Information:
>>>
>>> Phase: 11
>>> Type: FLOW-CREATION
>>> Subtype:
>>> Result: ALLOW
>>> Config:
>>> Additional Information:
>>> New flow created with id 588, packet dispatched to next module
>>>
>>> Phase: 12
>>> Type: ROUTE-LOOKUP
>>> Subtype: output and adjacency
>>> Result: ALLOW
>>> Config:
>>> Additional Information:
>>> found next-hop 7.7.15.2 using egress ifc inside
>>> adjacency Active
>>> next-hop mac address c204.0d80.0000 hits 3420
>>>
>>> Result:
>>> input-interface: dmz
>>> input-status: up
>>> input-line-status: up
>>> output-interface: inside
>>> output-status: up
>>> output-line-status: up
>>> Action: allow
>>>
>>>
>>> Blogs and organic groups at http://www.ccie.net
>>>
>>> _______________________________________________________________________
>>> Subscription information may be found at:
>>> http://www.groupstudy.com/list/CCIELab.html
Received on Wed Sep 04 2013 - 15:25:45 ART
This archive was generated by hypermail 2.2.0 : Tue Oct 01 2013 - 06:36:35 ART
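
Added example (not part of the original thread and not Cisco tooling): a small Python parser for the packet-tracer output quoted above that lists each phase and reports whether the flow hit an allowed NAT-EXEMPT phase, the case in which, per the reply in the thread, no slot appears in the xlate table. The sample text is constructed from the quoted output with the quote markers removed, and the function names are hypothetical.

```python
import re

# Constructed sample: a shortened copy of the packet-tracer output quoted in
# the thread, with the ">>>" quote markers removed.
SAMPLE = """\
Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: NAT-EXEMPT
Subtype: rpf-check
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside) 0 0.0.0.0 0.0.0.0
policy_hits = 1
Additional Information:

Result:
input-interface: dmz
output-interface: inside
Action: allow
"""

def parse_phases(text):
    """Return one dict per 'Phase: N' block with its Type, Subtype and Result."""
    phases = []
    for block in re.split(r"(?m)^Phase:\s*", text)[1:]:
        fields = {}
        for key, value in re.findall(r"(?m)^(Type|Subtype|Result):[ \t]*(.*)$", block):
            # First hit wins, so the trailing "Result:" summary is ignored.
            fields.setdefault(key, value.strip())
        phases.append({"Phase": int(block.split()[0]), **fields})
    return phases

def nat_exempt_hit(phases):
    """True when the trace contains a NAT-EXEMPT phase whose result is ALLOW."""
    return any(p["Type"] == "NAT-EXEMPT" and p["Result"] == "ALLOW" for p in phases)
```

When nat_exempt_hit() returns True for a trace, an empty `sh xlate` for that flow matches the behaviour described in the reply rather than indicating a fault.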