When you do NAT 0 without an ACL, this is called NAT Identity, and you
actually do the translation. You just translate the packet to itself,
keeping the original fields.
With NAT Exemption you are bypassing the NAT process, meaning the packet
will not create an XLATE slot.
Regards,
--
Piotr Kaluzny
CCIE #25665 (Security), CCSP, CCNP
Sr. Technical Instructor - IPexpert, Inc.
URL: http://www.IPexpert.com

On Thu, Sep 5, 2013 at 12:25 AM, jeremy co <jeremy.cool14_at_gmail.com> wrote:
> On top of that, if I do it without an ACL, I can see output from sh xlate.
> So only when I'm doing this with an ACL, which makes it bidirectional, does
> the xlate output disappear.
>
> Any idea?
>
> On Wed, Sep 4, 2013 at 3:24 PM, jeremy co <jeremy.cool14_at_gmail.com> wrote:
>
>> Thanks, but according to this output, there is output for xlate for nat 0:
>>
>> http://alexandremspmoraes.wordpress.com/2012/03/13/dealing-with-identity-nat-on-asa-pre-and-post-8-3-configuration-models/
>>
>> On Wed, Sep 4, 2013 at 3:22 PM, Piotr Kaluzny <piotrk_at_ipexpert.com> wrote:
>>
>>> Hi
>>>
>>> It is all perfectly fine here - NAT Exemption essentially bypasses the
>>> NAT process, meaning there won't be any translation slots for the exempted
>>> traffic in the XLATE table.
>>>
>>> Regards,
>>> --
>>> Piotr Kaluzny
>>> CCIE #25665 (Security), CCSP, CCNP
>>> Sr. Technical Instructor - IPexpert, Inc.
>>> URL: http://www.IPexpert.com
>>>
>>> On Thu, Sep 5, 2013 at 12:01 AM, jeremy co <jeremy.cool14_at_gmail.com> wrote:
>>>
>>>> Hi,
>>>>
>>>> Can someone please verify whether I'm missing something or ASA 8.0(2) simply
>>>> doesn't show xlate for this: (I can see from both pinging from dmz to
>>>> inside and packet-tracer that it does NAT, but there is no output in sh xlate)
>>>>
>>>> ASA4# sh int ip br
>>>> Ethernet0/2 7.7.15.10 inside
>>>> Ethernet0/3 7.7.16.10 dmz
>>>>
>>>> nat-control
>>>> nat (inside) 0 access-list noNAT-inside
>>>> access-list noNAT-inside extended permit ip host 7.7.15.2 host 7.7.16.4
>>>>
>>>> ASA4# sh xlate det
>>>> 0 in use, 2 most used
>>>>
>>>> ASA4# packet-tracer input dmz icmp 7.7.16.4 8 0 7.7.15.2
>>>>
>>>> Phase: 1
>>>> Type: CAPTURE
>>>> Subtype:
>>>> Result: ALLOW
>>>> Config:
>>>> Additional Information:
>>>> MAC Access list
>>>>
>>>> Phase: 2
>>>> Type: ACCESS-LIST
>>>> Subtype:
>>>> Result: ALLOW
>>>> Config:
>>>> Implicit Rule
>>>> Additional Information:
>>>> MAC Access list
>>>>
>>>> Phase: 3
>>>> Type: FLOW-LOOKUP
>>>> Subtype:
>>>> Result: ALLOW
>>>> Config:
>>>> Additional Information:
>>>> Found no matching flow, creating a new flow
>>>>
>>>> Phase: 4
>>>> Type: ROUTE-LOOKUP
>>>> Subtype: input
>>>> Result: ALLOW
>>>> Config:
>>>> Additional Information:
>>>> in 7.7.15.0 255.255.255.0 inside
>>>>
>>>> Phase: 5
>>>> Type: ACCESS-LIST
>>>> Subtype: log
>>>> Result: ALLOW
>>>> Config:
>>>> access-group DMZ in interface dmz
>>>> access-list DMZ extended permit icmp host 7.7.16.4 host 7.7.15.2
>>>> Additional Information:
>>>>
>>>> Phase: 6
>>>> Type: IP-OPTIONS
>>>> Subtype:
>>>> Result: ALLOW
>>>> Config:
>>>> Additional Information:
>>>>
>>>> Phase: 7
>>>> Type: INSPECT
>>>> Subtype: np-inspect
>>>> Result: ALLOW
>>>> Config:
>>>> Additional Information:
>>>>
>>>> Phase: 8
>>>> Type: NAT-EXEMPT
>>>> Subtype: rpf-check
>>>> Result: ALLOW
>>>> Config:
>>>> Additional Information:
>>>>
>>>> Phase: 9
>>>> Type: NAT
>>>> Subtype: host-limits
>>>> Result: ALLOW
>>>> Config:
>>>> nat (dmz) 0 0.0.0.0 0.0.0.0
>>>> nat-control
>>>> match ip dmz any outside any
>>>> no translation group, implicit deny
>>>> policy_hits = 0
>>>> Additional Information:
>>>>
>>>> Phase: 10
>>>> Type: NAT
>>>> Subtype: rpf-check
>>>> Result: ALLOW
>>>> Config:
>>>> nat (inside) 0 0.0.0.0 0.0.0.0
>>>> nat-control
>>>> match ip inside any dmz any
>>>> no translation group, implicit deny
>>>> policy_hits = 1
>>>> Additional Information:
>>>>
>>>> Phase: 11
>>>> Type: FLOW-CREATION
>>>> Subtype:
>>>> Result: ALLOW
>>>> Config:
>>>> Additional Information:
>>>> New flow created with id 588, packet dispatched to next module
>>>>
>>>> Phase: 12
>>>> Type: ROUTE-LOOKUP
>>>> Subtype: output and adjacency
>>>> Result: ALLOW
>>>> Config:
>>>> Additional Information:
>>>> found next-hop 7.7.15.2 using egress ifc inside
>>>> adjacency Active
>>>> next-hop mac address c204.0d80.0000 hits 3420
>>>>
>>>> Result:
>>>> input-interface: dmz
>>>> input-status: up
>>>> input-line-status: up
>>>> output-interface: inside
>>>> output-status: up
>>>> output-line-status: up
>>>> Action: allow
>>>>
>>>> Blogs and organic groups at http://www.ccie.net
>>>>
>>>> _______________________________________________________________________
>>>> Subscription information may be found at:
>>>> http://www.groupstudy.com/list/CCIELab.html

Received on Thu Sep 05 2013 - 00:26:48 ART
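For reference, the two pre-8.3 NAT 0 forms the thread contrasts, written out side by side. This is an added configuration example, not a config posted by anyone in the thread; it reuses the thread's own hosts (7.7.15.2 on inside, 7.7.16.4 on dmz) and adds the verification commands a practitioner would run to confirm which form is in effect.

```cisco
! Added example (not from the thread). Pre-8.3 ASA syntax, as in the
! original poster's ASA 8.0(2). Lines beginning with "!" are comments.
!
! --- Form 1: NAT Exemption (nat 0 WITH an access-list) ---
! Exempted traffic bypasses the NAT engine entirely, so no xlate slot is
! ever built for it; "show xlate" stays empty for these hosts, and
! packet-tracer reports a NAT-EXEMPT phase rather than a translation.
! The ACL makes the exemption bidirectional: dmz-initiated traffic to
! 7.7.15.2 is exempted as well.
access-list noNAT-inside extended permit ip host 7.7.15.2 host 7.7.16.4
nat (inside) 0 access-list noNAT-inside
!
! --- Form 2: Identity NAT (nat 0 WITHOUT an access-list) ---
! The packet is translated to itself (source address unchanged), so the
! NAT engine does build an xlate entry, which is why "show xlate" shows
! output in this case. Like other dynamic nat statements it only covers
! connections initiated from the inside (higher-security) interface.
nat (inside) 0 7.7.15.2 255.255.255.255
!
! --- Verification (run on the ASA after applying ONE of the forms) ---
! show xlate detail
!   Form 1: no entry for 7.7.15.2 (not translated at all)
!   Form 2: an identity entry for 7.7.15.2 appears once traffic flows
! packet-tracer input inside icmp 7.7.15.2 8 0 7.7.16.4
!   Form 1: a "Type: NAT-EXEMPT" phase is listed
!   Form 2: a "Type: NAT" phase shows the matching nat (inside) 0 rule
```

Only one of the two forms should be configured for the same hosts; if both exist, the exemption (nat 0 with ACL) is evaluated first in the pre-8.3 NAT order, so the identity rule never matches that traffic.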
This archive was generated by hypermail 2.2.0 : Tue Oct 01 2013 - 06:36:35 ART