Thanks, that's clear now. I thought both were called NAT Identity.
On Wed, Sep 4, 2013 at 3:26 PM, Piotr Kaluzny <piotrk_at_ipexpert.com> wrote:
> When you do NAT 0 without an ACL, this is called NAT Identity when you
> actually do the translation. You just translate the packet to itself,
> keeping the original fields.
>
> With NAT Exemption you are bypassing the NAT process meaning the packet
> will not create an XLATE slot.
>
> Regards,
> --
> Piotr Kaluzny
> CCIE #25665 (Security), CCSP, CCNP
> Sr. Technical Instructor - IPexpert, Inc.
> URL: http://www.IPexpert.com
>
>
> On Thu, Sep 5, 2013 at 12:25 AM, jeremy co <jeremy.cool14_at_gmail.com> wrote:
>
>> On top of that, if I do it without an ACL, I can see output from sh xlate.
>> So only when I'm doing this with an ACL, which makes it bidirectional, does
>> the xlate output disappear.
>>
>>
>> any idea ?
>>
>>
>> On Wed, Sep 4, 2013 at 3:24 PM, jeremy co <jeremy.cool14_at_gmail.com> wrote:
>>
>>> Thanks, but according to this output, there is an xlate output for
>>> nat 0:
>>>
>>>
>>> http://alexandremspmoraes.wordpress.com/2012/03/13/dealing-with-identity-nat-on-asa-pre-and-post-8-3-configuration-models/
>>>
>>>
>>> On Wed, Sep 4, 2013 at 3:22 PM, Piotr Kaluzny <piotrk_at_ipexpert.com> wrote:
>>>
>>>> Hi
>>>>
>>>> It is all perfectly fine here - NAT Exemption essentially bypasses the
>>>> NAT process meaning there won't be any translation slots for the exempted
>>>> traffic in the XLATE table.
>>>>
>>>> Regards,
>>>> --
>>>> Piotr Kaluzny
>>>> CCIE #25665 (Security), CCSP, CCNP
>>>> Sr. Technical Instructor - IPexpert, Inc.
>>>> URL: http://www.IPexpert.com
>>>>
>>>>
>>>> On Thu, Sep 5, 2013 at 12:01 AM, jeremy co <jeremy.cool14_at_gmail.com> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>>
>>>>> Can someone please verify whether I'm missing something or ASA 8.0(2)
>>>>> simply doesn't show xlate for this: (I can see from both pinging from dmz
>>>>> to inside and packet-tracer that it does NAT, but there is no output in
>>>>> sh xlate)
>>>>>
>>>>> ASA4# sh int ip br
>>>>> Ethernet0/2 7.7.15.10 inside
>>>>> Ethernet0/3 7.7.16.10 dmz
>>>>>
>>>>> nat-control
>>>>> nat (inside) 0 access-list noNAT-inside
>>>>> access-list noNAT-inside extended permit ip host 7.7.15.2 host 7.7.16.4
>>>>>
>>>>> ASA4# sh xlate det
>>>>> 0 in use, 2 most used
>>>>>
>>>>>
>>>>> ASA4# packet-tracer input dmz icmp 7.7.16.4 8 0 7.7.15.2
>>>>>
>>>>> Phase: 1
>>>>> Type: CAPTURE
>>>>> Subtype:
>>>>> Result: ALLOW
>>>>> Config:
>>>>> Additional Information:
>>>>> MAC Access list
>>>>>
>>>>> Phase: 2
>>>>> Type: ACCESS-LIST
>>>>> Subtype:
>>>>> Result: ALLOW
>>>>> Config:
>>>>> Implicit Rule
>>>>> Additional Information:
>>>>> MAC Access list
>>>>>
>>>>> Phase: 3
>>>>> Type: FLOW-LOOKUP
>>>>> Subtype:
>>>>> Result: ALLOW
>>>>> Config:
>>>>> Additional Information:
>>>>> Found no matching flow, creating a new flow
>>>>>
>>>>> Phase: 4
>>>>> Type: ROUTE-LOOKUP
>>>>> Subtype: input
>>>>> Result: ALLOW
>>>>> Config:
>>>>> Additional Information:
>>>>> in 7.7.15.0 255.255.255.0 inside
>>>>>
>>>>> Phase: 5
>>>>> Type: ACCESS-LIST
>>>>> Subtype: log
>>>>> Result: ALLOW
>>>>> Config:
>>>>> access-group DMZ in interface dmz
>>>>> access-list DMZ extended permit icmp host 7.7.16.4 host 7.7.15.2
>>>>> Additional Information:
>>>>>
>>>>> Phase: 6
>>>>> Type: IP-OPTIONS
>>>>> Subtype:
>>>>> Result: ALLOW
>>>>> Config:
>>>>> Additional Information:
>>>>>
>>>>> Phase: 7
>>>>> Type: INSPECT
>>>>> Subtype: np-inspect
>>>>> Result: ALLOW
>>>>> Config:
>>>>> Additional Information:
>>>>>
>>>>> Phase: 8
>>>>> Type: NAT-EXEMPT
>>>>> Subtype: rpf-check
>>>>> Result: ALLOW
>>>>> Config:
>>>>> Additional Information:
>>>>>
>>>>> Phase: 9
>>>>> Type: NAT
>>>>> Subtype: host-limits
>>>>> Result: ALLOW
>>>>> Config:
>>>>> nat (dmz) 0 0.0.0.0 0.0.0.0
>>>>> nat-control
>>>>> match ip dmz any outside any
>>>>> no translation group, implicit deny
>>>>> policy_hits = 0
>>>>> Additional Information:
>>>>>
>>>>> Phase: 10
>>>>> Type: NAT
>>>>> Subtype: rpf-check
>>>>> Result: ALLOW
>>>>> Config:
>>>>> nat (inside) 0 0.0.0.0 0.0.0.0
>>>>> nat-control
>>>>> match ip inside any dmz any
>>>>> no translation group, implicit deny
>>>>> policy_hits = 1
>>>>> Additional Information:
>>>>>
>>>>> Phase: 11
>>>>> Type: FLOW-CREATION
>>>>> Subtype:
>>>>> Result: ALLOW
>>>>> Config:
>>>>> Additional Information:
>>>>> New flow created with id 588, packet dispatched to next module
>>>>>
>>>>> Phase: 12
>>>>> Type: ROUTE-LOOKUP
>>>>> Subtype: output and adjacency
>>>>> Result: ALLOW
>>>>> Config:
>>>>> Additional Information:
>>>>> found next-hop 7.7.15.2 using egress ifc inside
>>>>> adjacency Active
>>>>> next-hop mac address c204.0d80.0000 hits 3420
>>>>>
>>>>> Result:
>>>>> input-interface: dmz
>>>>> input-status: up
>>>>> input-line-status: up
>>>>> output-interface: inside
>>>>> output-status: up
>>>>> output-line-status: up
>>>>> Action: allow
>>>>>
>>>>>
Blogs and organic groups at http://www.ccie.net
Received on Wed Sep 04 2013 - 15:30:29 ART
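As an added example that is not part of this thread, here is a small Python parser for the ASA packet-tracer output format quoted above, plus a check that applies Piotr's explanation: a flow that passes a NAT-EXEMPT phase bypasses translation and leaves nothing in the XLATE table, while identity or real NAT goes through a NAT phase with a matching rule and does build a slot. The trace excerpt is constructed, and the `expect_xlate_slot` rule is an assumption derived from the thread, not ASA's own logic.

```python
from typing import Dict, List

# Constructed excerpt in the format of the ASA 8.0 packet-tracer output quoted above.
EXEMPT_TRACE = """\
Phase: 8
Type: NAT-EXEMPT
Result: ALLOW

Phase: 9
Type: NAT
Result: ALLOW
Config:
nat (dmz) 0 0.0.0.0 0.0.0.0
no translation group, implicit deny
Additional Information:

Result:
"""

def parse_phases(text: str) -> List[Dict]:
    # One dict per 'Phase:' block; Config and Additional Information lines are kept.
    phases, cur, section = [], None, None
    for line in text.splitlines():
        if line.startswith("Phase:"):
            cur = {"phase": int(line.split(":", 1)[1]), "type": "", "subtype": "",
                   "result": "", "config": [], "info": []}
            phases.append(cur)
            section = None
        elif cur is None:
            continue
        elif line.startswith("Result:") and not line[7:].strip():
            cur = None  # a bare 'Result:' opens the final summary, not a phase
        elif line.startswith(("Type:", "Subtype:", "Result:")):
            key, val = line.split(":", 1)
            cur[key.lower()] = val.strip()
        elif line.startswith("Config:"):
            section = "config"
        elif line.startswith("Additional Information:"):
            section = "info"
        elif line.strip() and section:
            cur[section].append(line.strip())
    return phases

def expect_xlate_slot(phases: List[Dict]) -> bool:
    """Assumed rule from the thread: NAT exemption bypasses NAT (no xlate slot);
    a NAT phase with a matching translation rule does create one."""
    if any(p["type"] == "NAT-EXEMPT" and p["result"] == "ALLOW" for p in phases):
        return False
    return any(p["type"] == "NAT" and p["result"] == "ALLOW"
               and not any("no translation group" in c for c in p["config"])
               for p in phases)
```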