Maybe I've had too much wine, but you have written a NAT exempt, policy-NAT. Why would you expect to see it in the xlate table when you have it exempt?
Excuse me if I've overlooked something. If you want it to appear in the xlate table, use:
global (dmz) 1 interface
nat (inside) 1 access-list noNAT-inside
I hope that helps shed some light. ;)
Regards,
Jay McMickle- 2x CCIE #35355 (R/S,Sec)
Sent from my iPhone 5
On Sep 4, 2013, at 5:01 PM, jeremy co <jeremy.cool14_at_gmail.com> wrote:
> Hi,
>
>
> Can someone please verify that I'm missing something or ASA 8.0 (2) simply
> doesn't show xlate for this: (I can see from both pinging from dmz to inside
> and packet tracer that it does NAT but there is no output in sh xlate)
>
> ASA4# sh int ip br
> Ethernet0/2 7.7.15.10 inside
> Ethernet0/3 7.7.16.10 dmz
>
> nat-control
> nat (inside) 0 access-list noNAT-inside
> access-list noNAT-inside extended permit ip host 7.7.15.2 host 7.7.16.4
>
> ASA4# sh xlate det
> 0 in use, 2 most used
>
>
> ASA4# packet-tracer input dmz icmp 7.7.16.4 8 0 7.7.15.2
>
> Phase: 1
> Type: CAPTURE
> Subtype:
> Result: ALLOW
> Config:
> Additional Information:
> MAC Access list
>
> Phase: 2
> Type: ACCESS-LIST
> Subtype:
> Result: ALLOW
> Config:
> Implicit Rule
> Additional Information:
> MAC Access list
>
> Phase: 3
> Type: FLOW-LOOKUP
> Subtype:
> Result: ALLOW
> Config:
> Additional Information:
> Found no matching flow, creating a new flow
>
> Phase: 4
> Type: ROUTE-LOOKUP
> Subtype: input
> Result: ALLOW
> Config:
> Additional Information:
> in 7.7.15.0 255.255.255.0 inside
>
> Phase: 5
> Type: ACCESS-LIST
> Subtype: log
> Result: ALLOW
> Config:
> access-group DMZ in interface dmz
> access-list DMZ extended permit icmp host 7.7.16.4 host 7.7.15.2
> Additional Information:
>
> Phase: 6
> Type: IP-OPTIONS
> Subtype:
> Result: ALLOW
> Config:
> Additional Information:
>
> Phase: 7
> Type: INSPECT
> Subtype: np-inspect
> Result: ALLOW
> Config:
> Additional Information:
>
> Phase: 8
> Type: NAT-EXEMPT
> Subtype: rpf-check
> Result: ALLOW
> Config:
> Additional Information:
>
> Phase: 9
> Type: NAT
> Subtype: host-limits
> Result: ALLOW
> Config:
> nat (dmz) 0 0.0.0.0 0.0.0.0
> nat-control
> match ip dmz any outside any
> no translation group, implicit deny
> policy_hits = 0
> Additional Information:
>
> Phase: 10
> Type: NAT
> Subtype: rpf-check
> Result: ALLOW
> Config:
> nat (inside) 0 0.0.0.0 0.0.0.0
> nat-control
> match ip inside any dmz any
> no translation group, implicit deny
> policy_hits = 1
> Additional Information:
>
> Phase: 11
> Type: FLOW-CREATION
> Subtype:
> Result: ALLOW
> Config:
> Additional Information:
> New flow created with id 588, packet dispatched to next module
>
> Phase: 12
> Type: ROUTE-LOOKUP
> Subtype: output and adjacency
> Result: ALLOW
> Config:
> Additional Information:
> found next-hop 7.7.15.2 using egress ifc inside
> adjacency Active
> next-hop mac address c204.0d80.0000 hits 3420
>
> Result:
> input-interface: dmz
> input-status: up
> input-line-status: up
> output-interface: inside
> output-status: up
> output-line-status: up
> Action: allow
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
Received on Wed Sep 04 2013 - 20:27:37 ART
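
The distinction drawn in the reply, as an added example that is not part of the original thread: a small Python check that classifies ACL-based nat statements in a pre-8.3 ASA configuration as NAT exemption (id 0, no xlate entry expected) or policy NAT (non-zero id paired with a matching global, xlate entry expected once traffic matches). The function name and both sample configs are constructed from the lines quoted in the thread.

```python
import re

# Constructed samples: the poster's config, and the variant suggested in the reply.
ORIGINAL_CONFIG = """\
nat-control
nat (inside) 0 access-list noNAT-inside
access-list noNAT-inside extended permit ip host 7.7.15.2 host 7.7.16.4
"""
SUGGESTED_CONFIG = """\
nat-control
global (dmz) 1 interface
nat (inside) 1 access-list noNAT-inside
access-list noNAT-inside extended permit ip host 7.7.15.2 host 7.7.16.4
"""

NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) access-list (\S+)")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (.+)$")


def classify_acl_nat(config):
    """Classify each 'nat (if) <id> access-list <acl>' statement (hypothetical helper)."""
    lines = [ln.strip() for ln in config.splitlines()]
    pools = {}  # NAT id -> [(egress interface, mapped address or pool)]
    for ln in lines:
        m = GLOBAL_RE.match(ln)
        if m:
            pools.setdefault(int(m.group(2)), []).append((m.group(1), m.group(3)))
    findings = []
    for ln in lines:
        m = NAT_RE.match(ln)
        if not m:
            continue
        ifc, nat_id, acl = m.group(1), int(m.group(2)), m.group(3)
        if nat_id == 0:
            kind, xlate = "nat-exempt", False       # bypasses translation entirely
        elif nat_id in pools:
            kind, xlate = "policy-nat", True        # translated via the matching global
        else:
            kind, xlate = "policy-nat-no-global", False  # no global to translate to
        findings.append({"line": ln, "interface": ifc, "id": nat_id, "acl": acl,
                         "kind": kind, "expect_xlate": xlate,
                         "globals": pools.get(nat_id, [])})
    return findings


if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL_CONFIG), ("suggested", SUGGESTED_CONFIG)):
        for f in classify_acl_nat(cfg):
            print(f"{name:10} {f['line']:42} {f['kind']:12} xlate: {f['expect_xlate']}")
```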