Can you show output from both, with ACL and not?
Sent from handheld.
On Sep 8, 2013, at 11:11 AM, "jeremy co" <jeremy.cool14_at_gmail.com> wrote:
> On top of that, if I do it without ACL, I can see an output from sh xlate.
> So only when I'm doing this with ACL, which makes it bidirectional, xlate
> output disappears.
>
>
> Any idea?
>
>
> On Wed, Sep 4, 2013 at 3:24 PM, jeremy co <jeremy.cool14_at_gmail.com> wrote:
>
>> Thanks, but according to this output, there is an output for xlate for nat
>> 0:
>>
>>
>> http://alexandremspmoraes.wordpress.com/2012/03/13/dealing-with-identity-nat-on-asa-pre-and-post-8-3-configuration-models/
>>
>>
>> On Wed, Sep 4, 2013 at 3:22 PM, Piotr Kaluzny <piotrk_at_ipexpert.com> wrote:
>>
>>> Hi
>>>
>>> It is all perfectly fine here - NAT Exemption essentially bypasses the
>>> NAT process meaning there won't be any translation slots for the exempted
>>> traffic in the XLATE table.
>>>
>>> Regards,
>>> --
>>> Piotr Kaluzny
>>> CCIE #25665 (Security), CCSP, CCNP
>>> Sr. Technical Instructor - IPexpert, Inc.
>>> URL: http://www.IPexpert.com
>>>
>>>
>>> On Thu, Sep 5, 2013 at 12:01 AM, jeremy co <jeremy.cool14_at_gmail.com> wrote:
>>>
>>>> Hi,
>>>>
>>>>
>>>> Can someone please verify that I am missing something or ASA 8.0 (2) simply
>>>> doesn't show xlate for this: (I can see from both pinging from dmz to inside
>>>> and packet tracer that it does NAT but there is no output in sh xlate)
>>>>
>>>> ASA4# sh int ip br
>>>> Ethernet0/2 7.7.15.10 inside
>>>> Ethernet0/3 7.7.16.10 dmz
>>>>
>>>> nat-control
>>>> nat (inside) 0 access-list noNAT-inside
>>>> access-list noNAT-inside extended permit ip host 7.7.15.2 host 7.7.16.4
>>>>
>>>> ASA4# sh xlate det
>>>> 0 in use, 2 most used
>>>>
>>>>
>>>> ASA4# packet-tracer input dmz icmp 7.7.16.4 8 0 7.7.15.2
>>>>
>>>> Phase: 1
>>>> Type: CAPTURE
>>>> Subtype:
>>>> Result: ALLOW
>>>> Config:
>>>> Additional Information:
>>>> MAC Access list
>>>>
>>>> Phase: 2
>>>> Type: ACCESS-LIST
>>>> Subtype:
>>>> Result: ALLOW
>>>> Config:
>>>> Implicit Rule
>>>> Additional Information:
>>>> MAC Access list
>>>>
>>>> Phase: 3
>>>> Type: FLOW-LOOKUP
>>>> Subtype:
>>>> Result: ALLOW
>>>> Config:
>>>> Additional Information:
>>>> Found no matching flow, creating a new flow
>>>>
>>>> Phase: 4
>>>> Type: ROUTE-LOOKUP
>>>> Subtype: input
>>>> Result: ALLOW
>>>> Config:
>>>> Additional Information:
>>>> in 7.7.15.0 255.255.255.0 inside
>>>>
>>>> Phase: 5
>>>> Type: ACCESS-LIST
>>>> Subtype: log
>>>> Result: ALLOW
>>>> Config:
>>>> access-group DMZ in interface dmz
>>>> access-list DMZ extended permit icmp host 7.7.16.4 host 7.7.15.2
>>>> Additional Information:
>>>>
>>>> Phase: 6
>>>> Type: IP-OPTIONS
>>>> Subtype:
>>>> Result: ALLOW
>>>> Config:
>>>> Additional Information:
>>>>
>>>> Phase: 7
>>>> Type: INSPECT
>>>> Subtype: np-inspect
>>>> Result: ALLOW
>>>> Config:
>>>> Additional Information:
>>>>
>>>> Phase: 8
>>>> Type: NAT-EXEMPT
>>>> Subtype: rpf-check
>>>> Result: ALLOW
>>>> Config:
>>>> Additional Information:
>>>>
>>>> Phase: 9
>>>> Type: NAT
>>>> Subtype: host-limits
>>>> Result: ALLOW
>>>> Config:
>>>> nat (dmz) 0 0.0.0.0 0.0.0.0
>>>> nat-control
>>>> match ip dmz any outside any
>>>> no translation group, implicit deny
>>>> policy_hits = 0
>>>> Additional Information:
>>>>
>>>> Phase: 10
>>>> Type: NAT
>>>> Subtype: rpf-check
>>>> Result: ALLOW
>>>> Config:
>>>> nat (inside) 0 0.0.0.0 0.0.0.0
>>>> nat-control
>>>> match ip inside any dmz any
>>>> no translation group, implicit deny
>>>> policy_hits = 1
>>>> Additional Information:
>>>>
>>>> Phase: 11
>>>> Type: FLOW-CREATION
>>>> Subtype:
>>>> Result: ALLOW
>>>> Config:
>>>> Additional Information:
>>>> New flow created with id 588, packet dispatched to next module
>>>>
>>>> Phase: 12
>>>> Type: ROUTE-LOOKUP
>>>> Subtype: output and adjacency
>>>> Result: ALLOW
>>>> Config:
>>>> Additional Information:
>>>> found next-hop 7.7.15.2 using egress ifc inside
>>>> adjacency Active
>>>> next-hop mac address c204.0d80.0000 hits 3420
>>>>
>>>> Result:
>>>> input-interface: dmz
>>>> input-status: up
>>>> input-line-status: up
>>>> output-interface: inside
>>>> output-status: up
>>>> output-line-status: up
>>>> Action: allow
>>>>
>>>>
>>>> Blogs and organic groups at http://www.ccie.net
>>>>
>>>> _______________________________________________________________________
>>>> Subscription information may be found at:
>>>> http://www.groupstudy.com/list/CCIELab.html
Received on Sun Sep 08 2013 - 16:02:21 ART
This archive was generated by hypermail 2.2.0 : Tue Oct 01 2013 - 06:36:35 ART
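
Added example, not written by any poster in the thread: a Python parser for packet-tracer output like the trace quoted above, which reports whether a NAT-EXEMPT phase was hit. Per the reply in the thread, that is the case where no slot is expected in the XLATE table. The function names and the abridged sample are assumptions made for this example.

```python
import re

# Constructed sample: phases 8 and 10 of the trace quoted in the thread, abridged.
SAMPLE = """\
Phase: 8
Type: NAT-EXEMPT
Subtype: rpf-check
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside) 0 0.0.0.0 0.0.0.0
policy_hits = 1
Additional Information:
"""

def parse_phases(text):
    """Return one dict per 'Phase:' block; Config lines are kept as a list."""
    phases, in_config = [], False
    for raw in text.splitlines():
        line = re.sub(r"^[>\s]+", "", raw).rstrip()  # tolerate mail-quoted traces
        m = re.match(r"(Phase|Type|Subtype|Result):\s*(.*)$", line)
        if m and m.group(1) == "Phase":
            phases.append({"Phase": int(m.group(2)), "Config": []})
            in_config = False
        elif not phases:
            continue  # text before the first phase
        elif m:
            # first value wins, so the trailing "Result:" summary cannot overwrite it
            phases[-1].setdefault(m.group(1), m.group(2))
        elif line == "Config:":
            in_config = True
        elif line.startswith("Additional Information:") or not line:
            in_config = False
        elif in_config:
            phases[-1]["Config"].append(line)
    return phases

def nat_summary(phases):
    """List the NAT-related phases and flag whether NAT exemption was applied."""
    nat = [(p["Phase"], p["Type"], p.get("Subtype", "")) for p in phases
           if p.get("Type", "").startswith("NAT")]
    return {"nat_phases": nat, "nat_exempt": any(t == "NAT-EXEMPT" for _, t, _ in nat)}
```
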