I have recently upgraded an ASA from version 7.0 to 7.2.2. After the upgrade a number of nat statements had been removed. This was related to icmp-specific ACLs in the nat ACLs. After resolving this, the nat statements were re-added at the end of the nat list. The problem is that the ASA seems to match nat 3 rather than nat 2 (which is now at the end of the list). I have added a deny to the access-list for the specific traffic for nat 3; however, the ASA still seems to be matching the ACL for nat 3.
I have used deny statements in nat ACLs before and haven't had a problem; however, this doesn't appear to be working.
The ACLs for the nat statements are below.
access-list nat0-inside line 1 extended deny ip 172.18.0.0 255.255.0.0 188.8.131.52 255.255.255.0
access-list nat3-inside line 1 extended deny ip 172.18.0.0 255.255.0.0 184.108.40.206 255.255.255.0
access-list nat2-inside line 1 extended permit ip 172.18.0.0 255.255.0.0 220.127.116.11 255.255.255.0
Output for the packet-tracer is below.
nat (inside) 0 access-list nat0-inside
nat (inside) 3 access-list nat3-inside
match ip inside 172.18.0.0 255.255.0.0 outside 18.104.22.168 255.255.255.0
dynamic translation to pool 3 (No matching global)
translate_hits = 0, untranslate_hits = 0
Any assistance would be appreciated!