policy nat vs. statics

Mar 11th, 2008

Hi there,

Could you give me some advice for the following issue:

nat (dmz) 13 access-list nat-dmz

global (internet) 13 194.x.x.x

access-list nat-dmz permit tcp host 10.88.x.x gt 1023 any

--> a normal policy Nat statement

and I also have a static:

static (dmz,internet) 194.x.x.x

10.88.x.x netmask

I wonder why the hit counter of the acl is increasing:

access-list nat-dmz permit tcp host 10.88.x.x gt 1023 any (hitcnt=278)

Why does the nat statement match? I thought statics match before policy NAT. Can you explain that to me, please?

abinjola (Cisco Employee) Tue, 03/11/2008 - 02:46

You're absolutely correct, policy NAT is below static in terms of order of operation:

static (1st preference)

a) static nat with and without access-list (first match)

b) static pat with and without access-list (first match)

nat (2nd preference)

a) nat access-list (first match)

However, in your case the static would only take effect if you go to interface "internet".

If your traffic is destined for any other interface (other than internet), then the access-list nat-dmz comes into play, which says

access-list nat-dmz permit tcp host 10.88.x.x gt 1023 "any"

So you see a hit count for that traffic on this ACL.
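
The lookup order abinjola describes above, as an added example that is not part of this thread and not Cisco code: a small Python model of the pre-8.3 PIX/ASA and FWSM NAT lookup (statics first, then the nat/global pair's access-list, first match in each), applied to flows built from the poster's configuration. The addresses 10.88.0.10, 194.0.2.10, 203.0.113.5 and 192.168.1.5 are placeholders standing in for the thread's 10.88.x.x and 194.x.x.x and for constructed destinations; the interface names "dmz", "internet" and "inside" are assumed; and the rule that an ACE's hit counter increments whenever the ACE matches, whether or not a global exists for the egress interface, is a modelling assumption rather than documented FWSM behaviour.

```python
# Added example (not from the thread): a model of the pre-8.3 PIX/ASA and
# FWSM NAT lookup order described in the answer above:
#   1. static (NAT/PAT, with or without an access-list), first match
#   2. nat <id> access-list (policy NAT), first match, translated through
#      the global <id> on the egress interface
# Addresses, interface names and the hit-counter rule are assumptions.
import ipaddress
from dataclasses import dataclass


@dataclass
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    in_if: str   # ingress (real-side) interface
    out_if: str  # egress (mapped-side) interface


@dataclass
class Ace:
    """One 'permit' line of a policy-NAT ACL, e.g.
    access-list nat-dmz permit tcp host 10.88.0.10 gt 1023 any"""
    proto: str
    src: str                # host/network in CIDR form
    sport_gt: int = 0       # 'gt N' on the source port; 0 = any port
    dst: str = "0.0.0.0/0"  # 'any'
    hitcnt: int = 0

    def matches(self, f: Flow) -> bool:
        return (self.proto in ("ip", f.proto)
                and ipaddress.ip_address(f.src) in ipaddress.ip_network(self.src)
                and f.sport > self.sport_gt
                and ipaddress.ip_address(f.dst) in ipaddress.ip_network(self.dst))


@dataclass
class Static:
    """static (real_if,mapped_if) mapped real netmask 255.255.255.255"""
    real_if: str
    mapped_if: str
    mapped: str
    real: str


@dataclass
class PolicyNat:
    """nat (real_if) nat_id access-list <acl>"""
    real_if: str
    nat_id: int
    acl: list


class NatTable:
    def __init__(self, statics, policy_nats, globals_):
        self.statics = statics
        self.policy_nats = policy_nats
        # 'global (out_if) nat_id mapped' stored as {(nat_id, out_if): mapped}
        self.globals_ = globals_

    def lookup(self, f: Flow):
        """Return (rule_kind, mapped_ip); (None, None) if nothing applies."""
        # 1. statics are consulted first; the interface pair must match
        for s in self.statics:
            if (s.real_if, s.mapped_if, s.real) == (f.in_if, f.out_if, f.src):
                return ("static", s.mapped)
        # 2. policy NAT: walk the ACL of each nat statement on the ingress
        #    interface.  ASSUMPTION: hitcnt is bumped on every ACE match,
        #    even when no global for this id exists on the egress interface
        #    (in which case mapped is None).
        for n in self.policy_nats:
            if n.real_if != f.in_if:
                continue
            for ace in n.acl:
                if ace.matches(f):
                    ace.hitcnt += 1
                    return ("nat", self.globals_.get((n.nat_id, f.out_if)))
        return (None, None)


def build_posters_config():
    """The configuration from the question, with placeholder addresses."""
    nat_dmz = [Ace("tcp", "10.88.0.10/32", sport_gt=1023)]
    table = NatTable(
        statics=[Static("dmz", "internet", "194.0.2.10", "10.88.0.10")],
        policy_nats=[PolicyNat("dmz", 13, nat_dmz)],
        globals_={(13, "internet"): "194.0.2.10"},
    )
    return nat_dmz, table


if __name__ == "__main__":
    acl, table = build_posters_config()
    for f in (Flow("tcp", "10.88.0.10", 40000, "203.0.113.5", 80, "dmz", "internet"),
              Flow("tcp", "10.88.0.10", 40000, "192.168.1.5", 443, "dmz", "inside")):
        print(f.out_if, table.lookup(f), "hitcnt=%d" % acl[0].hitcnt)
```

Running it shows the static claiming the flow towards "internet" with the nat-dmz counter untouched, while a flow from the same host towards any other interface skips the static (its interface pair does not match) and falls through to the ACL, which bumps hitcnt even though id 13 has no global there. That is the mechanism the answer describes; whether the poster's box really sends such traffic is what the rest of the thread tries to establish.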

gadpharns Tue, 03/11/2008 - 04:06

Thank you for the fast answer! I agree with your opinion, but I have no other interface defined in any global statement regarding nat id 13...?

abinjola (Cisco Employee) Tue, 03/11/2008 - 08:56

From the internal host y.y.y.y ping and get me the following:

cl xlate loc y.y.y.y

ping or yahoo.com and get me

sh xlate det | inc y.y.y.y

sh xlate loc y.y.y.y

I need to see which IP address this y.y.y.y is getting xlated to.

The other thing: what's the code on PIX/ASA?

gadpharns Tue, 03/11/2008 - 13:14

Hi abinjola,

Unfortunately this server is in use... when I enter "cl xlate loc y.y.y.y" all associated connections are killed?!

The current "show xlate local 10.88.x.x" shows

Global 194.x.x.x Local 10.88.x.x

Is this the xlate for the static? A similar nat configuration looks more like

PAT Global 194.x.x.x (51953) Local 10.88.x.x(63945)

It's an FWSM with Software. Thanks for your help!!

abinjola (Cisco Employee) Wed, 03/12/2008 - 02:00

Can you get a scheduled downtime of 5 min. to run our tests?

Change the public IP in the static or in the NAT ACL and initiate the traffic, then collect the above output.

Could be a bug; can't say at this point unless I get the output.
