policy nat vs. statics

Mar 11th, 2008

Hi there,

Could you give me some advice on the following issue:


nat (dmz) 13 access-list nat-dmz
global (internet) 13 194.x.x.x
access-list nat-dmz permit tcp host 10.88.x.x gt 1023 any

--> a normal policy NAT statement


and I also have a static:

static (dmz,internet) 194.x.x.x 10.88.x.x netmask 255.255.255.255


I wonder why the hit counter of the ACL is increasing:

access-list nat-dmz permit tcp host 10.88.x.x gt 1023 any (hitcnt=278)

Why does the nat statement match?! I thought statics matched before policy NAT. Can you explain that to me, please?

abinjola (Cisco Employee) Tue, 03/11/2008 - 02:46

You're absolutely correct: policy NAT is below static in the order of operation.

static (1st preference)
a) static NAT with and without access-list (first match)
b) static PAT with and without access-list (first match)

nat (2nd preference)
a) nat access-list (first match)

However, in your case the static would only take effect if you go to interface "internet".

If your traffic is destined for any other interface (other than internet), then the access-list nat-dmz comes into play, which says

access-list nat-dmz permit tcp host 10.88.x.x gt 1023 "any"

So you see a hit count for that traffic on this ACL.
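
As an added illustration (not part of the thread and not Cisco code), the following Python model applies the order of operation given in the reply above to the poster's configuration: statics are tried first, and only when no static applies to the (ingress, egress) interface pair is the nat access-list evaluated. The addresses 10.88.0.10, 203.0.113.10 and 198.51.100.7 are constructed stand-ins for the redacted 10.88.x.x / 194.x.x.x and for a destination, and the interface name "inside" is assumed. The model also assumes that the policy NAT ACL is evaluated, and its hitcnt incremented, before the global lookup, so a flow towards an interface that has no global for nat id 13 still registers a hit on access-list nat-dmz even though no translation results; that assumption is what makes the counter rise in the scenario described.

```python
# Added example, not Cisco code: toy model of the PIX/FWSM NAT order of
# operation (static first, then nat/global policy NAT). Addresses are stand-ins.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

@dataclass
class Flow:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

@dataclass
class Ace:
    """One ACE, e.g. 'permit tcp host 10.88.0.10 gt 1023 any'."""
    proto: str
    src: str                # source in CIDR form ('host X' -> X/32)
    src_port_gt: int = 0    # 'gt N' on the source port; 0 means any port
    dst: str = "0.0.0.0/0"  # 'any'
    hitcnt: int = 0         # bumped on every match, like the device's hitcnt

    def matches(self, f: Flow) -> bool:
        hit = (f.proto == self.proto
               and ip_address(f.src_ip) in ip_network(self.src)
               and f.src_port > self.src_port_gt
               and ip_address(f.dst_ip) in ip_network(self.dst))
        if hit:
            self.hitcnt += 1
        return hit

@dataclass
class Static:   # static (real_if,mapped_if) mapped_ip real_ip netmask 255.255.255.255
    real_if: str
    mapped_if: str
    mapped_ip: str
    real_ip: str
    acl: Optional[List[Ace]] = None   # set only for a policy static

@dataclass
class Nat:      # nat (real_if) nat_id access-list <acl>
    real_if: str
    nat_id: int
    acl: List[Ace]

@dataclass
class Global:   # global (mapped_if) nat_id mapped_ip  (single address, so PAT)
    mapped_if: str
    nat_id: int
    mapped_ip: str

class NatEngine:
    def __init__(self, statics, nats, globals_):
        self.statics, self.nats, self.globals = statics, nats, globals_
        self._next_pat_port = 1024   # toy PAT port allocator

    def translate(self, ingress_if: str, egress_if: str, f: Flow) -> Tuple[str, Optional[str]]:
        """Return (how, xlate line) for f entering ingress_if and leaving via egress_if."""
        # 1st preference: static NAT/PAT, with or without access-list (first match).
        for s in self.statics:
            if (s.real_if, s.mapped_if) != (ingress_if, egress_if) or f.src_ip != s.real_ip:
                continue
            if s.acl is None or any(a.matches(f) for a in s.acl):
                return "static", f"Global {s.mapped_ip} Local {s.real_ip}"
        # 2nd preference: nat access-list (first match). Model assumption: the ACL is
        # evaluated (counter bumped) before the global lookup, so a match towards an
        # interface that has no global for this nat id still shows up as a hit.
        for n in self.nats:
            if n.real_if != ingress_if or not any(a.matches(f) for a in n.acl):
                continue
            g = next((g for g in self.globals
                      if g.nat_id == n.nat_id and g.mapped_if == egress_if), None)
            if g is None:
                return "no-global", None   # no translation group for egress_if
            port, self._next_pat_port = self._next_pat_port, self._next_pat_port + 1
            return "pat", f"PAT Global {g.mapped_ip}({port}) Local {f.src_ip}({f.src_port})"
        return "none", None

def poster_config() -> Tuple[NatEngine, Ace]:
    """The question's static plus policy NAT, with stand-in addresses."""
    ace = Ace(proto="tcp", src="10.88.0.10/32", src_port_gt=1023)
    engine = NatEngine(statics=[Static("dmz", "internet", "203.0.113.10", "10.88.0.10")],
                       nats=[Nat("dmz", 13, [ace])],
                       globals_=[Global("internet", 13, "203.0.113.10")])
    return engine, ace

def demo() -> dict:
    engine, ace = poster_config()
    f = Flow("tcp", "10.88.0.10", 63945, "198.51.100.7", 80)   # constructed flow
    to_internet = engine.translate("dmz", "internet", f)        # static wins, ACL untouched
    hits_after_internet = ace.hitcnt
    to_inside = engine.translate("dmz", "inside", f)            # static does not apply here
    # Same flow with the static removed: policy NAT wins and produces a PAT xlate.
    ace2 = Ace(proto="tcp", src="10.88.0.10/32", src_port_gt=1023)
    no_static = NatEngine([], [Nat("dmz", 13, [ace2])], [Global("internet", 13, "203.0.113.10")])
    return {"to_internet": to_internet, "hits_after_internet": hits_after_internet,
            "to_inside": to_inside, "hits_after_inside": ace.hitcnt,
            "without_static": no_static.translate("dmz", "internet", f)}
```

Running demo() shows the two outcomes side by side: towards "internet" the static answers first and the ACL counter stays at zero, producing the one-to-one "Global ... Local ..." xlate the poster later quotes; towards any other interface the static does not apply, the ACL matches and counts a hit, and the lookup then fails for lack of a global on that interface. The third result shows the "PAT Global ...(port) Local ...(port)" form that policy NAT would produce if the static were absent, which is a quick way to tell from show xlate which rule actually built a translation.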

gadpharns Tue, 03/11/2008 - 04:06

Hi,

Thank you for the fast answer! I agree with your opinion, but I have no other interface defined in any global statement for nat id 13...?


abinjola (Cisco Employee) Tue, 03/11/2008 - 08:56

From the internal host y.y.y.y, ping 4.2.2.2 and get me the following:

cl xlate loc y.y.y.y

Then ping 4.2.2.2 or yahoo.com and get me:

sh xlate det | inc y.y.y.y
sh xlate loc y.y.y.y

I need to see which IP address this y.y.y.y is getting translated to.

The other thing: what's the code version on the PIX/ASA?

gadpharns Tue, 03/11/2008 - 13:14

Hi abinjola,

Unfortunately this server is in use... when I enter "cl xlate loc y.y.y.y", all associated connections are killed?!

The current "show xlate local 10.88.x.x" shows

Global 194.x.x.x Local 10.88.x.x

Is this the xlate for the static? A similar NAT configuration looks more like

PAT Global 194.x.x.x(51953) Local 10.88.x.x(63945)

It's an FWSM with 2.3.3.2 software. Thanks for your help!



abinjola (Cisco Employee) Wed, 03/12/2008 - 02:00

Can you get a scheduled downtime of 5 min. to run our tests?

Change the public IP in the static or in the NAT ACL, initiate the traffic, and collect the above output.

Could be a bug; can't say at this point unless I get the output.
