policy nat vs. statics

gadpharns
Level 1

Hi there,

Could you give me some advice on the following issue:

nat (dmz) 13 access-list nat-dmz

global (internet) 13 194.x.x.x

access-list nat-dmz permit tcp host 10.88.x.x gt 1023 any

--> a normal policy Nat statement

and I also have a static:

static (dmz,internet) 194.x.x.x 10.88.x.x netmask 255.255.255.255

I wonder why the hit counter of the acl is increasing:

access-list nat-dmz permit tcp host 10.88.x.x gt 1023 any (hitcnt=278)

Why does the nat statement match?! I thought statics match before policy nat. Can you explain that to me, please?

5 Replies

abinjola
Cisco Employee

You're absolutely correct, policy nat is below static in terms of order of operation:

static (1st preference)

a) static nat with and without access-list (first match)

b) static pat with and without access-list (first match)

nat (2nd preference)

a) nat access-list (first match)

However in your case the static would only take effect if you go to interface "internet"

If your traffic is destined for any other interface (other than internet) then the access-list nat-dmz comes into play which says

access-list nat-dmz permit tcp host 10.88.x.x gt 1023 "any"

So you see a hit count for that traffic on this ACL
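The lookup order described in this reply, as a small runnable model. This is an added example and not code from the thread, from Cisco or from the FWSM itself: it encodes "static first, then the nat access-list" for the poster's configuration and shows on which egress interface the policy-NAT ACE is consulted. Two things are this model's assumptions rather than documented FWSM internals: a static is keyed on its (real interface, mapped interface) pair and so only applies to traffic leaving through the mapped interface, and an ACE's hit counter increments whenever the ACE is evaluated and matches, whether or not a usable global exists for that nat id on the egress interface. The addresses are placeholders standing in for the thread's 194.x.x.x / 10.88.x.x values.

```python
"""Toy model of PIX/FWSM NAT order of operation: static, then nat access-list.

Added example, not code from the thread, from Cisco or from the FWSM.
Assumptions of this model (not FWSM internals):
  * a static applies only to traffic going real_if -> mapped_if;
  * an ACE hit counter increments whenever the ACE is evaluated and matches,
    even when no global exists for that nat id on the egress interface.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Ace:
    """One 'permit tcp host <src> gt <port> any' entry of a nat access-list."""
    src_host: str
    src_port_gt: int        # 'gt 1023' -> source port must be above 1023
    hitcnt: int = 0         # mirrors the (hitcnt=N) of 'show access-list'

    def matches(self, src_ip: str, src_port: int) -> bool:
        return src_ip == self.src_host and src_port > self.src_port_gt


@dataclass
class Static:
    real_if: str
    mapped_if: str
    mapped_ip: str
    real_ip: str


@dataclass
class PolicyNat:
    real_if: str
    nat_id: int
    acl: Ace


@dataclass
class Global:
    mapped_if: str
    nat_id: int
    mapped_ip: str


@dataclass
class Firewall:
    statics: List[Static] = field(default_factory=list)
    policy_nats: List[PolicyNat] = field(default_factory=list)
    globals_: List[Global] = field(default_factory=list)

    def translate(self, ingress_if: str, egress_if: str,
                  src_ip: str, src_port: int) -> Tuple[str, Optional[str]]:
        """Return (rule that applied, mapped ip); mapped ip is None when no
        translation could be built."""
        # 1st preference: static (first match), only on its own interface pair
        for s in self.statics:
            if (s.real_if, s.mapped_if, s.real_ip) == (ingress_if, egress_if, src_ip):
                return ("static", s.mapped_ip)
        # 2nd preference: nat <id> access-list (first match)
        for p in self.policy_nats:
            if p.real_if == ingress_if and p.acl.matches(src_ip, src_port):
                p.acl.hitcnt += 1   # assumption: counted even without a global
                for g in self.globals_:
                    if g.nat_id == p.nat_id and g.mapped_if == egress_if:
                        return ("policy-nat", g.mapped_ip)
                return ("policy-nat-without-global", None)
        return ("none", None)


def build_thread_config() -> Firewall:
    """The poster's configuration, with placeholder addresses."""
    ace = Ace(src_host="10.88.0.5", src_port_gt=1023)
    return Firewall(
        statics=[Static("dmz", "internet", "203.0.113.10", "10.88.0.5")],
        policy_nats=[PolicyNat("dmz", 13, ace)],
        globals_=[Global("internet", 13, "203.0.113.10")],
    )


def run_scenario() -> dict:
    """Same host, two egress interfaces: the static covers only 'internet'."""
    fw = build_thread_config()
    to_internet = fw.translate("dmz", "internet", "10.88.0.5", 40000)
    hits_after_internet = fw.policy_nats[0].acl.hitcnt
    to_inside = fw.translate("dmz", "inside", "10.88.0.5", 40001)
    hits_after_inside = fw.policy_nats[0].acl.hitcnt
    return {
        "to_internet": to_internet,
        "hits_after_internet": hits_after_internet,
        "to_inside": to_inside,
        "hits_after_inside": hits_after_inside,
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

In the model, the flow towards "internet" is caught by the static and never reaches the ACE, while a flow towards any other interface falls through to the nat 13 access-list and bumps its hit counter even though no global exists there. Whether the real FWSM counts the ACE in that second case is exactly what the thread is trying to establish, so treat the counter rule as the model's assumption, not as a statement of FWSM behaviour.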

Hi,

thank you for the fast answer! I agree with your opinion, but I have no other interface defined in any global statement regarding nat id 13...?

From the internal host y.y.y.y, ping 4.2.2.2 and get me the following:

cl xlate loc y.y.y.y

ping 4.2.2.2 or yahoo.com and get me:

sh xlate det | inc y.y.y.y

sh xlate loc y.y.y.y

I need to see which IP address this y.y.y.y is getting xlated to.

The other thing: what's the code on the PIX/ASA?

Hi abinjola,

Unfortunately this server is in use. When I enter "cl xlate loc y.y.y.y", all associated connections are killed?!

The current "show xlate local 10.88.x.x" shows

Global 194.x.x.x Local 10.88.x.x

Is this the xlate for the static? A similar nat configuration looks more like

PAT Global 194.x.x.x (51953) Local 10.88.x.x(63945)

It's a FWSM with 2.3.3.2 software. Thanks for your help!!
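A parser for the two "show xlate" line shapes quoted in this post, as an added example; it is not code from the thread or from Cisco. It recognises a one-to-one entry ("Global A Local B") and a PAT entry ("PAT Global A(p) Local B(q)"), and filters by local address the way "show xlate local <ip>" does on the box, so captured output from several runs can be compared offline instead of re-running commands on a production server. The sample output is constructed, using RFC 5737 documentation addresses rather than the poster's 194.x.x.x / 10.88.x.x values; the detail variant of the command ("sh xlate det"), which carries extra fields, is not handled here.

```python
"""Parser for the 'show xlate' line formats quoted in the thread.

Added example, not code from the thread or from Cisco. Handles the
non-detail output format only. The sample below is constructed and uses
RFC 5737 documentation addresses.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the two shapes quoted in the thread.
SAMPLE_SHOW_XLATE = """\
3 in use, 3 most used
Global 203.0.113.10 Local 10.88.0.5
PAT Global 203.0.113.10(51953) Local 10.88.0.5(63945)
PAT Global 203.0.113.10(1025) Local 10.88.0.7(40001)
"""

# Optional 'PAT' prefix, then Global <ip>[(port)] Local <ip>[(port)].
XLATE_RE = re.compile(
    r"^(?P<pat>PAT\s+)?Global\s+(?P<gip>\d{1,3}(?:\.\d{1,3}){3})"
    r"(?:\((?P<gport>\d+)\))?\s+Local\s+(?P<lip>\d{1,3}(?:\.\d{1,3}){3})"
    r"(?:\((?P<lport>\d+)\))?\s*$"
)


@dataclass
class Xlate:
    kind: str                 # 'one-to-one' or 'pat'
    global_ip: str
    local_ip: str
    global_port: Optional[int] = None
    local_port: Optional[int] = None


def parse_show_xlate(text: str) -> List[Xlate]:
    """Turn raw 'show xlate' output into Xlate records; other lines are skipped."""
    entries: List[Xlate] = []
    for raw in text.splitlines():
        m = XLATE_RE.match(raw.strip())
        if not m:
            continue
        is_pat = m.group("pat") is not None
        entries.append(Xlate(
            kind="pat" if is_pat else "one-to-one",
            global_ip=m.group("gip"),
            local_ip=m.group("lip"),
            global_port=int(m.group("gport")) if m.group("gport") else None,
            local_port=int(m.group("lport")) if m.group("lport") else None,
        ))
    return entries


def xlates_for_local(text: str, local_ip: str) -> List[Xlate]:
    """Equivalent of 'show xlate local <ip>' applied to captured output."""
    return [x for x in parse_show_xlate(text) if x.local_ip == local_ip]


def summarize(text: str, local_ip: str) -> Dict[str, int]:
    """Count one-to-one versus PAT entries for one local address."""
    counts = {"one-to-one": 0, "pat": 0}
    for x in xlates_for_local(text, local_ip):
        counts[x.kind] += 1
    return counts


if __name__ == "__main__":
    for entry in xlates_for_local(SAMPLE_SHOW_XLATE, "10.88.0.5"):
        print(entry)
    print(summarize(SAMPLE_SHOW_XLATE, "10.88.0.5"))
```

An entry without ports is a whole-address translation, which is the shape a static leaves behind; an entry with ports on both sides is a per-connection port translation. The plain format does not say which configuration line created a given entry, which is why the reply above asks for the detail form as well.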

Can you get a scheduled downtime of 5 min. to run our tests?

Change the public IP in the static or in the NAT ACL, initiate the traffic, and collect the above output.

Could be a bug; can't say at this point unless I get the output.
