03-11-2008 01:35 AM - edited 03-11-2019 05:15 AM
Hi there,
Could you give me some advice for the following issue:
nat (dmz) 13 access-list nat-dmz
global (internet) 13 194.x.x.x
access-list nat-dmz permit tcp host 10.88.x.x gt 1023 any
--> a normal policy NAT statement
and I also have a static:
static (dmz,internet) 194.x.x.x 10.88.x.x netmask 255.255.255.255
I wonder why the hit counter of the acl is increasing:
access-list nat-dmz permit tcp host 10.88.x.x gt 1023 any (hitcnt=278)
Why does the NAT statement match??! I thought statics match before policy NAT. Can you explain that to me, please?
03-11-2008 02:46 AM
You're absolutely correct, policy NAT is below static in terms of order of operation:
static (1st preference)
a) static nat with and without access-list (first match)
b) static pat with and without access-list (first match)
nat (2nd preference)
a) nat
However, in your case the static would only take effect if you go to interface "internet".
If your traffic is destined for any other interface (other than internet), then the access-list nat-dmz comes into play, which says
access-list nat-dmz permit tcp host 10.88.x.x gt 1023 "any"
So you see a hit count for that traffic on this ACL.
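As an added illustration of the order of operations described in the answer above (example code written for this page, not from the thread, from Cisco or from the FWSM itself): a small Python model of the thread's configuration, one static (dmz,internet) plus nat/global id 13, that shows why the same packet from the same host takes the static towards "internet" but falls through to the policy-NAT ACL towards any other interface, incrementing the ACE hit counter. The addresses 10.88.0.10 and 194.0.2.1, the second interface name "inside", and the rule that the ACL is evaluated (and counted) even when no global exists on the egress interface are constructed assumptions of the model.

```python
# Simplified model of the FWSM/PIX NAT order of operations given in the
# answer above. Statics are checked first but only apply when the packet
# leaves through the static's mapped interface; otherwise the policy-NAT
# ACL on the real interface is evaluated and a global with the same NAT id
# on the egress interface supplies the pool. Addresses and the "inside"
# interface are constructed stand-ins, not values from the thread.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Ace:
    """One access-list entry, e.g. 'permit tcp host 10.88.x.x gt 1023 any'."""
    proto: str
    src_net: str                 # "host A" is written as "A/32", "any" as "0.0.0.0/0"
    sport_gt: Optional[int]      # the "gt N" source-port qualifier, if present
    dst_net: str
    hitcnt: int = 0

    def matches(self, pkt: Packet) -> bool:
        return (pkt.proto == self.proto
                and ip_address(pkt.src) in ip_network(self.src_net)
                and (self.sport_gt is None or pkt.sport > self.sport_gt)
                and ip_address(pkt.dst) in ip_network(self.dst_net))


@dataclass
class Static:                    # static (real_if,mapped_if) mapped_ip real_ip netmask /32
    real_if: str
    mapped_if: str
    mapped_ip: str
    real_ip: str


@dataclass
class PolicyNat:                 # nat (real_if) nat_id access-list <acl>
    real_if: str
    nat_id: int
    acl: List[Ace]


@dataclass
class Global:                    # global (mapped_if) nat_id pool
    mapped_if: str
    nat_id: int
    pool: str


@dataclass
class Firewall:
    statics: List[Static] = field(default_factory=list)
    nats: List[PolicyNat] = field(default_factory=list)
    globals_: List[Global] = field(default_factory=list)

    def translate(self, pkt: Packet, ingress_if: str, egress_if: str) -> Tuple[str, Optional[str]]:
        """Return (which rule applied, mapped address) for one outbound flow."""
        # 1st preference: static NAT, first match, but only towards its mapped interface.
        for s in self.statics:
            if s.real_if == ingress_if and s.mapped_if == egress_if and pkt.src == s.real_ip:
                return ("static", s.mapped_ip)
        # 2nd preference: policy NAT. The ACL is evaluated here, so its hit counter
        # moves whether or not a global exists on the egress interface (model assumption).
        for n in self.nats:
            if n.real_if != ingress_if:
                continue
            for ace in n.acl:
                if ace.matches(pkt):
                    ace.hitcnt += 1
                    for g in self.globals_:
                        if g.mapped_if == egress_if and g.nat_id == n.nat_id:
                            return ("policy-nat", g.pool)
                    return ("no-global", None)   # ACE hit, but no pool on this interface
        return ("untranslated", None)


# Constructed stand-ins for the 10.88.x.x / 194.x.x.x values in the thread.
REAL_HOST = "10.88.0.10"
MAPPED_IP = "194.0.2.1"


def build_thread_firewall() -> Firewall:
    """The thread's configuration: one static (dmz,internet) plus nat/global id 13."""
    acl = [Ace("tcp", f"{REAL_HOST}/32", 1023, "0.0.0.0/0")]
    return Firewall(
        statics=[Static("dmz", "internet", MAPPED_IP, REAL_HOST)],
        nats=[PolicyNat("dmz", 13, acl)],
        globals_=[Global("internet", 13, MAPPED_IP)],
    )


def demo() -> List[Tuple[str, Optional[str]]]:
    """Same host, same ACL: which rule fires depends only on the egress interface."""
    fw = build_thread_firewall()
    pkt = Packet("tcp", REAL_HOST, 40000, "4.2.2.2", 80)
    results = [
        fw.translate(pkt, "dmz", "internet"),   # static wins, ACL never consulted
        fw.translate(pkt, "dmz", "inside"),     # static skipped, ACE hit, no global for id 13
    ]
    results.append(("hitcnt", str(fw.nats[0].acl[0].hitcnt)))
    return results


if __name__ == "__main__":
    for r in demo():
        print(r)
```

Running it shows the ACE hit count staying at 0 for the flow towards "internet" and moving to 1 as soon as the same flow is sent towards another interface, which is the behaviour the answer describes; a packet with source port 1023 or below matches neither rule and stays untranslated.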
03-11-2008 04:06 AM
Hi,
thank you for the fast answer! I agree with your opinion, but I have no other interface defined in any global statement regarding NAT id 13...?
03-11-2008 08:56 AM
From the internal host y.y.y.y, ping 4.2.2.2 and get me the following:
cl xlate loc y.y.y.y
ping 4.2.2.2 or yahoo.com and get me
sh xlate det | inc y.y.y.y
sh xlate loc y.y.y.y
I need to see which IP address this y.y.y.y is getting xlated to.
The other thing: what's the code on PIX/ASA?
03-11-2008 01:14 PM
Hi abinjola,
Unfortunately this server is in use... when I enter "cl xlate loc y.y.y.y", all associated connections are killed?!
The current "show xlate local 10.88.x.x" shows
Global 194.x.x.x Local 10.88.x.x
Is this the xlate for the static? A similar nat configuration looks more like
PAT Global 194.x.x.x (51953) Local 10.88.x.x(63945)
It's an FWSM with 2.3.3.2 software. Thanks for your help!!
03-12-2008 02:00 AM
Can you get a scheduled downtime of 5 min. to run our tests?
Change the public IP in the static or in the NAT ACL, initiate the traffic, and collect the above output.
Could be a bug; can't say at this point unless I get the output.