10-21-2008 08:48 AM - edited 03-11-2019 07:00 AM
We have a Pix 515 fw with an inside and outside interface that has the following static NAT:
static (inside,outside) 10.2.2.2 192.168.2.2 netmask 255.255.255.255
We also have a NAT acl that looks like:
nat (inside) 1 access-list outbound-nat
global (outside) 1 10.2.4.4
access-list outbound-nat permit ip host 192.168.2.2 host 209.240.x.x
The outbound-nat acl is showing "hits" on it, but I'm confused as to how it's translating to the address in the global statement if that same source IP address 192.168.2.2 has a static NAT defined? I thought static NAT overruled other NATs? Why would I be seeing hits on the NAT acl?
10-21-2008 10:50 AM
Hello Matt
If I recall correctly, statics take place before policy NATs, as you mention. I assume the hits you see are the traffic destined to 10.2.2.2 from outside, either on purpose or not.
Regards
10-21-2008 04:11 PM
The rules are tried in order.
1) nat 0 access-list (nat-exempt)
2) match against existing xlates
3) static
   a) static nat with and without access-list (first match)
   b) static pat with and without access-list (first match)
4) nat
   a) nat
I ASSUME HITS CAME "BEFORE" STATIC WAS ADDED.
WHAT SAY?
REGARDS,
sushil
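The lookup order listed in the reply above, applied to the rules from the original question, as an added example that is not part of the thread and not Cisco's code. It is a simplified model: the xlate table is keyed by source address only, the stages are exactly those the reply lists, and DEST is a constructed placeholder for the elided 209.240.x.x address.

```python
# Rules taken from the thread. DEST stands in for the elided 209.240.x.x
# address and is a constructed placeholder (documentation range).
DEST = "203.0.113.10"
NAT_EXEMPT = []                                   # nat 0 access-list: none on the page
STATICS = [("192.168.2.2", "10.2.2.2")]           # static (inside,outside)
POLICY_NAT = [("192.168.2.2", DEST, "10.2.4.4")]  # nat 1 + global 1 + outbound-nat


def translate(src, dst, xlates, statics=STATICS, policy=POLICY_NAT,
              exempt=NAT_EXEMPT):
    """Return (stage, translated_source) for an inside->outside packet,
    trying the stages in the order the reply lists (first match wins).
    xlates is a dict {real_source: mapped_source} and is updated in place."""
    # 1) nat 0 access-list (nat-exempt): the source leaves untranslated
    for ex_src, ex_dst in exempt:
        if (src, dst) == (ex_src, ex_dst):
            return "nat-exempt", src
    # 2) existing xlates: a translation already built for this source is reused
    if src in xlates:
        return "existing-xlate", xlates[src]
    # 3) static NAT
    for real, mapped in statics:
        if src == real:
            xlates[src] = mapped
            return "static", mapped
    # 4) nat / global, here matched through the policy ACL
    for acl_src, acl_dst, mapped in policy:
        if (src, dst) == (acl_src, acl_dst):
            xlates[src] = mapped
            return "policy-nat", mapped
    return "no-match", None


if __name__ == "__main__":
    host = "192.168.2.2"
    # Static configured, empty xlate table: the static is reached first.
    print(translate(host, DEST, {}))
    # An xlate built by the policy NAT before the static was added still wins.
    print(translate(host, DEST, {host: "10.2.4.4"}))
    # With no static configured, the policy NAT rule is the one that matches.
    print(translate(host, DEST, {}, statics=[]))
```

Under this model a translation built by the policy NAT before the static existed keeps matching at stage 2, which is the case the second reply asks about.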