5510, static NAT translation

w951duu · ‎02-12-2010

I have a 5510 with dynamic NAT and serveral static translation. The dynamic NAT is working fine, but for some reason I only see untranslate hits from the Static NAT translation and no translate:

   match ip inside host 192.168.24.65 outside any
    static translation to 72.233.68.6
    translate_hits = 0, untranslate_hits = 899
match ip inside host 192.168.24.20 outside any
    static translation to 72.233.68.10
    translate_hits = 0, untranslate_hits = 572
match ip inside any outside any
    dynamic translation to pool 1 (72.233.68.2 [Interface PAT])
    translate_hits = 7035, untranslate_hits = 58

My nat configuration is as follows:

nat (DMZ) 0 access-list no-nat
nat (DMZ) 1 0.0.0.0 0.0.0.0
nat (inside) 0 access-list no-nat
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 72.233.68.5 192.168.24.5 netmask 255.255.255.255 dns
static (inside,outside) 72.233.68.6 192.168.24.65 netmask 255.255.255.255 dns
static (inside,outside) 72.233.68.10 192.168.24.20 netmask 255.255.255.255

access-list no-nat extended permit ip 192.168.24.0 255.255.255.0 10.1.24.0 255.255.255.0

Any ideas what dcould be causing this? Client cant get thru to there servers.

Federico Coto Fajardo · ‎02-12-2010

Hi,

Keep in mind that policy NAT has priority over static NAT, therefore if you have an ACL applied to a dynamic NAT statement, it will have precedence over static NATs.

Check the XLATE table and see if the servers are getting hit in the acl nonat before looking at the static.

This would explain the untranslated behavior.

Federico.