Reg packet tracer

Jun 8th, 2010

Hi halijenn / pkampana / all


A sample output of packet tracer is as follows


Please let me know the exact meaning of the following types of NAT output:


Type: NAT
Subtype: host-limits


Type: NAT
Subtype: rpf-check



Phase: 7
Type: NAT    
Subtype:
Result: ALLOW
Config:
nat (moon) 1 0.0.0.0 0.0.0.0
  match ip moon any aviod any
    dynamic translation to pool 1 (172.17.10.2)
    translate_hits = 0, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x4cef4b8, priority=1, domain=nat, deny=false
        hits=2746, user_data=0x4cef448, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0


Phase: 8
Type: NAT
Subtype: host-limits

Result: ALLOW
Config:
nat (moon) 1 0.0.0.0 0.0.0.0
  match ip moon any moon any
    dynamic translation to pool 1 (10.0.0.2)
    translate_hits = 0, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x4ceeda8, priority=1, domain=host, deny=false
        hits=9082, user_data=0x4ceeb98, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0



Phase: 9
Type: NAT
Subtype: rpf-check

Result: DROP
Config:
nat (aviod) 1 0.0.0.0 0.0.0.0
  match ip aviod any moon any
    dynamic translation to pool 1 (10.0.0.2)
    translate_hits = 86, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
out id=0x4cf41a8, priority=1, domain=nat-reverse, deny=false
        hits=2746, user_data=0x4cf4008, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0


Result:
input-interface: moon
input-status: up
input-line-status: up
output-interface: aviod
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

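As an added troubleshooting helper (not from the original post, and not a Cisco tool), the Python below splits packet-tracer output like the one above into phases, finds the phase that returned DROP, and for an rpf-check drop compares the interface in the NAT rule the forward flow matched against the one the reverse lookup matched, so an asymmetric pair stands out. The embedded SAMPLE is a constructed, condensed copy of the output above.

```python
import re
# Constructed sample, condensed from the packet-tracer output posted above (phase 8 omitted).
SAMPLE = """\
Phase: 7
Type: NAT
Subtype:
Result: ALLOW
nat (moon) 1 0.0.0.0 0.0.0.0
Phase: 9
Type: NAT
Subtype: rpf-check
Result: DROP
nat (aviod) 1 0.0.0.0 0.0.0.0
Result:
Drop-reason: (acl-drop) Flow is denied by configured rule
"""
def parse_phases(text):
    """Split packet-tracer output into per-phase dicts: phase, type, subtype, result, nat line."""
    phases, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Result:":  # a bare "Result:" opens the final summary, not a phase
            cur = None
        elif line.startswith("Phase:"):
            cur = {"phase": int(line.split(":", 1)[1]), "type": "", "subtype": "", "result": "", "nat": ""}
            phases.append(cur)
        elif cur is not None:
            for key in ("Type", "Subtype", "Result"):
                if line.startswith(key + ":"):
                    cur[key.lower()] = line.split(":", 1)[1].strip()
            if line.startswith(("nat (", "static (")):  # the Config line this phase matched
                cur["nat"] = line
    return phases

def diagnose(text):
    """Report the DROP phase; for rpf-check, compare forward vs reverse NAT rule interfaces."""
    phases = parse_phases(text)
    drop = next((p for p in phases if p["result"] == "DROP"), None)
    if drop is None:
        return {"verdict": "allow"}
    reason = re.search(r"Drop-reason:\s*(.+)", text)
    # The forward flow's NAT rule is the plain NAT phase (empty subtype) before host-limits/rpf-check.
    fwd = next((p["nat"] for p in phases if p["type"] == "NAT" and not p["subtype"]), "")
    out = {"verdict": "drop", "phase": drop["phase"], "subtype": drop["subtype"],
           "reason": reason.group(1).strip() if reason else "",
           "forward_nat": fwd, "reverse_nat": drop["nat"]}
    if drop["subtype"] == "rpf-check":  # interface in "nat (ifc) ..." differs => asymmetric pair
        ifaces = [re.search(r"\((\w+)", s) for s in (fwd, drop["nat"])]
        out["asymmetric"] = all(ifaces) and ifaces[0].group(1) != ifaces[1].group(1)
    return out
```

Paste the real `packet-tracer` output in place of SAMPLE; an `asymmetric` of True points at the forward and reverse flows hitting `nat` statements on different interfaces, which is what the replies below diagnose.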
Panos Kampanakis (Cisco Employee) Tue, 06/08/2010 - 17:02

This is probably because your packets hit a rule inbound but the return traffic will hit another one.

Is it ASA 8.3?

Check the order of your nat statements and which ones you would hit for forward and backwards flow.

PK

ankurs2008 Tue, 06/08/2010 - 17:57

hi


Thanks for the response. Please find attached the config containing the NAT order. Also, I need to know the meaning of host-limits here as well as rpf-check. The ASA software version is 7.2(3).


Type: NAT
Subtype: host-limits


Type: NAT
Subtype: rpf-check

ankurs2008 Thu, 06/10/2010 - 15:12

hi all


Need urgent help on this; can anyone please explain my query?

edadios (Silver, 250 points or more) Thu, 06/10/2010 - 15:59

The problem I see is that moon and aviod are same-security interfaces, but you are also doing nat 1 for everything from either interface and also have global 1 configured.


One thing you can try is to create an identity NAT to itself for traffic going from either interface.


static (moon,aviod) 10.0.0.0 10.0.0.0 netmask 255.255.0.0

static (aviod,moon) 172.17.10.0 172.17.10.0 netmask 255.255.255.0


Then do clear xlate and try again.


If there are still problems, you can think of changing the sequence numbers you are using for the nat and global statements on the moon and aviod interfaces, so they are not doing dynamic NAT when going between the interfaces.



rpf is the reverse path forwarding check.


host limit is the limit on the number of hosts for NAT.


Regards,
