06-08-2010 04:18 PM - edited 03-11-2019 10:56 AM
Hi halijenn / pkampana / all
A sample output of packet tracer is as follows
Please let me know the exact meaning of the following types of NAT output:
Type: NAT
Subtype: host-limits
Type: NAT
Subtype: rpf-check
Phase: 7
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (moon) 1 0.0.0.0 0.0.0.0
match ip moon any aviod any
dynamic translation to pool 1 (172.17.10.2)
translate_hits = 0, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
in id=0x4cef4b8, priority=1, domain=nat, deny=false
hits=2746, user_data=0x4cef448, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0
Phase: 8
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (moon) 1 0.0.0.0 0.0.0.0
match ip moon any moon any
dynamic translation to pool 1 (10.0.0.2)
translate_hits = 0, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
in id=0x4ceeda8, priority=1, domain=host, deny=false
hits=9082, user_data=0x4ceeb98, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0
Phase: 9
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (aviod) 1 0.0.0.0 0.0.0.0
match ip aviod any moon any
dynamic translation to pool 1 (10.0.0.2)
translate_hits = 86, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
out id=0x4cf41a8, priority=1, domain=nat-reverse, deny=false
hits=2746, user_data=0x4cf4008, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0
Result:
input-interface: moon
input-status: up
input-line-status: up
output-interface: aviod
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
06-08-2010 05:02 PM
This is probably because your packets hit a rule inbound but the return traffic will hit another one.
Is it ASA 8.3?
Check the order of your nat statements and which ones you would hit for forward and backwards flow.
PK
06-08-2010 05:57 PM
06-09-2010 04:14 PM
Hi
Please look into this and reply to my query.
06-10-2010 03:12 PM
Hi all
Need urgent help on this, can anyone please explain my query?
06-10-2010 03:59 PM
The problem I see is that moon and aviod are same-security interfaces, but you are also doing nat 1 for everything from either interface and also have global 1 configured.
One thing you can try is to create an identity NAT to itself for traffic going from either interface.
static (moon,aviod) 10.0.0.0 10.0.0.0 netmask 255.255.0.0
static (aviod,moon) 172.17.10.0 172.17.10.0 netmask 255.255.255.0
Then do a clear xlate and try again.
If there are still problems, you can think of changing the sequence numbers you are using for the nat and global for the moon and the aviod interfaces, so they are not doing dynamic nat when going between interfaces.
rpf is the reverse path forwarding check
host limit is the limit on the number of hosts for nat
Regards,
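To make output like the one quoted above easier to read, here is an added Python example (not from the thread and not Cisco code) that parses packet-tracer text of this shape into phases, finds the first DROP phase, and pairs the forward NAT match with the match of the failing rpf-check so the forward/return asymmetry PK describes is visible. The sample text is trimmed from the output in the thread and the subtype glosses are taken from the replies; both are constructed for this example.

```python
# Constructed sample, trimmed from the packet-tracer output quoted in the thread.
SAMPLE = """\
Phase: 7
Type: NAT
Subtype:
Result: ALLOW
match ip moon any aviod any
Phase: 9
Type: NAT
Subtype: rpf-check
Result: DROP
match ip aviod any moon any
Result:
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

# Glosses for the NAT phase subtypes, as explained in the replies above.
SUBTYPE_MEANING = {
    "": "forward NAT rule lookup for the original direction",
    "host-limits": "per-host limit check for NAT",
    "rpf-check": "reverse path forwarding check (return traffic must hit the same rule)",
}

def parse_trace(text):
    """Group 'Phase: N' blocks into dicts; the bare 'Result:' line starts the summary."""
    phases, summary, current = [], {}, None
    for line in text.splitlines():
        if line.startswith("Phase:"):
            current = {"phase": line.split(":", 1)[1].strip()}
            phases.append(current)
        elif line.strip() == "Result:":  # header without a value: final summary block
            current = summary
        elif current is not None and line.startswith("match "):
            current["match"] = line[6:]  # traffic the NAT rule matched
        elif current is not None and ":" in line:
            key, value = line.split(":", 1)
            current[key.strip().lower()] = value.strip()
    return phases, summary

def explain_drop(text):
    """Return the first DROP phase with its meaning, or None if the trace passed."""
    phases, summary = parse_trace(text)
    forward = [p.get("match", "") for p in phases if p.get("subtype") == ""]
    for p in phases:
        if p.get("result") == "DROP":
            return {"phase": p["phase"], "subtype": p.get("subtype", ""),
                    "meaning": SUBTYPE_MEANING.get(p.get("subtype", ""), "unknown check"),
                    "forward_match": forward[0] if forward else "", "failing_match": p.get("match", ""),
                    "drop_reason": summary.get("drop-reason", "")}
    return None
```

Feeding the full output from the first post to `explain_drop` reports Phase 9 (rpf-check) with the forward match `ip moon any aviod any` against the failing match `ip aviod any moon any`, which is the two-rule mismatch the replies point at.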