Warning message

  • Cisco Support Forums is in Read Only mode while the site is being migrated.
  • Cisco Support Forums is in Read Only mode while the site is being migrated.

ASA 9.1.2 packet tracer

Unanswered Question
Feb 17th, 2014
User Badges:


I'm working on ASA migration from 8.2.5 to 9.1.2. When I try packet trace for static nat testing purpose from ASDM the destination address is not populated by nat ip but the real one. That happen only on a specific interface which is full of nat (and where I also have some "identity nat"). Can someone tell me why ? is it a normal behaviour ?

Thank you

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Jouni Forss Mon, 02/17/2014 - 10:04
User Badges:
  • Super Bronze, 10000 points or more


I am not really sure what you mean.

Can you perhaps use the "packet-tracer" through the CLI and show what happens. Naturally you can also share a screencapture from the ASDMs packet tracer if you dont use CLI at all

- Jouni

Julio Carvajal Mon, 02/17/2014 - 11:45
User Badges:
  • Purple, 4500 points or more

Not entirely sure about what you are talking about but just in case.

Remember that the behavior on ASA firewall changes dramatically from ASA 8.2 and lower against 8.3. and higher.

-In 8.2 and before the ASA firewall perform the ACL check and then the NAT rule (This is why you pointed to public Addresses on ACL)

-In 8.3 and higher the ASA performs NAT rules first and then ACL check (This is why u now point to private IP address in ACL)

This does not mean that if running packet-tracer u must use the private IP address if comming for the internet. So make sure u still use the public IP address of the server u are trying to acces.

Hope that I could help!

Looking for some Networking Assistance? 
Contact me directly at [email protected]

I will fix your problem ASAP.


Julio Carvajal Segura

giuseppe parlato Tue, 02/18/2014 - 03:04
User Badges:

Thanks for your reply Jouni. Packet-tracer through the CLI is ok, of course also packet-tracer through ASDM is ok if I insert nat ip on destination ip field. The issue is precisely that from an access rule (which involves nat) by clicking on packet tracer the destination ip should'nt be filled with the real ip (as it is on the access rule) but the nat ip.


This Discussion