I did some policy NATing on the outside interface of our Internet-facing firewall and it broke some other NATing, and I'm not sure why. I had the following config put in place:
access-list policy_nat permit tcp any host 22.214.171.124 eq ssl
nat (outside) 2 access-list policy_nat
global (dmz) 2 10.1.1.1
Once the config was in place, the policy NATing was working for the particular address stated in the policy_nat ACL, but other pre-existing statics between the 12.x.x.x outside interface and other servers in the DMZ stopped working. When I looked on our syslog server it was saying "no translation group found" for these addresses.
I then went back into my policy_nat ACL and added a second line: "access-list policy_nat deny ip any any".
Now everything works, so I see what the issue was. My question is more about why I had to put a deny ip any any at the bottom of my policy NAT ACL. I would have thought it was like any other access list and implicitly denied, but obviously not. Can anyone elaborate on why it does not implicitly deny everything you are not permitting?