I have recently upgraded an ASA from version 7.0 to 7.2.2. After the upgrade a number of nat statements had been removed. This was related to ICMP-specific ACLs in the nat ACLs. After resolving this, the nat statements were re-added at the end of the nat list. The problem is that the ASA seems to match nat 3 rather than nat 2 (which is now at the end of the list). I have added a deny to the access-list for the specific traffic for nat 3, however the ASA still seems to be matching the ACL for nat 3.
I have used deny statements in nat ACLs before and haven't had a problem, however this doesn't appear to be working.
The ACLs for the nat statements are below.
access-list nat0-inside line 1 extended deny ip 172.18.0.0 255.255.0.0 126.96.36.199 255.255.255.0
access-list nat3-inside line 1 extended deny ip 172.18.0.0 255.255.0.0 188.8.131.52 255.255.255.0
access-list nat2-inside line 1 extended permit ip 172.18.0.0 255.255.0.0 184.108.40.206 255.255.255.0
Output for the packet-tracer is below.
nat (inside) 0 access-list nat0-inside
nat (inside) 3 access-list nat3-inside
match ip inside 172.18.0.0 255.255.0.0 outside 220.127.116.11 255.255.255.0
dynamic translation to pool 3 (No matching global)
Thanks for your replies. I do have a global for the nat 2, I just didn't post it. I only posted the config relevant to the subject.
The nat 2 statement comes after the nat 3 statement as it was removed from the config after the upgrade. I was just enquiring if anyone has had any problems using a deny in the ACLs for the nat statements and if a deny in the ACLs would ignore the specific traffic for NAT? But not to worry... I will simply remove the current NAT statements and put them back in the same order that they were prior to the upgrade.
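A small config walker, added here as an example and not part of the thread, that reads `nat (interface) N access-list NAME` statements and their `access-list ... extended permit|deny ip` entries and reports, in the order the nat statements appear in the configuration, the first ACE in each nat's ACL that covers a given source/destination pair. The configuration below is constructed (addresses are made up) to mirror the situation described: nat 2 re-added after nat 3, and a deny for the flow sitting in nat 3's ACL. It only shows which ACE each nat statement would hit first; it does not model how the ASA itself treats a deny ACE in a nat ACL.

```python
import ipaddress
import re

# Constructed sample config (not the poster's real addresses): nat 2 now follows nat 3.
SAMPLE_CONFIG = """
access-list nat0-inside line 1 extended deny ip 172.18.0.0 255.255.0.0 10.1.1.0 255.255.255.0
access-list nat3-inside line 1 extended deny ip 172.18.0.0 255.255.0.0 10.1.1.0 255.255.255.0
access-list nat3-inside line 2 extended permit ip 172.18.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list nat2-inside line 1 extended permit ip 172.18.0.0 255.255.0.0 10.1.1.0 255.255.255.0
nat (inside) 0 access-list nat0-inside
nat (inside) 3 access-list nat3-inside
nat (inside) 2 access-list nat2-inside
"""

ACE_RE = re.compile(r"^access-list (\S+) line \d+ extended (permit|deny) ip (\S+) (\S+) (\S+) (\S+)$")
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) access-list (\S+)$")


def parse(config):
    """Return (acls, nats): ACL name -> list of (action, src_net, dst_net) in line order,
    and the nat statements as (interface, nat_id, acl_name) in configuration order."""
    acls, nats = {}, []
    for raw in config.strip().splitlines():
        line = raw.strip()
        m = ACE_RE.match(line)
        if m:
            name, action, s, sm, d, dm = m.groups()
            acls.setdefault(name, []).append(
                (action, ipaddress.ip_network(f"{s}/{sm}"), ipaddress.ip_network(f"{d}/{dm}")))
            continue
        m = NAT_RE.match(line)
        if m:
            nats.append((m.group(1), int(m.group(2)), m.group(3)))
    return acls, nats


def first_ace_hit(aces, src, dst):
    """First ACE (in line order) whose source and destination both contain the flow, else None."""
    for action, snet, dnet in aces:
        if src in snet and dst in dnet:
            return action
    return None


def trace_flow(config, src_ip, dst_ip):
    """Walk the nat statements in configuration order; for each, report (nat_id, acl, first ACE hit)."""
    acls, nats = parse(config)
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return [(nat_id, acl, first_ace_hit(acls.get(acl, []), src, dst)) for _, nat_id, acl in nats]
```

For the constructed config, `trace_flow(SAMPLE_CONFIG, "172.18.5.5", "10.1.1.9")` shows nat 3 evaluated before nat 2, with nat 3's ACL hitting its deny line first and nat 2's ACL hitting a permit.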