Community Member

PIX NAT.....confused

We have a Pix 515 fw with an inside and outside interface that has the following static NAT:

static (inside,outside) 10.2.2.2 192.168.2.2 netmask 255.255.255.255

We also have a NAT acl that looks like:

nat (inside) 1 access-list outbound-nat

global (outside) 1 10.2.4.4

access-list outbound-nat permit ip host 192.168.2.2 host 209.240.x.x

The outbound-nat acl is showing "hits" on it, but I'm confused as to how it's translating to the address in the global statement if that same source IP address 192.168.2.2 has a static NAT defined. I thought static NAT overruled other NATs? Why would I be seeing hits on the NAT acl?

2 REPLIES

Re: PIX NAT.....confused

Hello Matt

If I recall correctly, statics take place before policy NATs, as you mention. I assume the hits you see are the traffic destined to 10.2.2.2 from outside, either on purpose or not.

Regards

Cisco Employee

Re: PIX NAT.....confused

The rules are tried in order:

1) nat 0 access-list (nat-exempt)
2) match against existing xlates
3) static
   a) static nat with and without access-list (first match)
   b) static pat with and without access-list (first match)
4) nat
   a) nat access-list (first match)
      Note: nat 0 access-list is not part of this command.
   b) nat (best match)
      Note: When choosing a global address from multiple pools with the same nat id, the following order is tried:
      i) if the id is 0, create an identity xlate.
      ii) use the global pool for dynamic NAT
      iii) use the global pool for dynamic PAT
5) Error

I ASSUME HITS CAME "BEFORE" STATIC WAS ADDED.

WHAT SAY ?

REGARDS,

sushil
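To make the lookup order in this reply concrete, here is an added Python model (not Cisco code and not from the thread) that applies that order to the question's configuration: the ACL gets a hit only while no static exists for 192.168.2.2, and once the static is added it wins at step 3 so the nat/global pair is never consulted. The remote host address is a constructed stand-in for the masked 209.240.x.x, and existing xlates, PAT and multiple global pools are left out of the model.

```python
import ipaddress
from dataclasses import dataclass, field

Net = ipaddress.IPv4Network

def host_or_any(spec):
    """ACL object: 'any' -> 0.0.0.0/0, otherwise a /32 host (simplified grammar)."""
    return Net("0.0.0.0/0") if spec == "any" else Net(f"{spec}/32")

@dataclass
class AclEntry:            # one 'access-list NAME permit ip <src> <dst>' line
    src: Net
    dst: Net

@dataclass
class PixNat:
    nat0_acl: list = field(default_factory=list)    # nat (inside) 0 access-list ...
    statics: dict = field(default_factory=dict)     # static (inside,outside) out in
    policy_nat: list = field(default_factory=list)  # [(nat id, [AclEntry])], config order
    globals_: dict = field(default_factory=dict)    # global (outside) <id> <ip>
    acl_hits: dict = field(default_factory=dict)    # nat id -> hitcnt, as 'show access-list'

    def translate(self, src, dst):
        s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
        if any(s in e.src and d in e.dst for e in self.nat0_acl):
            return ("nat0", src)                    # 1) nat-exempt: identity xlate
        # 2) existing xlates are not modelled; a fresh flow is assumed each call
        if src in self.statics:
            return ("static", self.statics[src])    # 3) static wins before nat/global
        for nat_id, entries in self.policy_nat:     # 4a) policy NAT, first match
            if any(s in e.src and d in e.dst for e in entries):
                self.acl_hits[nat_id] = self.acl_hits.get(nat_id, 0) + 1
                return ("policy-nat", self.globals_[nat_id])
        return ("error", None)                      # 5) no xlate: packet is dropped

REMOTE = "209.240.0.1"   # constructed stand-in for the masked 209.240.x.x in the post

def thread_scenario():
    """Question's config, exercised before and after the static line is added."""
    pix = PixNat(policy_nat=[(1, [AclEntry(host_or_any("192.168.2.2"), host_or_any(REMOTE))])],
                 globals_={1: "10.2.4.4"})
    before = pix.translate("192.168.2.2", REMOTE)   # ACL matches, hitcnt becomes 1
    pix.statics["192.168.2.2"] = "10.2.2.2"         # static (inside,outside) 10.2.2.2 192.168.2.2
    after = pix.translate("192.168.2.2", REMOTE)    # static wins, hitcnt unchanged
    return before, after, pix.acl_hits[1]

if __name__ == "__main__":
    print(thread_scenario())
```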
