Cisco Support Community

New Member

policy nat vs. statics

Hi there,

could you give me some advice on the following issue:

nat (dmz) 13 access-list nat-dmz

global (internet) 13 194.x.x.x

access-list nat-dmz permit tcp host 10.88.x.x gt 1023 any

--> a normal policy NAT statement

and I also have a static:

static (dmz,internet) 194.x.x.x 10.88.x.x netmask 255.255.255.255

I wonder why the hit counter of the acl is increasing:

access-list nat-dmz permit tcp host 10.88.x.x gt 1023 any (hitcnt=278)

Why does the nat statement match?! I thought statics match before policy NAT. Can you explain that to me, please?

5 REPLIES
Cisco Employee

Re: policy nat vs. statics

You're absolutely correct, policy NAT is below static in terms of order of operation:

static (1st preference)

a) static nat with and without access-list (first match)

b) static pat with and without access-list (first match)

nat (2nd preference)

a) nat access-list (first match)

However, in your case the static would only take effect if you go to interface "internet".

If your traffic is destined for any other interface (other than internet), then the access-list nat-dmz comes into play, which says

access-list nat-dmz permit tcp host 10.88.x.x gt 1023 "any"

So you see a hit count for that traffic on this ACL.
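To make the ordering in the reply above concrete, here is a small Python model of it, added as an illustration and not Cisco code or anything posted in this thread. It assumes the lookup sketched in the reply: statics are tried first but only for their own (real,mapped) interface pair; a nat statement is keyed on the ingress interface alone, so its access-list is evaluated (and the hit counter bumped) for traffic toward any egress interface, whether or not a global for that interface exists. The interface names, the host 10.88.0.10 and the 192.0.2.0/24 (RFC 5737) addresses standing in for 194.x.x.x are constructed; nat 0, identity NAT and dynamic NAT without an ACL are deliberately left out.

```python
"""Toy model of PIX/FWSM (pre-8.3 style) NAT rule order: statics first,
then policy NAT (nat/global with an access-list), first match wins.
Added as an illustration of the reply above; it is not Cisco code and
leaves out nat 0, identity NAT and dynamic NAT without an ACL. Names and
addresses are constructed: 192.0.2.0/24 (RFC 5737) stands in for the
poster's 194.x.x.x, 10.88.0.10 for the DMZ host.
"""
from collections import namedtuple
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# in_if: interface the packet arrived on; out_if: interface the route points to
Packet = namedtuple("Packet", "src dst proto sport in_if out_if")
Static = namedtuple("Static", "real_if mapped_if mapped_ip real_ip")  # static (real,mapped) mapped real
Nat = namedtuple("Nat", "real_if nat_id acl")                          # nat (real) id access-list acl
Global = namedtuple("Global", "mapped_if nat_id pool")                 # global (mapped) id pool


@dataclass
class Ace:
    """One ACE such as 'permit tcp host 10.88.0.10 gt 1023 any'."""
    proto: str
    src_net: str
    dst_net: str = "0.0.0.0/0"      # "any"
    sport_gt: Optional[int] = None  # "gt 1023" -> 1023
    hitcnt: int = 0

    def matches(self, p: Packet) -> bool:
        if self.proto not in ("ip", p.proto):
            return False
        if ip_address(p.src) not in ip_network(self.src_net):
            return False
        if ip_address(p.dst) not in ip_network(self.dst_net):
            return False
        return self.sport_gt is None or p.sport > self.sport_gt


@dataclass
class Acl:
    name: str
    entries: List[Ace]

    def permits(self, p: Packet) -> bool:
        # Like the box, bump the counter of the first ACE that matches.
        for ace in self.entries:
            if ace.matches(p):
                ace.hitcnt += 1
                return True
        return False


@dataclass
class Firewall:
    statics: List[Static] = field(default_factory=list)
    nats: List[Nat] = field(default_factory=list)
    globals_: List[Global] = field(default_factory=list)

    def translate(self, p: Packet) -> Tuple[str, Optional[str]]:
        """Return (rule kind, mapped address) for an outbound packet."""
        # 1st preference: statics, but only for their own interface pair.
        for s in self.statics:
            if (s.real_if, s.mapped_if) == (p.in_if, p.out_if) and p.src == s.real_ip:
                return ("static", s.mapped_ip)
        # 2nd preference: policy NAT. The nat statement is keyed on the
        # ingress interface only, so its ACL is evaluated (and the hit
        # counter bumped) for every egress interface, even one that has
        # no matching global (modelling assumption, as in the reply above).
        for n in self.nats:
            if n.real_if == p.in_if and n.acl.permits(p):
                for g in self.globals_:
                    if g.nat_id == n.nat_id and g.mapped_if == p.out_if:
                        return ("policy-nat", g.pool)
                return ("policy-nat-no-global", None)
        return ("no-match", None)


def build_poster_config() -> Tuple[Firewall, Ace]:
    """The thread's static plus nat/global 13 pair, with constructed addresses."""
    ace = Ace(proto="tcp", src_net="10.88.0.10/32", sport_gt=1023)
    fw = Firewall(
        statics=[Static("dmz", "internet", "192.0.2.10", "10.88.0.10")],
        nats=[Nat("dmz", 13, Acl("nat-dmz", [ace]))],
        globals_=[Global("internet", 13, "192.0.2.10")],
    )
    return fw, ace


if __name__ == "__main__":
    fw, ace = build_poster_config()
    to_internet = Packet("10.88.0.10", "198.51.100.1", "tcp", 40000, "dmz", "internet")
    to_inside = Packet("10.88.0.10", "10.1.1.1", "tcp", 40001, "dmz", "inside")
    print(fw.translate(to_internet), ace.hitcnt)  # static wins, counter untouched
    print(fw.translate(to_inside), ace.hitcnt)    # ACL evaluated, no global on inside
```

Running it shows the two cases the reply distinguishes: the DMZ host going out "internet" is picked up by the static and the nat-dmz counter stays at 0, while the same host going to any other interface falls through to the nat statement, whose ACL is consulted and counted even though nat id 13 has no global on that interface.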

New Member

Re: policy nat vs. statics

Hi,

thank you for the fast answer! I agree with your opinion, but I have no other interface defined in any global statement regarding nat id 13...?

Cisco Employee

Re: policy nat vs. statics

From the internal host y.y.y.y ping 4.2.2.2 and get me the following:

cl xlate loc y.y.y.y

ping 4.2.2.2 or yahoo.com and get me

sh xlate det | inc y.y.y.y

sh xlate loc y.y.y.y

I need to see to which IP address this y.y.y.y is getting xlated.

The other thing: what's the code on the PIX/ASA?

New Member

Re: policy nat vs. statics

Hi abinjola,

unfortunately this server is in use... when I enter "cl xlate loc y.y.y.y", all associated connections are killed?!

The current "show xlate local 10.88.x.x" shows

Global 194.x.x.x Local 10.88.x.x

Is this the xlate for the static? A similar nat configuration looks more like

PAT Global 194.x.x.x (51953) Local 10.88.x.x(63945)

It's an FWSM with 2.3.3.2 software. Thanks for your help!!
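The two xlate lines quoted in the post above differ only in shape: a 1:1 entry reads "Global G Local L", a PAT entry reads "PAT Global G(port) Local L(port)". The following Python parser, added here as an illustration and not part of the thread, sorts a pasted "show xlate" listing by that shape so the entries for one host can be counted instead of eyeballed. The line format is assumed from those two lines alone (ports with or without a space before the parenthesis), the header line and the RFC 5737 addresses in the sample are constructed, and the parser does not claim to tell whether a 1:1 entry came from a static or from a dynamic nat.

```python
"""Parser for the two 'show xlate' line shapes quoted in the post above.
Added as an illustration, not part of the thread. Format assumed from
those two lines only: 1:1 entries as 'Global G Local L', PAT entries as
'PAT Global G(port) Local L(port)' with an optional space before the port.
Sample lines are constructed with RFC 5737 addresses, not the poster's output.
"""
import re
from collections import Counter, namedtuple
from typing import Dict, List

Xlate = namedtuple("Xlate", "kind global_ip global_port local_ip local_port")

_LINE = re.compile(
    r"^(?P<pat>PAT\s+)?Global\s+(?P<g>[\d.]+)\s*(?:\((?P<gp>\d+)\))?"
    r"\s*Local\s+(?P<l>[\d.]+)\s*(?:\((?P<lp>\d+)\))?\s*$"
)


def parse_xlate(text: str) -> List[Xlate]:
    """Turn 'show xlate' output into Xlate tuples; lines that do not match are skipped."""
    out = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue  # e.g. the 'N in use, M most used' header or blank lines
        kind = "pat" if m.group("pat") else "nat"
        out.append(Xlate(kind, m.group("g"),
                         int(m.group("gp")) if m.group("gp") else None,
                         m.group("l"),
                         int(m.group("lp")) if m.group("lp") else None))
    return out


def xlates_for(local_ip: str, text: str) -> Dict[str, int]:
    """Count 1:1 ('nat') versus port-overloaded ('pat') entries for one host,
    the programmatic form of 'show xlate local <ip>'. A 1:1 entry on its own
    does not say whether a static or a dynamic nat created it."""
    return dict(Counter(x.kind for x in parse_xlate(text) if x.local_ip == local_ip))


# Constructed sample: one 1:1 entry and two PAT entries for the same host,
# an entry for an unrelated host, and a header line that must be ignored.
SAMPLE = """\
4 in use, 6 most used
Global 192.0.2.10 Local 10.88.0.10
PAT Global 192.0.2.10(51953) Local 10.88.0.10(63945)
PAT Global 192.0.2.10 (51954) Local 10.88.0.10(63946)
Global 192.0.2.11 Local 10.88.0.11
"""

if __name__ == "__main__":
    for x in parse_xlate(SAMPLE):
        print(x)
    print(xlates_for("10.88.0.10", SAMPLE))  # {'nat': 1, 'pat': 2}
```

If a host shows both a 1:1 entry and PAT entries on the same global address, as the sample does, the listing alone cannot say which rule produced each; that is the question the poster raises, and it still needs the "show xlate detail" output the previous reply asked for.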

Cisco Employee

Re: policy nat vs. statics

Can you get a scheduled downtime of 5 min. to run our tests?

Change the public IP in the static or in the NAT ACL and initiate the traffic, then collect the above output.

It could be a bug; I can't say at this point unless I get the output.
