Reg packet tracer

ankurs2008
Level 1

Hi halijenn / pkampana / all

A sample output of packet tracer is as follows.

Please let me know the exact meaning of the following types of NAT output:

Type: NAT
Subtype: host-limits


Type: NAT
Subtype: rpf-check

Phase: 7
Type: NAT    
Subtype:
Result: ALLOW
Config:
nat (moon) 1 0.0.0.0 0.0.0.0
  match ip moon any aviod any
    dynamic translation to pool 1 (172.17.10.2)
    translate_hits = 0, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x4cef4b8, priority=1, domain=nat, deny=false
        hits=2746, user_data=0x4cef448, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0

Phase: 8
Type: NAT
Subtype: host-limits

Result: ALLOW
Config:
nat (moon) 1 0.0.0.0 0.0.0.0
  match ip moon any moon any
    dynamic translation to pool 1 (10.0.0.2)
    translate_hits = 0, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x4ceeda8, priority=1, domain=host, deny=false
        hits=9082, user_data=0x4ceeb98, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0


Phase: 9
Type: NAT
Subtype: rpf-check

Result: DROP
Config:
nat (aviod) 1 0.0.0.0 0.0.0.0
  match ip aviod any moon any
    dynamic translation to pool 1 (10.0.0.2)
    translate_hits = 86, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
out id=0x4cf41a8, priority=1, domain=nat-reverse, deny=false
        hits=2746, user_data=0x4cf4008, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0

Result:
input-interface: moon
input-status: up
input-line-status: up
output-interface: aviod
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
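As an added illustration (not part of the thread), a short Python parser for this packet-tracer output: it pulls out each Phase with its Type, Subtype, Result and the domain= of the rule the lookup matched, and reports the phase that returned DROP together with the Drop-reason. The sample text is a constructed, trimmed copy of the output quoted above.

```python
import re

# Constructed sample trimmed from the packet-tracer output quoted in the post.
SAMPLE = """\
Phase: 8
Type: NAT
Subtype: host-limits
Result: ALLOW
in  id=0x4ceeda8, priority=1, domain=host, deny=false

Phase: 9
Type: NAT
Subtype: rpf-check
Result: DROP
out id=0x4cf41a8, priority=1, domain=nat-reverse, deny=false

Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

def parse_phases(text):
    """One dict per 'Phase:' block, plus the domain= of the rule it matched."""
    phases, cur = [], None
    for line in text.splitlines():
        if line.strip() == "Result:":  # a bare Result: opens the final summary
            cur = None
        elif m := re.match(r"Phase:\s*(\d+)", line):
            cur = dict(number=int(m.group(1)), type="", subtype="", result="", domain="")
            phases.append(cur)
        elif cur is None:
            continue
        elif kv := re.match(r"(Type|Subtype|Result):\s*(\S.*)?$", line):
            cur[kv.group(1).lower()] = (kv.group(2) or "").strip()  # empty Subtype: allowed
        elif dm := re.search(r"\bdomain=([\w-]+)", line):
            cur["domain"] = dm.group(1)
    return phases

def drop_summary(text):
    """(phase number, subtype, Drop-reason) of the first DROP phase, else None."""
    dropped = next((p for p in parse_phases(text) if p["result"] == "DROP"), None)
    if dropped is None:
        return None
    m = re.search(r"Drop-reason:\s*(.*)", text)
    return dropped["number"], dropped["subtype"], (m.group(1).strip() if m else "")

if __name__ == "__main__":
    for p in parse_phases(SAMPLE):
        print(p["number"], p["type"], p["subtype"] or "-", p["result"], p["domain"])
    print("dropped:", drop_summary(SAMPLE))
```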

5 Replies

Panos Kampanakis
Cisco Employee

This is probably because your packets hit a rule inbound but the return traffic will hit another one.

Is it ASA 8.3?

Check the order of your nat statements and which ones you would hit for forward and backwards flow.

PK

hi

Thanks for the response. Please find attached the config containing the NAT order. Also I need to know the meaning of host-limits over here as well as rpf-check. The ASA software version is 7.2(3).

Type: NAT
Subtype: host-limits


Type: NAT
Subtype: rpf-check

hi

please look into this and reply to my query

hi all

Need urgent help on this, can anyone please explain my query?

The problem I see is that moon and aviod are the same security interface, but you are also doing nat 1 for everything from either interface and also have global 1 configured.

One thing you can try is to create an identity NAT to itself for traffic going from either interface.

static (moon,aviod) 10.0.0.0 10.0.0.0 netmask 255.255.0.0

static (aviod,moon) 172.17.10.0 172.17.10.0 netmask 255.255.255.0

Then do clear xlate and try again.

If there are still problems, you can think of changing the sequence numbers you are using for the nat and global for the moon and the aviod interface, so they are not doing dynamic NAT when going between interfaces.

rpf is reverse path forwarding check

host limit is the number of host limit for nat

Regards,
