Cisco Support Community

New Member

Reg packet tracer

Hi halijenn / pkampana / all

A sample output of packet tracer is as follows

Please let me know what is the exact meaning of the following type of NAT Outputs

Type: NAT
Subtype: host-limits


Type: NAT
Subtype: rpf-check

Phase: 7
Type: NAT    
Subtype:
Result: ALLOW
Config:
nat (moon) 1 0.0.0.0 0.0.0.0
  match ip moon any aviod any
    dynamic translation to pool 1 (172.17.10.2)
    translate_hits = 0, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x4cef4b8, priority=1, domain=nat, deny=false
        hits=2746, user_data=0x4cef448, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0

Phase: 8
Type: NAT
Subtype: host-limits

Result: ALLOW
Config:
nat (moon) 1 0.0.0.0 0.0.0.0
  match ip moon any moon any
    dynamic translation to pool 1 (10.0.0.2)
    translate_hits = 0, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x4ceeda8, priority=1, domain=host, deny=false
        hits=9082, user_data=0x4ceeb98, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0


Phase: 9
Type: NAT
Subtype: rpf-check

Result: DROP
Config:
nat (aviod) 1 0.0.0.0 0.0.0.0
  match ip aviod any moon any
    dynamic translation to pool 1 (10.0.0.2)
    translate_hits = 86, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
out id=0x4cf41a8, priority=1, domain=nat-reverse, deny=false
        hits=2746, user_data=0x4cf4008, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0

Result:
input-interface: moon
input-status: up
input-line-status: up
output-interface: aviod
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
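As an added example that is not part of the original thread (and not a Cisco tool), here is a small Python parser for the packet-tracer phase format quoted above. It pulls out each phase's Type, Subtype and Result, the lookup direction (in/out) and domain of the rule the phase hit, and the final Action and Drop-reason, so you can see at a glance which NAT phase dropped the flow and which nat statement each lookup matched. The sample input is the three NAT phases and the result block from the question, trimmed to the lines the parser uses; the function names and the layout of the returned dict are this example's own choices.

```python
"""Parse Cisco ASA packet-tracer output into phases and locate the dropping phase."""
import re
from typing import Dict, List, Optional, Tuple

# Sample input: phases 7-9 and the result block quoted in the question above,
# trimmed to the lines this parser reads (interface names and rule ids as posted).
SAMPLE_TRACE = """\
Phase: 7
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (moon) 1 0.0.0.0 0.0.0.0
  match ip moon any aviod any
    dynamic translation to pool 1 (172.17.10.2)
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x4cef4b8, priority=1, domain=nat, deny=false

Phase: 8
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (moon) 1 0.0.0.0 0.0.0.0
  match ip moon any moon any
    dynamic translation to pool 1 (10.0.0.2)
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x4ceeda8, priority=1, domain=host, deny=false

Phase: 9
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (aviod) 1 0.0.0.0 0.0.0.0
  match ip aviod any moon any
    dynamic translation to pool 1 (10.0.0.2)
Additional Information:
Forward Flow based lookup yields rule:
out id=0x4cf41a8, priority=1, domain=nat-reverse, deny=false

Result:
input-interface: moon
output-interface: aviod
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

PHASE_RE = re.compile(r"^Phase:\s*(\d+)\s*$", re.M)
TYPE_RE = re.compile(r"^Type:\s*(\S+)", re.M)
SUBTYPE_RE = re.compile(r"^Subtype:[ \t]*(\S*)", re.M)
RESULT_RE = re.compile(r"^Result:[ \t]*([A-Z]+)[ \t]*$", re.M)   # phase result only
CONFIG_RE = re.compile(r"^(nat|static|global)\s.*$", re.M)       # the NAT statement hit
RULE_RE = re.compile(r"^(in|out)\s+id=(0x[0-9a-f]+),.*?domain=([\w-]+),.*?deny=(true|false)", re.M)
ACTION_RE = re.compile(r"^Action:\s*(\w+)", re.M)
DROP_RE = re.compile(r"^Drop-reason:\s*(.+?)\s*$", re.M)


def split_phases(text: str) -> List[Tuple[int, str]]:
    """Return (phase number, block text) pairs; the final 'Result:' block stays in the last phase."""
    marks = list(PHASE_RE.finditer(text))
    return [(int(m.group(1)), text[m.end():(marks[i + 1].start() if i + 1 < len(marks) else len(text))])
            for i, m in enumerate(marks)]


def parse_phase(number: int, block: str) -> Dict[str, object]:
    """Extract the fields of one phase; missing fields become empty strings."""
    grab = lambda rx: (rx.search(block).group(1) if rx.search(block) else "")
    info: Dict[str, object] = {"phase": number, "type": grab(TYPE_RE),
                               "subtype": grab(SUBTYPE_RE), "result": grab(RESULT_RE)}
    m = CONFIG_RE.search(block)
    info["config"] = m.group(0).strip() if m else ""
    r = RULE_RE.search(block)
    info["direction"], info["rule_id"], info["domain"] = (r.group(1), r.group(2), r.group(3)) if r else ("", "", "")
    info["deny"] = bool(r and r.group(4) == "true")
    return info


def parse_trace(text: str) -> Dict[str, object]:
    """Parse a whole packet-tracer run into its phases plus the final action and drop reason."""
    a, d = ACTION_RE.search(text), DROP_RE.search(text)
    return {"phases": [parse_phase(n, b) for n, b in split_phases(text)],
            "action": a.group(1) if a else "", "drop_reason": d.group(1) if d else ""}


def first_drop(trace: Dict[str, object]) -> Optional[Dict[str, object]]:
    """Return the first phase whose Result is DROP, or None if the flow was allowed."""
    return next((p for p in trace["phases"] if p["result"] == "DROP"), None)


def nat_by_direction(trace: Dict[str, object]) -> Dict[str, List[Tuple[str, str]]]:
    """Group NAT phases by lookup direction: (domain, nat statement) per 'in'/'out' lookup."""
    out: Dict[str, List[Tuple[str, str]]] = {}
    for p in trace["phases"]:
        if p["type"] == "NAT" and p["direction"]:
            out.setdefault(p["direction"], []).append((p["domain"], p["config"]))
    return out


if __name__ == "__main__":
    trace = parse_trace(SAMPLE_TRACE)
    for p in trace["phases"]:
        print(f"Phase {p['phase']:>2} {p['type']:<4} {p['subtype'] or '-':<12} {p['result']:<5} "
              f"{p['direction']:<3} domain={p['domain']:<12} {p['config']}")
    d = first_drop(trace)
    if d:
        print(f"\nDropped in phase {d['phase']} ({d['type']}/{d['subtype']}): {trace['drop_reason']}")
```

Run it against the output of your own `packet-tracer` command (paste it into `SAMPLE_TRACE` or read it from a file); comparing the `in` lookups (domain `nat`/`host`) against the `out` lookup (domain `nat-reverse`) is the quickest way to do the forward-versus-return-flow comparison PK suggests below, since the rpf-check phase shows the nat statement the reply traffic would hit.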

5 REPLIES
Cisco Employee

Re: Reg packet tracer

This is probably because your packets hit a rule inbound but the return traffic will hit another one.

Is it ASA 8.3?

Check the order of your nat statements and which ones you would hit for forward and backwards flow.

PK

New Member

Re: Reg packet tracer

hi

Thanks for the response. Please find attached the config containing the nat order. Also I need to know the meaning of host-limits over here as well as rpf-check. The ASA software version is 7.2(3).

Type: NAT
Subtype: host-limits


Type: NAT
Subtype: rpf-check

New Member

Re: Reg packet tracer

hi

please look into this and reply to my query

New Member

Re: Reg packet tracer

hi all

Need urgent help on this; can anyone please explain my query?

Cisco Employee

Re: Reg packet tracer

The problem I see is that moon and aviod are the same security interfaces, but you are also doing nat 1 for everything from either interface and also have global 1 configured.

One thing you can try is to create an identity NAT to itself for traffic going from either interface.

static (moon,aviod) 10.0.0.0 10.0.0.0 netmask 255.255.0.0

static (aviod,moon) 172.17.10.0 172.17.10.0 netmask 255.255.255.0

Then do clear xlate and try again.

If there are still problems, you can think of changing the sequence numbers you are using for the nat and global for the moon and the aviod interface, so they are not doing dynamic nat when going between interfaces.

rpf is the reverse path forwarding check.

host limit is the number-of-hosts limit for nat.

Regards,
