Cisco Support Community

New Member

UN-NAT question

I know you'll probably need more, but I haven't seen an UN-NAT before. I made some changes to allow the two networks to talk on my ASA. The result is it works. The UN-NAT in phase 3 sort of threw me for a loop. I was hoping someone could just explain what's happening based on the below:

packet-tracer input exchange tcp 192.168.180.11 32000 192.168.139.6 25

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (lvbw,Exchange) 192.168.139.0 192.168.139.0 netmask 255.255.255.0
  match ip lvbw 192.168.139.0 255.255.255.0 HostedExchange any
    static translation to 192.168.139.0
    translate_hits = 29, untranslate_hits = 51
Additional Information:
NAT divert to egress interface lvbw
Untranslate 192.168.139.0/0 to 192.168.139.0/0 using netmask 255.255.255.0

Thanks!

1 ACCEPTED SOLUTION
Super Bronze

Re: UN-NAT question

Hi,

To my understanding, the UN-NAT phase always happens when you have a translation configured for the destination IP address. You are essentially targeting an IP address that is a NAT IP address configured on the firewall.

So a "packet-tracer" command using a destination IP address used in a Static NAT for a server would produce the same type of output.

What you are doing above is basically Static Identity NAT. The network used in the command is translated into itself. The most typical use for this is usually to enable communication between different Cisco firewall interfaces.

Depending on setup you might actually see 2 different translations in the same "packet-tracer" output. This happens when you are doing NAT for both the source and the destination host of the "packet-tracer" command.

- Jouni
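
To make the explanation above concrete, here is a small parser for the packet-tracer output quoted in the question. It is an added example written for this page, not code from the thread or from Cisco. It splits the trace into phases, finds the UN-NAT phase, reads the old-style `static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask` line the post shows, and reports whether the rule is identity NAT (mapped address equals real address) and which interface the packet is diverted to. The sample trace embedded below is copied from the post; the phase layout it assumes is the one visible there.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Sample input: the packet-tracer output from the question, blank lines removed.
SAMPLE_TRACE = """\
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (lvbw,Exchange) 192.168.139.0 192.168.139.0 netmask 255.255.255.0
  match ip lvbw 192.168.139.0 255.255.255.0 HostedExchange any
    static translation to 192.168.139.0
    translate_hits = 29, untranslate_hits = 51
Additional Information:
NAT divert to egress interface lvbw
Untranslate 192.168.139.0/0 to 192.168.139.0/0 using netmask 255.255.255.0
"""

# Pre-8.3 static NAT syntax: static (real_ifc,mapped_ifc) mapped_ip real_ip [netmask mask]
STATIC_RE = re.compile(
    r"^static \((?P<real_ifc>[^,]+),(?P<mapped_ifc>[^)]+)\) "
    r"(?P<mapped>\d+\.\d+\.\d+\.\d+) (?P<real>\d+\.\d+\.\d+\.\d+)"
    r"(?: netmask (?P<mask>\d+\.\d+\.\d+\.\d+))?"
)
HITS_RE = re.compile(r"translate_hits = (\d+), untranslate_hits = (\d+)")
EGRESS_RE = re.compile(r"NAT divert to egress interface (\S+)")


@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    config: List[str] = field(default_factory=list)
    info: List[str] = field(default_factory=list)


def parse_trace(text: str) -> List[Phase]:
    """Split packet-tracer output into Phase records (Config: and Additional Information: bodies kept)."""
    phases: List[Phase] = []
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        if line.startswith("Phase:"):
            phases.append(Phase(number=int(line.split(":", 1)[1])))
            section = None
            continue
        if not phases:
            continue  # text before the first Phase: line is ignored
        cur = phases[-1]
        if line.startswith("Type:"):
            cur.type = line.split(":", 1)[1].strip()
        elif line.startswith("Subtype:"):
            cur.subtype = line.split(":", 1)[1].strip()
        elif line.startswith("Result:"):
            cur.result = line.split(":", 1)[1].strip()
        elif line.startswith("Config:"):
            section = "config"
        elif line.startswith("Additional Information:"):
            section = "info"
        elif section == "config":
            cur.config.append(line.strip())
        elif section == "info":
            cur.info.append(line.strip())
    return phases


def describe_un_nat(phases: List[Phase]) -> Optional[Dict]:
    """Summarise the first UN-NAT phase: identity NAT or not, interfaces, hit counters, egress."""
    for ph in phases:
        if ph.type != "UN-NAT":
            continue
        summary: Dict = {"phase": ph.number, "subtype": ph.subtype, "result": ph.result,
                         "identity": None, "egress": None}
        for line in ph.config:
            m = STATIC_RE.match(line)
            if m:
                # Identity NAT: the mapped address is the real address.
                summary["identity"] = m["mapped"] == m["real"]
                summary.update(real_ifc=m["real_ifc"], mapped_ifc=m["mapped_ifc"],
                               mapped=m["mapped"], real=m["real"])
            h = HITS_RE.search(line)
            if h:
                summary["translate_hits"] = int(h.group(1))
                summary["untranslate_hits"] = int(h.group(2))
        for line in ph.info:
            e = EGRESS_RE.search(line)
            if e:
                summary["egress"] = e.group(1)
        return summary
    return None  # no destination translation matched this flow


if __name__ == "__main__":
    print(describe_un_nat(parse_trace(SAMPLE_TRACE)))
```

Run on the quoted trace, the summary shows `identity=True` (192.168.139.0 maps to itself), the real interface `lvbw` versus the mapped interface `Exchange`, and `egress=lvbw`, which is exactly the "static identity NAT between two firewall interfaces" case described in the answer; a trace with no UN-NAT phase returns `None`.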

2 REPLIES
New Member

UN-NAT question

thank you!
