untranslate_hits on PAT rule

Hello,

Can someone please explain when the untranslate_hits counter counts up on a PAT rule.

I use ASA 8.4 and found that in some PAT rules untranslate_hits is not 0 as expected.

As PAT can only be built in one direction, how can I find a mapped-to-original hit counter > 0?

Many thanks in advance

Stephan

8 Replies

Julio Carvajal
VIP Alumni

Well if you do PAT when traffic goes to the outside... What would happen when the traffic from the internet comes back?

In order to send the traffic to the right port we check the Xlate table and Un-NAT the packet.

Do you follow me?

For more information about Core and Security Networking follow my website at http://laguiadelnetworking.

Any question contact me at jcarvaja@laguiadelnetworking.com

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hello,

I don't think you're right here.

Why do I normally have 0 or a few untranslate hits and 1000s of translate hits on PAT rules?

I think the hit counter is not triggered by a packet.

It is triggered by a new (embryonic) connection which uses an xlate entry built from this NAT rule.

Correct me if I'm wrong.

Best regards

Stephan

I think I found the answer myself, by testing in GNS3.

Hope I'm right here. For protocols like FTP the data channel may be built from outside to inside if inspected on the ASA.

A new translation (xlate) will be made for the data channel, which triggers the untranslate hit counter to increase.

Maybe someone from Cisco can agree here.

Many thanks in advance, Stephan

Stephan,

What output are you talking about, man?

Can you show us in detail what you are talking about?

For more information about Core and Security Networking follow my website at http://laguiadelnetworking.

Any question contact me at jcarvaja@laguiadelnetworking.com

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hello,

#show nat

11 (inside) to (outside) source static obj-192.168.0.0_24 obj-x.x.x.x

    translate_hits = 1256, untranslate_hits = 5

// comment

// if you are CCIE/w and did not know, maybe you're not the man I should talk with.

// I came here to get a fast approval or denial of my reflections.

As you know, hit counters are not packet counters!

You can test this with some outbound connections (http/telnet/...): only translate_hits will increase, one per new request.

If you have a protocol like FTP which opens a second channel, the second channel may trigger the untranslate_hits counter to increase.

From memory, as I'm not on my testing device now:

>ftp to 8.8.8.8

Logs show something like this:

build outbound connection from 192.168.0.1 port 15242 to 8.8.8.8 port 21

build outbound translation 192.168.0.1 port 15242 to x.x.x.x 545454

#show nat

11 (inside) to (outside) source static obj-192.168.0.0_24 obj-x.x.x.x

translate_hits = 1, untranslate_hits = 0


>ftp enter username / password

build outbound connection from 192.168.0.1 port 15243 to 8.8.8.8 port 20

build outbound translation 192.168.0.1 port 15243 to x.x.x.x 45763

#show nat

11 (inside) to (outside) source static obj-192.168.0.0_24 obj-x.x.x.x

translate_hits = 1, untranslate_hits = 1

As you see, the second connection/channel is still built as outbound.

But as we use FTP inspection on the ASA, the port definition was exchanged from outside to inside in the existing control channel.

So I think the first entry in the connection database came from outside before the first SYN packet was sent from inside.

Best regards

Stephan Dietrich

Hello Stephan,

What better way for me to forget about your CCIE comment than to prove to you that you are missing the key information and I was right here....

So here is the answer for you (Make sure you mark the question as answered)

translate_hits = ? As I said before, used to translate our private IP address to the X public IP address.

untranslate_hits = ? As I said, in order to translate the X public IP address to the private IP address.

What you need to understand from this is that on the show NAT command you will see the translate hits counters increasing for outbound sessions.

And the untranslate_hits for inbound sessions.

Nothing related to inspections!!!!!

Just in case you want me to show this to you:

nat (inside,outside) source dynamic any interface

nat (inside,outside) source static Jcarvaja Mapped_Outside service Telnet Telnet

Jcarvaja is 192.168.10.2

Let's telnet from Jcarvaja to an outside user 50.50.50.2

Guia-Networking# sh nat

Manual NAT Policies (Section 1)

1 (inside) to (outside) source dynamic any interface

    translate_hits = 0, untranslate_hits = 0

2 (inside) to (outside) source static Jcarvaja Mapped_Outside   service Telnet Telnet

    translate_hits = 0, untranslate_hits = 0

R1#telnet 50.50.50.2

Trying 50.50.50.2 ... Open

User Access Verification

Password:

R2>

Let's see the outputs on the ASA

Guia-Networking# sh nat

Manual NAT Policies (Section 1)

1 (inside) to (outside) source dynamic any interface

    translate_hits = 1, untranslate_hits = 0

2 (inside) to (outside) source static Jcarvaja Mapped_Outside   service Telnet Telnet

    translate_hits = 0, untranslate_hits = 0

Now, let's start the session from the outside router

R2#telnet 50.50.50.3

Trying 50.50.50.3 ... Open

User Access Verification

Password:

Password:

R1>

Guia-Networking# sh nat

Manual NAT Policies (Section 1)

1 (inside) to (outside) source dynamic any interface

    translate_hits = 1, untranslate_hits = 0

2 (inside) to (outside) source static Jcarvaja Mapped_Outside   service Telnet Telnet

    translate_hits = 0, untranslate_hits = 1

That's it!!!!

For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com

Any question contact me at jcarvaja@laguiadelnetworking.com

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hello,

Yes, this is the normal behaviour for static NAT, but I was talking about dynamic PAT (hide) or for instance your dynamic NAT rule (1). With telnet you will never get an "untranslate_hits", as a new session cannot be built from outside.

That's why I came to the idea that I got the counter in my rule from a protocol like FTP / RPC / SIP.

And so I tested it with FTP.

As you can see from my upper post, the second (data) channel is still an outbound session, so it should increase the translate_hits counter, but it has increased the untranslate_hits counter. So I came to the conclusion that the counter was triggered by the port exchange (part of the control channel) and pinholing (made with the FTP inspection of the control channel).

Can you agree with that?

I came here to get more information about the pinholing process, as I can't find any precise information on the Cisco site or the internet.

Maybe any hint on how to troubleshoot the pinholing mapping and inspection process.

Stephan

Hello Stephan,

It's not related to inspections.

It's related to the fact that an inbound connection will be using a NAT statement, so of course if you have an FTP client machine sitting on the DMZ network trying to contact an FTP server in active mode, of course you will see the untranslate, because the FTP active server will generate the data channel to you with an inbound connection.

So again, it's related to who initiates the connection, but I agree that with those protocols (with FTP depending on the mode) you will see it!

For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com

Any question contact me at jcarvaja@laguiadelnetworking.com

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
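The thread's conclusion is that on a dynamic (PAT/hide) rule, which only ever builds xlates outbound, a non-zero untranslate_hits means an inbound-initiated connection matched the rule (for example an active-mode FTP data channel let in through the inspection pinhole), so the counter is a useful thing to watch. The following Python script is an added example and not part of any post above or of Cisco's tooling: it parses the `show nat` text in the format quoted in the thread, flags dynamic rules whose untranslate_hits is non-zero, and diffs two snapshots the way Stephan and Julio did by hand. The two snapshots embedded below are constructed sample output with made-up counter values.

```python
import re

# Regex for a rule line in ASA 8.4 `show nat` output, e.g.
#   "1 (inside) to (outside) source dynamic any interface"
RULE_RE = re.compile(
    r"^(?P<idx>\d+)\s+\((?P<real_if>[^)]+)\)\s+to\s+\((?P<mapped_if>[^)]+)\)"
    r"\s+source\s+(?P<kind>static|dynamic)\s+(?P<rest>.*)$"
)
# Regex for the counter line that follows each rule.
HITS_RE = re.compile(
    r"translate_hits\s*=\s*(?P<t>\d+),\s*untranslate_hits\s*=\s*(?P<u>\d+)"
)

# Constructed sample snapshots (values invented for this example), in the
# layout the thread quotes: a "before" and an "after" run of `show nat`.
SNAPSHOT_BEFORE = """\
Manual NAT Policies (Section 1)
1 (inside) to (outside) source dynamic any interface
    translate_hits = 1, untranslate_hits = 0
2 (inside) to (outside) source static Jcarvaja Mapped_Outside   service Telnet Telnet
    translate_hits = 0, untranslate_hits = 0
11 (inside) to (outside) source static obj-192.168.0.0_24 obj-x.x.x.x
    translate_hits = 1255, untranslate_hits = 5
12 (dmz) to (outside) source dynamic obj-dmz interface
    translate_hits = 40, untranslate_hits = 2
"""

SNAPSHOT_AFTER = """\
Manual NAT Policies (Section 1)
1 (inside) to (outside) source dynamic any interface
    translate_hits = 1, untranslate_hits = 0
2 (inside) to (outside) source static Jcarvaja Mapped_Outside   service Telnet Telnet
    translate_hits = 0, untranslate_hits = 1
11 (inside) to (outside) source static obj-192.168.0.0_24 obj-x.x.x.x
    translate_hits = 1256, untranslate_hits = 5
12 (dmz) to (outside) source dynamic obj-dmz interface
    translate_hits = 40, untranslate_hits = 3
"""


def parse_show_nat(text):
    """Return a list of rule dicts parsed from `show nat` text.

    Each rule line opens a new dict; the counter line that follows it
    fills in translate_hits / untranslate_hits. Section headers and other
    lines are ignored."""
    rules = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = RULE_RE.match(line)
        if m:
            current = {
                "idx": int(m["idx"]),
                "real_if": m["real_if"],
                "mapped_if": m["mapped_if"],
                "kind": m["kind"],
                "rest": m["rest"].strip(),
                "translate_hits": 0,
                "untranslate_hits": 0,
            }
            rules.append(current)
            continue
        m = HITS_RE.search(line)
        if m and current is not None:
            current["translate_hits"] = int(m["t"])
            current["untranslate_hits"] = int(m["u"])
    return rules


def dynamic_rules_with_untranslate_hits(rules):
    """Dynamic (PAT/hide) rules whose untranslate_hits is non-zero.

    A dynamic rule only builds xlates outbound, so a non-zero value here
    means an inbound-initiated connection (e.g. an active-mode FTP data
    channel admitted through an inspection pinhole) matched the rule."""
    return [r for r in rules if r["kind"] == "dynamic" and r["untranslate_hits"] > 0]


def counter_deltas(before, after):
    """Per-rule (translate, untranslate) increments between two snapshots,
    keyed by rule index; rules whose counters did not move are omitted."""
    prev = {r["idx"]: r for r in before}
    deltas = {}
    for r in after:
        p = prev.get(r["idx"])
        if p is None:
            continue
        dt = r["translate_hits"] - p["translate_hits"]
        du = r["untranslate_hits"] - p["untranslate_hits"]
        if dt or du:
            deltas[r["idx"]] = (dt, du)
    return deltas


if __name__ == "__main__":
    before = parse_show_nat(SNAPSHOT_BEFORE)
    after = parse_show_nat(SNAPSHOT_AFTER)
    for r in dynamic_rules_with_untranslate_hits(after):
        print(f"rule {r['idx']} ({r['real_if']}->{r['mapped_if']}) dynamic "
              f"with untranslate_hits={r['untranslate_hits']}: inbound session matched")
    for idx, (dt, du) in counter_deltas(before, after).items():
        print(f"rule {idx}: translate +{dt}, untranslate +{du}")
```

In practice the two snapshots come from the device (for example captured before and after opening the suspect FTP session), and the delta tells you which rule the data channel landed on and in which direction, which is exactly the check the thread performs by eye.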