Sanity check on ASA NAT processing??
JayrodEF
Member Posts: 111
Hello,
I'm working on an L2L VPN connection that isn't working, pretty sure it's on the remote end, but I wanted to see if I could get a sanity check on the packet trace. It has 3 phases (7, 8 and 9) that are of Type NAT and I've got old configuration in there, so I'm not sure if it's working as intended. I believe that it first processes the nat 0 and that is the NAT it goes with (so it doesn't NAT at all).
Traffic is from 10.0.0.1 to 172.30.0.19
This is the NAT I believe it's hitting:
nat (VPN-DMZ) 0 access-list no-nat
access-list no-nat extended permit ip any host 172.30.0.19
But I also have this:
access-list my-nat extended permit ip 10.0.0.0 255.0.0.0 172.30.0.16 255.255.255.248
nat (VPN-DMZ) 2 access-list my-nat
global (Outside) 2 1.2.3.4 netmask 255.255.255.255
Phase: 7
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
match ip VPN-DMZ any Outside host 172.30.0.19
NAT exempt
translate_hits = 155455, untranslate_hits = 1171
Additional Information:
Phase: 8
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (VPN-DMZ) 2 access-list my-nat
match ip VPN-DMZ 10.0.0.0 255.0.0.0 Outside 172.30.0.16 255.255.255.248
dynamic translation to pool 2 (1.2.3.4)
translate_hits = 1007, untranslate_hits = 0
Additional Information:
Phase: 9
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (VPN-DMZ) 2 access-list my-nat
match ip VPN-DMZ 10.0.0.0 255.0.0.0 Zone4 172.30.0.16 255.255.255.248
dynamic translation to pool 2 (No matching global)
translate_hits = 0, untranslate_hits = 0
Additional Information:
So, if it is indeed nat-exempt, why does it do the Phase 8 and confuse me?
Pretty sure from looking at the hits in the ACL that it processes the NAT statements in order so it's hitting the 0 first and not really doing anything with the NAT 2.
Thanks!
Comments
d4nz1g
Member Posts: 464
Do you need to NAT the traffic?
If so, configure a static NAT rule, since Static NAT has certain priority over dynamic NAT.
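To check the "nat 0 wins" reading of the trace and the priority point in the reply, here is an added model (written for this thread, not Cisco's code) that evaluates the thread's two NAT rules in the pre-8.3 ASA order of operations: NAT exemption, then static NAT, then policy dynamic NAT, then regular dynamic NAT. The interface names, pool and ACLs are taken from the post; the rule kinds and the ASA behaviour of matching by category before position are assumptions from the documented order, not from the page.

```python
import ipaddress

# Constructed from the thread's pre-8.3 config. Assumed precedence (lower wins),
# per the documented pre-8.3 ASA NAT order of operations:
PRIORITY = {"exempt": 0, "static": 1, "policy-dynamic": 2, "dynamic": 3}


def net(addr, mask="255.255.255.255"):
    """Turn an ACL 'host'/'any'/network+mask token into an ip_network."""
    if addr == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


# access-list no-nat extended permit ip any host 172.30.0.19
# access-list my-nat extended permit ip 10.0.0.0 255.0.0.0 172.30.0.16 255.255.255.248
ACLS = {
    "no-nat": [(net("any"), net("172.30.0.19"))],
    "my-nat": [(net("10.0.0.0", "255.0.0.0"), net("172.30.0.16", "255.255.255.248"))],
}

# (kind, nat id, ACL, global pool) for interface VPN-DMZ.
# nat (VPN-DMZ) 0 access-list no-nat            -> NAT exemption
# nat (VPN-DMZ) 2 access-list my-nat + global 2  -> policy dynamic NAT to 1.2.3.4
NAT_RULES = [
    ("policy-dynamic", 2, "my-nat", "1.2.3.4"),  # listed first on purpose:
    ("exempt", 0, "no-nat", None),               # category, not position, decides
]


def acl_permits(acl_name, src, dst):
    """True if any ACE in the named ACL matches the source/destination pair."""
    return any(src in s and dst in d for s, d in ACLS[acl_name])


def translate(src_ip, dst_ip):
    """Return (phase type, nat id, translated source) for a VPN-DMZ -> Outside flow."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for kind, nat_id, acl, pool in sorted(NAT_RULES, key=lambda r: PRIORITY[r[0]]):
        if acl_permits(acl, src, dst):
            if kind == "exempt":
                return ("NAT-EXEMPT", nat_id, src_ip)   # source left untouched
            return ("NAT", nat_id, pool)                # dynamic translation to pool
    return ("NONE", None, src_ip)                       # no NAT rule matched


if __name__ == "__main__":
    print(translate("10.0.0.1", "172.30.0.19"))   # the thread's flow: exempt, not NATed
    print(translate("10.0.0.1", "172.30.0.17"))   # same subnet, not in no-nat: NAT 2 applies
```

The second call shows why Phase 8 still appears in a trace: nat 2 remains a valid candidate for the /29, but for the exact host covered by no-nat the exemption is selected first.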