ciscoasa# show nat outside inside
ERROR: No matching NAT policy found
ciscoasa# show nat inside outside
  match ip inside any outside any
    dynamic translation to pool 1 (192.168.1.138 [Interface PAT])
    translate_hits = 88, untranslate_hits = 58

ciscoasa# packet-tracer input inside icmp 192.168.0.1 0 0 192.168.0.226 detail$

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.0.226   255.255.255.255 outside

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xab988178, priority=500, domain=permit, deny=true
        hits=3, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=192.168.0.1, mask=255.255.255.255, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

ciscoasa# packet-tracer input inside icmp 192.168.0.226 0 0 192.168.0.1 detail$

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.0.1   255.255.255.255 identity

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xab9831e8, priority=120, domain=permit, deny=false
        hits=3, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=1
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xab9840a0, priority=0, domain=inspect-ip-options, deny=true
        hits=119, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 4
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xab9838b8, priority=66, domain=inspect-icmp, deny=false
        hits=1, user_data=0xab9837a0, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xab983d38, priority=66, domain=inspect-icmp-error, deny=false
        hits=81, user_data=0xab983c20, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 6
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
  match ip inside any outside any
    dynamic translation to pool 1 (192.168.1.138 [Interface PAT])
    translate_hits = 107, untranslate_hits = 75
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xaba0baa8, priority=1, domain=host, deny=false
        hits=125, user_data=0xaba0b6b0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 7
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 328, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_inspect_icmp
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: allow

ciscoasa# packet-tracer input inside icmp 192.168.0.86 0 0 192.168.0.1 detailed

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.0.1   255.255.255.255 identity

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xab9831e8, priority=120, domain=permit, deny=false
        hits=4, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=1
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xab9840a0, priority=0, domain=inspect-ip-options, deny=true
        hits=123, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 4
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xab9838b8, priority=66, domain=inspect-icmp, deny=false
        hits=2, user_data=0xab9837a0, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xab983d38, priority=66, domain=inspect-icmp-error, deny=false
        hits=85, user_data=0xab983c20, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 6
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
  match ip inside any outside any
    dynamic translation to pool 1 (192.168.1.138 [Interface PAT])
    translate_hits = 110, untranslate_hits = 78
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xaba0baa8, priority=1, domain=host, deny=false
        hits=129, user_data=0xaba0b6b0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 7
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 337, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_inspect_icmp
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: allow

ciscoasa# packet-tracer input inside icmp 192.168.0.1 0 0 192.168.0.86 detailed

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.0.0   255.255.255.0 inside

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xab988178, priority=500, domain=permit, deny=true
        hits=4, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=192.168.0.1, mask=255.255.255.255, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

ciscoasa# packet-tracer input inside icmp 192.168.0.88 0 0 192.168.0.86 detail$

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.0.0   255.255.255.0 inside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_2 192.168.0.0 255.255.255.0 any
object-group protocol DM_INLINE_PROTOCOL_2
 protocol-object icmp
 protocol-object icmp6
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xaba0db18, priority=12, domain=permit, deny=false
        hits=85, user_data=0xa8b68d00, cs_id=0x0, flags=0x0, protocol=1
        src ip=192.168.0.0, mask=255.255.255.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xab9840a0, priority=0, domain=inspect-ip-options, deny=true
        hits=129, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 4
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xab983d38, priority=66, domain=inspect-icmp-error, deny=false
        hits=88, user_data=0xab983c20, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 5
Type: NAT
Subtype:
Result: DROP
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
  match ip inside any inside any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 8, untranslate_hits = 0
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xaba0c108, priority=1, domain=nat, deny=false
        hits=8, user_data=0xaba0c048, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

ciscoasa# packet-tracer input inside icmp 192.168.0.86 0 0 192.168.0.88 detail$

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.0.0   255.255.255.0 inside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_2 192.168.0.0 255.255.255.0 any
object-group protocol DM_INLINE_PROTOCOL_2
 protocol-object icmp
 protocol-object icmp6
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xaba0db18, priority=12, domain=permit, deny=false
        hits=86, user_data=0xa8b68d00, cs_id=0x0, flags=0x0, protocol=1
        src ip=192.168.0.0, mask=255.255.255.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xab9840a0, priority=0, domain=inspect-ip-options, deny=true
        hits=135, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 4
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xab983d38, priority=66, domain=inspect-icmp-error, deny=false
        hits=89, user_data=0xab983c20, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 5
Type: NAT
Subtype:
Result: DROP
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
  match ip inside any inside any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 9, untranslate_hits = 0
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xaba0c108, priority=1, domain=nat, deny=false
        hits=9, user_data=0xaba0c048, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

ciscoasa# packet-tracer input inside icmp 192.168.0.226 0 0 192.168.0.86 detai$

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.0.0   255.255.255.0 inside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_2 192.168.0.0 255.255.255.0 any
object-group protocol DM_INLINE_PROTOCOL_2
 protocol-object icmp
 protocol-object icmp6
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xaba0db18, priority=12, domain=permit, deny=false
        hits=88, user_data=0xa8b68d00, cs_id=0x0, flags=0x0, protocol=1
        src ip=192.168.0.0, mask=255.255.255.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xab9840a0, priority=0, domain=inspect-ip-options, deny=true
        hits=137, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 4
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xab983d38, priority=66, domain=inspect-icmp-error, deny=false
        hits=91, user_data=0xab983c20, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 5
Type: NAT
Subtype:
Result: DROP
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
  match ip inside any inside any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 10, untranslate_hits = 0
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xaba0c108, priority=1, domain=nat, deny=false
        hits=10, user_data=0xaba0c048, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

ciscoasa# packet-tracer input inside icmp 192.168.0.86 0 0 192.168.0.226 detai$

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.0.226   255.255.255.255 outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_2 192.168.0.0 255.255.255.0 any
object-group protocol DM_INLINE_PROTOCOL_2
 protocol-object icmp
 protocol-object icmp6
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xaba0db18, priority=12, domain=permit, deny=false
        hits=90, user_data=0xa8b68d00, cs_id=0x0, flags=0x0, protocol=1
        src ip=192.168.0.0, mask=255.255.255.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xab9840a0, priority=0, domain=inspect-ip-options, deny=true
        hits=139, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 4
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xab983d38, priority=66, domain=inspect-icmp-error, deny=false
        hits=93, user_data=0xab983c20, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 5
Type: NAT
Subtype:
Result: DROP
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
  match ip inside any outside any
    dynamic translation to pool 1 (192.168.1.138 [Interface PAT])
    translate_hits = 120, untranslate_hits = 81
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xaba0b770, priority=1, domain=nat, deny=false
        hits=120, user_data=0xaba0b6b0, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

ciscoasa# ping outside 192.168.0.226
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.226, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/26/100 ms
ciscoasa# ping inside 192.168.0.226
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.226, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
ciscoasa# ping outside 192.168.0.86
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.86, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
ciscoasa# ping inside 192.168.0.86
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.86, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ciscoasa# ping inside 192.168.0.226
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.226, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
ciscoasa# ping outside 192.168.0.226
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.226, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/28/120 ms