<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Hidden (default) NAT-Rule? in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/solved-hidden-default-nat-rule/m-p/4523954#M1086051</link>
    <description>&lt;PRE&gt;Manual NAT Policies (Section 1)
1 (dmz) to (outside) source static transfer-net transfer-net  destination static Server-Net Server-Net no-proxy-arp route-lookup
    translate_hits = 39127, untranslate_hits = 39127
    Source - Origin: 192.168.113.0/24, Translated: 192.168.113.0/24
    Destination - Origin: 10.11.120.0/22, Translated: 10.11.120.0/22
2 (dmz) to (outside) source static transfer-net transfer-net  destination static admin-net admin-net no-proxy-arp route-lookup
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 192.168.113.0/24, Translated: 192.168.113.0/24
    Destination - Origin: 10.11.150.0/24, Translated: 10.11.150.0/24
3 (inside) to (outside) source static inside-net inside-net  destination static Server-Net Server-Net no-proxy-arp route-lookup
    translate_hits = 164919, untranslate_hits = 261328
    Source - Origin: 192.168.13.0/24, Translated: 192.168.13.0/24
    Destination - Origin: 10.11.120.0/22, Translated: 10.11.120.0/22
4 (inside) to (outside) source static inside-net inside-net  destination static admin-net admin-net no-proxy-arp route-lookup
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 192.168.13.0/24, Translated: 192.168.13.0/24
    Destination - Origin: 10.11.150.0/24, Translated: 10.11.150.0/24
5 (inside) to (outside) source static inside-net inside-net  destination static TK-Net TK-Net no-proxy-arp route-lookup
    translate_hits = 1, untranslate_hits = 2
    Source - Origin: 192.168.13.0/24, Translated: 192.168.13.0/24
    Destination - Origin: 10.11.102.0/24, Translated: 10.11.102.0/24

Auto NAT Policies (Section 2)
1 (inside) to (outside) source dynamic tk01 interface
    translate_hits = 1243, untranslate_hits = 48
    Source - Origin: 192.168.13.10/32, Translated: 87.139.216.XXX/32
2 (dmz) to (outside) source dynamic sunny-box interface
    translate_hits = 336, untranslate_hits = 0
    Source - Origin: 192.168.113.20/32, Translated: 87.139.216.XXX/32
3 (dmz) to (outside) source dynamic protone-nat interface
    translate_hits = 2, untranslate_hits = 0
    Source - Origin: 192.168.113.21/32, Translated: 87.139.216.XXX/32
4 (inside) to (outside) source dynamic Telefone interface
    translate_hits = 1273, untranslate_hits = 47
    Source - Origin: 192.168.13.150-192.168.13.170, Translated: 87.139.216.XXX/32
5 (Hotspot) to (outside) source dynamic hotspot interface
    translate_hits = 3799, untranslate_hits = 31
    Source - Origin: 10.11.50.0/24, Translated: 87.139.216.XXX/32&lt;/PRE&gt;&lt;P&gt;&amp;nbsp;I tested with source IP 192.168.113.7.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I manually migrated this config from an ASA 5505. I removed the bridge interface config.&lt;/P&gt;</description>
    <pubDate>Mon, 27 Dec 2021 10:12:27 GMT</pubDate>
    <dc:creator>kroerig</dc:creator>
    <dc:date>2021-12-27T10:12:27Z</dc:date>
    <item>
      <title>[SOLVED] Hidden (default) NAT-Rule?</title>
      <link>https://community.cisco.com/t5/network-security/solved-hidden-default-nat-rule/m-p/4523949#M1086049</link>
      <description>&lt;P&gt;Hello,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;are there any hidden (default) NAT rules on an ASA 5506-X with software 9.14?&lt;/P&gt;&lt;P&gt;I didn't configure any NAT rules but any device on the inside net can access the outside network.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;packet trace says:&lt;/P&gt;&lt;PRE&gt;Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7f870f22e200, priority=1, domain=permit, deny=false
        hits=1654056, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000
        input_ifc=inside, output_ifc=any

Phase: 2
Type: INPUT-ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
Found next-hop 62.156.244.XXX using egress ifc  outside

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7f870de469c0, priority=0, domain=nat-per-session, deny=false
        hits=266366, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7f870f235880, priority=0, domain=inspect-ip-options, deny=true
        hits=38871, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=inside, output_ifc=any

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0x7f870de469c0, priority=0, domain=nat-per-session, deny=false
        hits=266368, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0x7f870f131390, priority=0, domain=inspect-ip-options, deny=true
        hits=332920, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=outside, output_ifc=any

Phase: 7
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 246500, packet dispatched to next module
Module information for forward flow ...
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Module information for reverse flow ...
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Phase: 8
Type: INPUT-ROUTE-LOOKUP-FROM-OUTPUT-ROUTE-LOOKUP
Subtype: Resolve Preferred Egress interface
Result: ALLOW
Config:
Additional Information:
Found next-hop 62.156.244.XXX using egress ifc  outside

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow&lt;/PRE&gt;&lt;P&gt;But there is no NAT rule for the inside network, so why does NAT happen?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thanks,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Klaus&lt;/P&gt;</description>
      <pubDate>Mon, 27 Dec 2021 11:57:06 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/solved-hidden-default-nat-rule/m-p/4523949#M1086049</guid>
      <dc:creator>kroerig</dc:creator>
      <dc:date>2021-12-27T11:57:06Z</dc:date>
    </item>
    <item>
      <title>Re: Hidden (default) NAT-Rule?</title>
      <link>https://community.cisco.com/t5/network-security/solved-hidden-default-nat-rule/m-p/4523952#M1086050</link>
      <description>&lt;P&gt;&lt;a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/541771"&gt;@kroerig&lt;/a&gt; is this a fresh install of ASA software and did you run through the wizard to complete the setup?&lt;/P&gt;
&lt;P&gt;Can you provide the output of "show nat detail".&lt;/P&gt;</description>
      <pubDate>Mon, 27 Dec 2021 09:57:20 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/solved-hidden-default-nat-rule/m-p/4523952#M1086050</guid>
      <dc:creator>Rob Ingram</dc:creator>
      <dc:date>2021-12-27T09:57:20Z</dc:date>
    </item>
    <item>
      <title>Re: Hidden (default) NAT-Rule?</title>
      <link>https://community.cisco.com/t5/network-security/solved-hidden-default-nat-rule/m-p/4523954#M1086051</link>
      <description>&lt;PRE&gt;Manual NAT Policies (Section 1)
1 (dmz) to (outside) source static transfer-net transfer-net  destination static Server-Net Server-Net no-proxy-arp route-lookup
    translate_hits = 39127, untranslate_hits = 39127
    Source - Origin: 192.168.113.0/24, Translated: 192.168.113.0/24
    Destination - Origin: 10.11.120.0/22, Translated: 10.11.120.0/22
2 (dmz) to (outside) source static transfer-net transfer-net  destination static admin-net admin-net no-proxy-arp route-lookup
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 192.168.113.0/24, Translated: 192.168.113.0/24
    Destination - Origin: 10.11.150.0/24, Translated: 10.11.150.0/24
3 (inside) to (outside) source static inside-net inside-net  destination static Server-Net Server-Net no-proxy-arp route-lookup
    translate_hits = 164919, untranslate_hits = 261328
    Source - Origin: 192.168.13.0/24, Translated: 192.168.13.0/24
    Destination - Origin: 10.11.120.0/22, Translated: 10.11.120.0/22
4 (inside) to (outside) source static inside-net inside-net  destination static admin-net admin-net no-proxy-arp route-lookup
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 192.168.13.0/24, Translated: 192.168.13.0/24
    Destination - Origin: 10.11.150.0/24, Translated: 10.11.150.0/24
5 (inside) to (outside) source static inside-net inside-net  destination static TK-Net TK-Net no-proxy-arp route-lookup
    translate_hits = 1, untranslate_hits = 2
    Source - Origin: 192.168.13.0/24, Translated: 192.168.13.0/24
    Destination - Origin: 10.11.102.0/24, Translated: 10.11.102.0/24

Auto NAT Policies (Section 2)
1 (inside) to (outside) source dynamic tk01 interface
    translate_hits = 1243, untranslate_hits = 48
    Source - Origin: 192.168.13.10/32, Translated: 87.139.216.XXX/32
2 (dmz) to (outside) source dynamic sunny-box interface
    translate_hits = 336, untranslate_hits = 0
    Source - Origin: 192.168.113.20/32, Translated: 87.139.216.XXX/32
3 (dmz) to (outside) source dynamic protone-nat interface
    translate_hits = 2, untranslate_hits = 0
    Source - Origin: 192.168.113.21/32, Translated: 87.139.216.XXX/32
4 (inside) to (outside) source dynamic Telefone interface
    translate_hits = 1273, untranslate_hits = 47
    Source - Origin: 192.168.13.150-192.168.13.170, Translated: 87.139.216.XXX/32
5 (Hotspot) to (outside) source dynamic hotspot interface
    translate_hits = 3799, untranslate_hits = 31
    Source - Origin: 10.11.50.0/24, Translated: 87.139.216.XXX/32&lt;/PRE&gt;&lt;P&gt;&amp;nbsp;I tested with source IP 192.168.113.7.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I manually migrated this config from an ASA 5505. I removed the bridge interface config.&lt;/P&gt;</description>
      <pubDate>Mon, 27 Dec 2021 10:12:27 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/solved-hidden-default-nat-rule/m-p/4523954#M1086051</guid>
      <dc:creator>kroerig</dc:creator>
      <dc:date>2021-12-27T10:12:27Z</dc:date>
    </item>
    <item>
      <title>Re: Hidden (default) NAT-Rule?</title>
      <link>https://community.cisco.com/t5/network-security/solved-hidden-default-nat-rule/m-p/4523990#M1086052</link>
      <description>&lt;P&gt;OK. My mistake. Everything's fine. Packet-trace is of course right. The packet is allowed to exit the outside interface, there's no NAT.&lt;/P&gt;</description>
      <pubDate>Mon, 27 Dec 2021 11:56:41 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/solved-hidden-default-nat-rule/m-p/4523990#M1086052</guid>
      <dc:creator>kroerig</dc:creator>
      <dc:date>2021-12-27T11:56:41Z</dc:date>
    </item>
  </channel>
</rss>

