https://community.cisco.com/t5/network-security/un-nat-question/m-p/2257194#M346136 <HTML><HEAD></HEAD><BODY><P>thank you!</P></BODY></HTML> Sun, 21 Jul 2013 13:41:59 GMT WStoffel1 2013-07-21T13:41:59Z https://community.cisco.com/t5/network-security/un-nat-question/m-p/2257192#M346134 <P>I know you'll probably need more but i havent seen an UNnat before.&nbsp; I made some changes to allow the two networks to talk on my asa.&nbsp; the result is it works.&nbsp; The Un-Nat in phase 3 three sort of threw me for a loop.&nbsp; I was hoping someone could just explain whats happening based on the below:</P><P></P><P>packet-tracer input exchange tcp 192.168.180.11 32000 192.168.139.6 25</P><P></P><P>Phase: 1</P><P>Type: ACCESS-LIST</P><P>Subtype:</P><P>Result: ALLOW</P><P>Config:</P><P>Implicit Rule</P><P>Additional Information:</P><P>MAC Access list</P><P></P><P>Phase: 2</P><P>Type: FLOW-LOOKUP</P><P>Subtype:</P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P>Found no matching flow, creating a new flow</P><P></P><P>Phase: 3</P><P>Type: UN-NAT</P><P>Subtype: static</P><P>Result: ALLOW</P><P>Config:</P><P>static (lvbw,Exchange) 192.168.139.0 192.168.139.0 netmask 255.255.255.0</P><P>&nbsp; match ip lvbw 192.168.139.0 255.255.255.0 HostedExchange any</P><P>&nbsp;&nbsp;&nbsp; static translation to 192.168.139.0</P><P>&nbsp;&nbsp;&nbsp; translate_hits = 29, untranslate_hits = 51</P><P>Additional Information:</P><P>NAT divert to egress interface lvbw</P><P>Untranslate 192.168.139.0/0 to 192.168.139.0/0 using netmask 255.255.255.0</P><P></P><P></P><P>Thanks!</P> Tue, 12 Mar 2019 02:14:30 GMT https://community.cisco.com/t5/network-security/un-nat-question/m-p/2257192#M346134 WStoffel1 2019-03-12T02:14:30Z https://community.cisco.com/t5/network-security/un-nat-question/m-p/2257193#M346135 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>To my understanding UN-NAT Phase always happen when you have a translation configured for the destination IP address. You are essentially targeting an IP address that is a NAT IP address configured on the firewall.</P><P></P><P>So a <STRONG>"packet-tracer"</STRONG> command using a destination IP address used in a Static NAT for a server would produce the same type of output.</P><P></P><P>What you are doing above is basically Static Identity NAT. The network used in the command is translated into itself. The most typical use for this is usually to enable communication between different Cisco firewall interfaces.</P><P></P><P>Depending on setup you might actually see 2 different translations in the same <STRONG>"packet-tracer"</STRONG> output. This happens when you are doing NAT for both the source and the destination host of the <STRONG>"packet-tracer"</STRONG> command.</P><P></P><P>- Jouni</P></BODY></HTML> Fri, 19 Jul 2013 14:29:25 GMT https://community.cisco.com/t5/network-security/un-nat-question/m-p/2257193#M346135 Jouni Forss 2013-07-19T14:29:25Z https://community.cisco.com/t5/network-security/un-nat-question/m-p/2257194#M346136 <HTML><HEAD></HEAD><BODY><P>thank you!</P></BODY></HTML> Sun, 21 Jul 2013 13:41:59 GMT https://community.cisco.com/t5/network-security/un-nat-question/m-p/2257194#M346136 WStoffel1 2013-07-21T13:41:59Z