https://community.cisco.com/t5/network-security/regarding-asa/m-p/2795850#M415638 <P>Hi Akash,&nbsp;</P> <P></P> <P>Looks like you have a bunch of NATs configured that &nbsp;might be overlapping this entry and casuing that error. Try adding the "route-lookup" keyword at the end of the NAts that contain the same subnet or have the "any" statement.&nbsp;</P> <P></P> <P>Hope it helps</P> <P>-Randy-</P> Sat, 05 Dec 2015 00:45:41 GMT rvarelac 2015-12-05T00:45:41Z https://community.cisco.com/t5/network-security/regarding-asa/m-p/2795849#M415637 <P>I am having a issue to undertand the NATTING in ASA, below is the issue which i am having as of now.</P> <P></P> <P></P> <P></P> <P>getting drop:- can you please go through it and let me know what can be the issue</P> <P></P> <P>packet-tracer input outside tcp 166.77.235.144 2020 166.77.174.123 123<BR /><BR />Phase: 1<BR />Type: ROUTE-LOOKUP<BR />Subtype: Resolve Egress Interface<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR />found next-hop 166.77.35.2 using egress ifc&nbsp; inside<BR /><BR />Phase: 2<BR />Type: ACCESS-LIST<BR />Subtype: log<BR />Result: ALLOW<BR />Config:<BR />access-group acl-outside in interface outside<BR />access-list acl-outside extended permit ip host 166.77.235.144 host 166.77.174.123<BR />Additional Information:<BR /><BR />Phase: 3<BR />Type: NAT<BR />Subtype: per-session<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR /><BR />Phase: 4<BR />Type: IP-OPTIONS<BR />Subtype:<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR /><BR />Phase: 5<BR />Type: FOVER<BR />Subtype: standby-update<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR /><BR />Phase: 6<BR />Type: VPN<BR />Subtype: ipsec-tunnel-flow<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR /><BR />Phase: 7<BR />Type: CONN-SETTINGS<BR />Subtype:<BR />Result: ALLOW<BR />Config:<BR />class-map RT881625<BR />&nbsp;match access-list rt881625-conns-acl<BR />policy-map RT881625-conns<BR />&nbsp;class RT881625<BR />&nbsp; set connection conn-max 0 embryonic-conn-max 0 random-sequence-number enable<BR />service-policy RT881625-conns interface inside<BR />Additional Information:<BR /><BR />Phase: 8<BR />Type: NAT<BR />Subtype: rpf-check<BR />Result: DROP<BR />Config:<BR />object network natobj-166.77.0.0-16<BR />&nbsp;nat (inside,outside) dynamic pat-pool natobj-default-natpool<BR />Additional Information:<BR /><BR />Result:<BR />input-interface: outside<BR />input-status: up<BR />input-line-status: up<BR />output-interface: inside<BR />output-status: up<BR />output-line-status: up<BR />Action: drop<BR />Drop-reason: (acl-drop) Flow is denied by configured rule</P> <P></P> <P></P> <P>====================</P> <P>nat (inside,outside) source dynamic natobj-via-axciom natobj-axciom-natpool destination static natobj-axiom-nets natobj-axiom-nets<BR />nat (dmz-dot12,outside) source static natobj-src-166.77.12.0-22 natobj-src-166.77.12.0-22 destination static natobj-dst-a2m natobj-dst-a2m<BR />nat (dmz-dot12,outside) source dynamic natobj-src-166.77.12.0-22 natobj-global-nat destination static natobj-dst-hosting natobj-dst-hosting<BR />nat (dmz-dot9,outside) source dynamic natobj-src-166.77.9.0-24 natobj-global-nat destination static natobj-dst-hosting natobj-dst-hosting<BR />nat (outside,outside) source dynamic natobj-vpn-pool-uturn pat-pool natobj-default-natpool destination static natobj-dst-nets-uturn natobj-dst-nets-uturn<BR />nat (outside,outside) source static servicenow-natobj-src-nets-uturn servicenow-natobj-src-nets-uturn destination static servicenow-natobj-dst-nets-uturn servicenow-natobj-dst-nets-uturn<BR />nat (outside,outside) source static redspace-172.18.0.80 default-natpool-1 destination static wordpress-129.228.35.64 wordpress-129.228.35.64<BR />nat (outside,outside) source static redspace-172.18.0.80 default-natpool-1 destination static 129.228.0.0 129.228.0.0<BR />nat (inside,outside) source static any any destination static redspace-172.18.0.80 redspace-172.18.0.80<BR />nat (inside,outside) source dynamic natobj-src-oneoffs pat-pool natobj-global-oneoffs<BR />nat (inside,outside) source dynamic any pat-pool natobj-global-oneoffs destination static natobj-dst-oneoffs natobj-dst-oneoffs<BR />nat (outside,outside) source static VPN_Hairpin VPN_Hairpin destination static VPN_Hairpin VPN_Hairpin<BR />nat (inside,outside) source static natobj-src-tacacs natobj-src-tacacs destination static natobj-dst-tacas-devices natobj-dst-tacas-devices<BR />nat (inside,outside) source static singapore-dr-us singapore-dr-us destination static singapore-dr-asia singapore-dr-asia<BR />nat (dmz-dot12,outside) source static natobj-src-a2m natobj-src-a2m destination static natobj-dst-a2m natobj-dst-a2m route-lookup<BR />nat (inside,outside) source static natobj-src-local-nets natobj-src-local-nets destination static natobj-dst-vpn-lan-to-lan-new natobj-dst-vpn-lan-to-lan-new<BR />nat (dmz-dot8,outside) source static natobj-src-larsentoubro-local natobj-src-larsentoubro-local destination static natobj-dst-larsentoubro-remote natobj-dst-larsentoubro-remote<BR />nat (inside,outside) source static natobj-src-local-nets natobj-src-local-nets destination static natobj-dst-vpn-lan-to-lan natobj-dst-vpn-lan-to-lan<BR />nat (inside,outside) source static natobj-src-network-tools natobj-src-network-tools destination static natobj-dst-network-devices natobj-dst-network-devices<BR />nat (inside,outside) source static pp-cl1-10-6-0-0 pp-cl1-10-6-0-0 destination static pp-bet-172-20-20-0 pp-bet-172-20-20-0<BR />nat (inside,dmz-paramount) source static obj-1515-52fl-printers obj-1515-52fl-printers destination static obj-ppc-192-168-148-0 obj-ppc-192-168-148-0<BR />nat (inside,outside) source static obj-10-0-0-0-24 obj-10-0-0-0-24 destination static obj-no-nat-bet obj-no-nat-bet<BR />nat (inside,dmz-paramount) source static obj-no-nat-to-ppc obj-no-nat-to-ppc destination static obj-ppc-no-nat obj-ppc-no-nat<BR />nat (inside,outside) source static natobj-172.16.0.0-12 166.77.6.4 destination static SterlingASA SterlingASA<BR />nat (inside,dmz-paramount) source dynamic any interface<BR />nat (inside,outside) source static natobj-166.77.0.0-16 166.77.6.4 destination static SterlingASA SterlingASA<BR />nat (inside,outside) source static xbox-166.77.216.203 xbox-166.77.216.203<BR />nat (inside,outside) source static xbox-216-184 xbox-public-6-218<BR />nat (inside,outside) source dynamic any pat-pool nielsen-vpn-local destination static nielsen-vpn-remote nielsen-vpn-remote<BR />nat (inside,dmz-paramount) source static natobj-src-viacom-no-nat natobj-src-viacom-no-nat destination static natobj-dst-paramount-no-nat natobj-dst-paramount-no-nat<BR />nat (inside,outside) source static natobj-src-166.77.200.105 natobj-src-166.77.200.105 destination static 69.195.244.235 69.195.244.235<BR />nat (inside,outside) source static 166.77.200.57 166.77.200.57 destination static 69.195.244.235 69.195.244.235<BR />nat (inside,dmz-dot5) source static RFC-1918-Addresses RFC-1918-Addresses destination static DMZ-Networks DMZ-Networks<BR />nat (inside,dmz-dot7) source static RFC-1918-Addresses RFC-1918-Addresses destination static DMZ-Networks DMZ-Networks<BR />nat (inside,dmz-dot9) source static RFC-1918-Addresses RFC-1918-Addresses destination static DMZ-Networks DMZ-Networks<BR />nat (inside,dmz-dot11) source static RFC-1918-Addresses RFC-1918-Addresses destination static DMZ-Networks DMZ-Networks<BR />nat (inside,dmz-dot12) source static RFC-1918-Addresses RFC-1918-Addresses destination static DMZ-Networks DMZ-Networks<BR />nat (inside,outside) source static 166.77.186.224 166.77.186.224 destination static 69.195.244.238 69.195.244.238<BR />nat (inside,outside) source static natobj-src-166.77.200.105 natobj-src-166.77.200.105 destination static 69.195.244.238 69.195.244.238<BR />nat (inside,outside) source static 166.77.199.147 166.77.199.147 destination static 172.20.90.0 172.20.90.0<BR />nat (inside,outside) source static 166.77.199.223 166.77.199.223 destination static 172.20.90.0 172.20.90.0<BR />nat (inside,outside) source static NATPOOL-166.77.35.128 NATPOOL-166.77.35.128 destination static 69.195.244.235 69.195.244.235<BR />nat (dmz-lb-dmz,outside) source static natobj-src-local-nets natobj-src-local-nets destination static natobj-dst-larsentoubro-remote natobj-dst-larsentoubro-remote<BR />nat (inside,outside) source static 10.40.122.20 10.40.122.20 destination static SterlingDECRU SterlingDECRU<BR />nat (inside,outside) source static 10.40.122.21 10.40.122.21 destination static SterlingDECRU SterlingDECRU<BR />nat (inside,outside) source dynamic any pat-pool natobj-global-bluejeans destination static GLB-bluejeans-nets GLB-bluejeans-nets<BR />nat (inside,outside) source static any any destination static NETWORK_OBJ_172.18.251.0_24 NETWORK_OBJ_172.18.251.0_24 no-proxy-arp route-lookup<BR />nat (inside,outside) source static natobj-src-local-nets natobj-src-local-nets destination static natobj-dst-aws-servers natobj-dst-aws-servers<BR />nat (inside,outside) source static Jenkins_Server Jenkins_Server destination static DMQA_Network DMQA_Network<BR />nat (outside,outside) source static redspace-172.18.0.80 default-natpool-1 destination static 129.228.31.145 129.228.31.145<BR />nat (inside,outside) source static VPN-Wireless_Pools-DMQA VPN-Wireless_Pools-DMQA destination static DMQA_Router DMQA_Router<BR />nat (inside,outside) source static obj_166.77.185.13 obj_166.77.185.13 destination static DMQA_Router DMQA_Router<BR />nat (inside,outside) source static obj_166.77.185.14 obj_166.77.185.14 destination static DMQA_Router DMQA_Router<BR />nat (inside,outside) source static obj_166.77.185.15 obj_166.77.185.15 destination static DMQA_Router DMQA_Router<BR />nat (inside,outside) source static obj_166.77.185.123 obj_166.77.185.123 destination static DMQA_Router DMQA_Router<BR />nat (inside,outside) source static obj_166.77.185.124 obj_166.77.185.124 destination static DMQA_Router DMQA_Router<BR />nat (inside,outside) source static obj_166.77.206.28 obj_166.77.206.28 destination static DMQA_Router DMQA_Router<BR />nat (inside,outside) source static natobj-src-sap natobj-src-sap<BR />nat (inside,outside) source static natobj-src-sap natobj-src-sap destination static natobj-src-sap natobj-src-sap<BR />nat (inside,outside) source static obj_imailrelay-server obj_imailrelay-server destination static DMQA_Router DMQA_Router<BR />!<BR />object network natobj-172.18.3.0-25<BR />&nbsp;nat (dmz-corpvpn,outside) dynamic pat-pool natobj-default-natpool<BR />object network natobj-10.10.4.0-24<BR />&nbsp;nat (inside,outside) dynamic pat-pool natobj-default-natpool<BR />object network natobj-192.21.120.0-23<BR />&nbsp;nat (inside,outside) dynamic pat-pool natobj-default-natpool<BR />object network natobj-166.77.0.0-16</P> Fri, 21 Feb 2020 13:37:52 GMT https://community.cisco.com/t5/network-security/regarding-asa/m-p/2795849#M415637 akash.deep 2020-02-21T13:37:52Z https://community.cisco.com/t5/network-security/regarding-asa/m-p/2795850#M415638 <P>Hi Akash,&nbsp;</P> <P></P> <P>Looks like you have a bunch of NATs configured that &nbsp;might be overlapping this entry and casuing that error. Try adding the "route-lookup" keyword at the end of the NAts that contain the same subnet or have the "any" statement.&nbsp;</P> <P></P> <P>Hope it helps</P> <P>-Randy-</P> Sat, 05 Dec 2015 00:45:41 GMT https://community.cisco.com/t5/network-security/regarding-asa/m-p/2795850#M415638 rvarelac 2015-12-05T00:45:41Z