<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Nat issue in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/nat-issue/m-p/1958528#M440232</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hello,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Is the server on the telenorguest interface?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;And you want to access it from languest interface, to need to nat the server for the telenorguest to see it.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Try with this static:&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;static (telenorguest,languest) 10.47.47.80 10.47.47.80&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Let me know if this works for you&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Fri, 29 Jun 2012 14:52:58 GMT</pubDate>
    <dc:creator>alejands</dc:creator>
    <dc:date>2012-06-29T14:52:58Z</dc:date>
    <item>
      <title>Nat issue</title>
      <link>https://community.cisco.com/t5/network-security/nat-issue/m-p/1958527#M440231</link>
      <description>&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I am having a NAT issue an I am not sure what is going on.&amp;nbsp; I have tried configuring nat exempt but that didn't solve the issue.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;ASA 5520 &lt;/P&gt;&lt;P&gt;version 8.2&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;My client has the inside network on interface gig0/1.100 and the guest network on gig0/2.200.&amp;nbsp; The whole 10.77.1.0/24 network needs to be able to reach the server with IP 10.47.47.80 using HTTP.&amp;nbsp; The access list is in place ont the guest interface to allow traffic to the server.&amp;nbsp; The problem is that when I do a packet trace to see the traffic flow, it is dropped on a NAT rpf-check. &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;NAT control is disabled.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;fw-001# packet-tracer input languest tcp 10.77.1.2 4444 10.47.47.80 www detail&lt;/P&gt;&lt;P&gt;Phase: 1&lt;BR /&gt;Type: FLOW-LOOKUP&lt;BR /&gt;Subtype:&lt;BR /&gt;Result: ALLOW&lt;BR /&gt;Config:&lt;BR /&gt;Additional Information:&lt;BR /&gt;Found no matching flow, creating a new flow&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Phase: 2&lt;BR /&gt;Type: ROUTE-LOOKUP&lt;BR /&gt;Subtype: input&lt;BR /&gt;Result: ALLOW&lt;BR /&gt;Config:&lt;BR /&gt;Additional Information:&lt;BR /&gt;in&amp;nbsp;&amp;nbsp; 10.47.32.0&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; 255.255.224.0&amp;nbsp;&amp;nbsp; inside&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Phase: 3&lt;BR /&gt;Type: ROUTE-LOOKUP&lt;BR /&gt;Subtype: input&lt;BR /&gt;Result: ALLOW&lt;BR /&gt;Config:&lt;BR /&gt;Additional Information:&lt;BR /&gt;in&amp;nbsp;&amp;nbsp; 10.77.1.0&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; 255.255.255.0&amp;nbsp;&amp;nbsp; languest&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Phase: 4&lt;BR /&gt;Type: ACCESS-LIST&lt;BR /&gt;Subtype: log&lt;BR /&gt;Result: ALLOW&lt;BR /&gt;Config:&lt;BR /&gt;access-group languest in interface languest&lt;BR /&gt;access-list languest extended permit tcp 10.77.0.0 255.255.0.0 host 10.47.47.80 eq www&lt;BR /&gt;Additional Information:&lt;BR /&gt;Forward Flow based lookup yields rule:&lt;BR /&gt;in&amp;nbsp; id=0xcf9a8d68, priority=12, domain=permit, deny=false&lt;BR /&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; hits=24, user_data=0xca3a2880, cs_id=0x0, flags=0x0, protocol=6&lt;BR /&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; src ip=10.77.0.0, mask=255.255.0.0, port=0&lt;BR /&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; dst ip=10.47.47.80, mask=255.255.255.255, port=80, dscp=0x0&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Phase: 5&lt;BR /&gt;Type: IP-OPTIONS&lt;BR /&gt;Subtype:&lt;BR /&gt;Result: ALLOW&lt;BR /&gt;Config:&lt;BR /&gt;Additional Information:&lt;BR /&gt;Forward Flow based lookup yields rule:&lt;BR /&gt;in&amp;nbsp; id=0xcccf80d0, priority=0, domain=inspect-ip-options, deny=true&lt;BR /&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; hits=20976, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0&lt;BR /&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; src ip=0.0.0.0, mask=0.0.0.0, port=0&lt;BR /&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Phase: 6&lt;BR /&gt;Type: FOVER&lt;BR /&gt;Subtype: standby-update&lt;BR /&gt;Result: ALLOW&lt;BR /&gt;Config:&lt;BR /&gt;Additional Information:&lt;BR /&gt;Forward Flow based lookup yields rule:&lt;BR /&gt;in&amp;nbsp; id=0xcc9d9560, priority=21, domain=lu, deny=true&lt;BR /&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; hits=29, user_data=0x0, cs_id=0x0, flags=0x0, protocol=6&lt;BR /&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; src ip=0.0.0.0, mask=0.0.0.0, port=0&lt;BR /&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; dst ip=0.0.0.0, mask=0.0.0.0, port=80, dscp=0x0&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Phase: 7&lt;BR /&gt;Type: NAT&lt;BR /&gt;Subtype: host-limits&lt;BR /&gt;Result: ALLOW&lt;BR /&gt;Config:&lt;BR /&gt;static (languest,telenorguest) 10.77.1.0 10.77.1.0 netmask 255.255.255.0&lt;BR /&gt;&amp;nbsp; match ip languest 10.77.1.0 255.255.255.0 telenorguest any&lt;BR /&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; static translation to 10.77.1.0&lt;BR /&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; translate_hits = 3682, untranslate_hits = 6954&lt;BR /&gt;Additional Information:&lt;BR /&gt;Forward Flow based lookup yields rule:&lt;BR /&gt;in&amp;nbsp; id=0xccd78a00, priority=5, domain=host, deny=false&lt;BR /&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; hits=16886022, user_data=0xccd783c0, cs_id=0x0, reverse, flags=0x0, protocol=0&lt;BR /&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; src ip=10.77.1.0, mask=255.255.255.0, port=0&lt;BR /&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Phase: 8&lt;BR /&gt;Type: NAT&lt;BR /&gt;Subtype: rpf-check&lt;BR /&gt;Result: DROP&lt;BR /&gt;Config:&lt;BR /&gt;nat (inside) 1 0.0.0.0 0.0.0.0&lt;BR /&gt;&amp;nbsp; match ip inside any languest any&lt;BR /&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;STRONG&gt;dynamic translation to pool 1 (No matching global)&lt;/STRONG&gt;&lt;BR /&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; translate_hits = 0, untranslate_hits = 0&lt;BR /&gt;Additional Information:&lt;BR /&gt;Forward Flow based lookup yields rule:&lt;BR /&gt;out id=0xccd6e600, priority=1, domain=nat-reverse, deny=false&lt;BR /&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; hits=25, user_data=0xccd6e390, cs_id=0x0, flags=0x0, protocol=0&lt;BR /&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; src ip=0.0.0.0, mask=0.0.0.0, port=0&lt;BR /&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Result:&lt;BR /&gt;input-interface: languest&lt;BR /&gt;input-status: up&lt;BR /&gt;input-line-status: up&lt;BR /&gt;output-interface: inside&lt;BR /&gt;output-status: up&lt;BR /&gt;output-line-status: up&lt;BR /&gt;Action: drop&lt;BR /&gt;Drop-reason: (acl-drop) Flow is denied by configured rule&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Any ideas why this is happening?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thanks&lt;/P&gt;</description>
      <pubDate>Mon, 11 Mar 2019 23:24:41 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/nat-issue/m-p/1958527#M440231</guid>
      <dc:creator>CiscoNutt</dc:creator>
      <dc:date>2019-03-11T23:24:41Z</dc:date>
    </item>
    <item>
      <title>Nat issue</title>
      <link>https://community.cisco.com/t5/network-security/nat-issue/m-p/1958528#M440232</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hello,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Is the server on the telenorguest interface?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;And you want to access it from languest interface, to need to nat the server for the telenorguest to see it.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Try with this static:&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;static (telenorguest,languest) 10.47.47.80 10.47.47.80&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Let me know if this works for you&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 29 Jun 2012 14:52:58 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/nat-issue/m-p/1958528#M440232</guid>
      <dc:creator>alejands</dc:creator>
      <dc:date>2012-06-29T14:52:58Z</dc:date>
    </item>
    <item>
      <title>Nat issue</title>
      <link>https://community.cisco.com/t5/network-security/nat-issue/m-p/1958529#M440233</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt; Ugh!!! so simple.&amp;nbsp; I should have thought of that.&amp;nbsp; thanks &lt;span class="lia-unicode-emoji" title=":slightly_smiling_face:"&gt;🙂&lt;/span&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;if it wasn't obvious, it worked.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 29 Jun 2012 15:01:21 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/nat-issue/m-p/1958529#M440233</guid>
      <dc:creator>CiscoNutt</dc:creator>
      <dc:date>2012-06-29T15:01:21Z</dc:date>
    </item>
  </channel>
</rss>

