How to determine which NAT policy is being used

Warren
Level 1

Good day;

 

I was going through a firewall that I was asked to manage. There are 4 different NAT statements, so I was testing to see which statement is active or not. When I do a show xlate it says I am using a PAT from the NAT table called INSIDE,OUTSIDE. I checked the table and I do have one, but when I search for the subnet my workstation is on I do not see a statement that NATs my IP to the outside interface of the firewall. I went ahead and checked the other 3 and nothing pulls up. Am I missing something??

 

Thank you in advance for your help!!

 

Warren


5 Replies

Francesco Molino
VIP Alumni
Hi

To see which nat your traffic is taking, you can use the command packet-tracer.
It will show you the complete flow for a particular traffic including the nat statement.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hmm, never thought of that. I think I will try that, but

I believe I found the answer. I went further down in the config and found this:

 

object network obj_any
 nat (INSIDE,OUTSIDE) dynamic interface

 

This is what is NATting my internal network to the outside interface of my firewall. I verified this by doing a

 

FW-CHOF-INET1# sh nat object obj_any detai

 

Auto NAT Policies (Section 2)

14 (INSIDE) to (OUTSIDE) source dynamic obj_any interface 

    translate_hits = 465017372, untranslate_hits = 46656920

    Source - Origin: 0.0.0.0/0, Translated: XXXX.XXXX.XXX.XXXX

 

I attempted to connect to something on the internet and did the following

 

sh xlate | incl XXXX.XXXX.XXXX.XXXX

UDP PAT from INSIDE: XXXX.XXXX.XXXX.XXXX/39605 to OUTSIDE: XXXX.XXXX.XXXX.XXXX/39605 flags ri idle 0:00:03 timeout 0:00:30

 

This matches the outside interface IP that is being used.

Sorry, I should have checked the whole config before posting, but hopefully this helps someone else. Otherwise, sorry for wasting bandwidth.
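The reason the poster could not find his subnet in the config is that the matching rule is the object obj_any with a real address of 0.0.0.0/0: it covers every inside host, so a search for a specific subnet never hits it. The ASA evaluates auto NAT (Section 2) rules in a documented order (static before dynamic, then the object with the fewest real addresses, then the lowest real address, then object name), which is why a catch-all like obj_any always ends up last and any more specific object NAT wins over it. The following is an added example, not code from this thread or from Cisco: it parses constructed `show nat detail`-style output (modelled on the poster's, with documentation addresses substituted for the masked ones), reproduces the Section 2 ordering, and reports which auto NAT rule a given source IP entering a given interface would hit. Manual NAT (Sections 1 and 3) is deliberately not modelled, and the sample output, object names and addresses are constructed for the demonstration.

```python
"""Which ASA auto NAT (Section 2) rule does a flow hit?

Added example, not the poster's or Cisco's code. The sample output below is
constructed to resemble 'show nat detail'; addresses use documentation
ranges. Ordering follows Cisco's documented Section 2 rule order.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample, modelled on the thread's 'sh nat object obj_any detail'.
SAMPLE_SHOW_NAT = """\
Auto NAT Policies (Section 2)
1 (INSIDE) to (OUTSIDE) source static obj-mailserver 203.0.113.25
    translate_hits = 120, untranslate_hits = 9000
    Source - Origin: 10.1.1.25/32, Translated: 203.0.113.25/32
2 (DMZ) to (OUTSIDE) source dynamic obj-dmz-net interface
    translate_hits = 3400, untranslate_hits = 0
    Source - Origin: 10.2.0.0/24, Translated: 203.0.113.2/32
14 (INSIDE) to (OUTSIDE) source dynamic obj_any interface
    translate_hits = 465017372, untranslate_hits = 46656920
    Source - Origin: 0.0.0.0/0, Translated: 203.0.113.2/32
"""


@dataclass
class AutoNatRule:
    number: int
    real_ifc: str
    mapped_ifc: str
    kind: str                      # "static" or "dynamic"
    obj: str                       # network object name, e.g. obj_any
    mapped: str                    # "interface" or a mapped object/address
    origin: ipaddress.IPv4Network  # real (pre-NAT) addresses
    translated: ipaddress.IPv4Network
    translate_hits: int
    untranslate_hits: int


HEADER = re.compile(r"^(\d+) \((\S+)\) to \((\S+)\) source (static|dynamic) (\S+) (\S+)")
HITS = re.compile(r"translate_hits = (\d+), untranslate_hits = (\d+)")
ORIGIN = re.compile(r"Source - Origin: (\S+), Translated: (\S+)")


def parse_show_nat(text):
    """Parse the three-line-per-rule layout of 'show nat detail' (Section 2 only)."""
    rules, cur = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            cur = {"number": int(m[1]), "real_ifc": m[2], "mapped_ifc": m[3],
                   "kind": m[4], "obj": m[5], "mapped": m[6]}
            continue
        if cur is None:
            continue
        m = HITS.search(line)
        if m:
            cur["translate_hits"], cur["untranslate_hits"] = int(m[1]), int(m[2])
            continue
        m = ORIGIN.search(line)
        if m:
            # A bare host address (no prefix) parses as a /32.
            cur["origin"] = ipaddress.ip_network(m[1], strict=False)
            cur["translated"] = ipaddress.ip_network(m[2], strict=False)
            rules.append(AutoNatRule(**cur))
            cur = None
    return rules


def section2_order(rule):
    """Cisco's documented auto NAT order: static first, then fewest real
    addresses, then lowest real address, then object name. Recomputing it
    lets the check work even on a partial listing (show nat object X)."""
    return (rule.kind != "static", rule.origin.num_addresses,
            int(rule.origin.network_address), rule.obj)


def covering_rules(rules, src_ip):
    """Every rule whose real addresses include src_ip, regardless of interface.
    This is the 'search the config for my subnet' the poster did by hand."""
    src = ipaddress.ip_address(src_ip)
    return [r.obj for r in sorted(rules, key=section2_order) if src in r.origin]


def find_auto_nat_rule(rules, src_ip, ingress_ifc):
    """First Section 2 rule, in evaluation order, whose real interface matches
    the ingress interface and whose real addresses include src_ip."""
    src = ipaddress.ip_address(src_ip)
    for rule in sorted(rules, key=section2_order):
        if rule.real_ifc in (ingress_ifc, "any") and src in rule.origin:
            return rule
    return None


if __name__ == "__main__":
    nat_rules = parse_show_nat(SAMPLE_SHOW_NAT)
    for ip, ifc in (("10.1.1.25", "INSIDE"), ("10.1.1.50", "INSIDE"),
                    ("10.2.0.7", "DMZ"), ("10.9.9.9", "OUTSIDE")):
        hit = find_auto_nat_rule(nat_rules, ip, ifc)
        print(f"{ip} in via {ifc}: covered by {covering_rules(nat_rules, ip)}, "
              f"hits {hit.obj if hit else 'no auto NAT rule'}")
```

The on-box equivalent, which the accepted answer recommends and which also walks the ACL and route lookup, is `packet-tracer input INSIDE tcp 10.1.1.50 12345 198.51.100.10 443` (a constructed flow; substitute the real ingress interface, source and destination). The offline model is useful for the question as asked: it shows that a host such as 10.1.1.50 is covered only by obj_any, while a host with its own static object NAT is matched by that more specific rule first, even though 0.0.0.0/0 covers it too.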

Yes you're right. This is a default dynamic NAT to nat inside hosts accessing internet.

You can try the packet-tracer command, it could also help to see nat statement, acl, routing,...

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Just tried packet-tracer like you said, and that was a lot easier than going over the config manually.

It pointed to the policy it was using and everything, so I verified what I found. Thank you, Francesco,

for the tip. I never thought of using packet-tracer; as a matter of fact, this is the first time I have ever used it.

 

Thank you again, Sir, for your help!!!!!

You're welcome.
The Cisco Community is here to help!

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question