1210 Views, 0 Helpful, 4 Replies

ASA 9.1.2 packet tracer

Hello,

I'm working on an ASA migration from 8.2.5 to 9.1.2. When I try a packet trace for static NAT testing purposes from ASDM, the destination address is not populated with the NAT IP but with the real one. That happens only on a specific interface which is full of NAT (and where I also have some "identity NAT"). Can someone tell me why? Is it normal behaviour?

Thank you

4 Replies

Jouni Forss
VIP Alumni

Hi,

I am not really sure what you mean.

Can you perhaps use "packet-tracer" through the CLI and show what happens? Naturally you can also share a screen capture from ASDM's packet tracer if you don't use the CLI at all.

- Jouni

Julio Carvajal
VIP Alumni

Not entirely sure what you are talking about, but just in case:

Remember that the behavior of the ASA firewall changes dramatically from ASA 8.2 and lower to 8.3 and higher.

- In 8.2 and before, the ASA firewall performs the ACL check and then the NAT rule (this is why you pointed to public addresses in the ACL).

- In 8.3 and higher, the ASA performs the NAT rules first and then the ACL check (this is why you now point to the private IP address in the ACL).

This does not mean that if running packet-tracer you must use the private IP address if coming from the internet. So make sure you still use the public IP address of the server you are trying to access.

Hope that I could help!

Looking for some Networking Assistance? 
Contact me directly at jcarvaja@laguiadelnetworking.com

I will fix your problem ASAP.

Cheers,

Julio Carvajal Segura
http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
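A side-by-side of the two configuration styles Julio describes, added here as an illustration; it is not from this thread or from Cisco documentation, and the addresses (RFC 5737 documentation ranges), object names and ACL names are assumed for the example:

```cisco
! --- ASA 8.2 and earlier (example; assumed addresses) ---
! The ACL is evaluated BEFORE NAT, so the ACL references the PUBLIC (mapped) address.
static (inside,outside) 198.51.100.10 10.0.0.10 netmask 255.255.255.255
access-list OUTSIDE-IN extended permit tcp any host 198.51.100.10 eq 80
access-group OUTSIDE-IN in interface outside

! --- ASA 8.3 and later (example; assumed addresses) ---
! Un-NAT runs BEFORE the ACL, so the ACL references the REAL (private) address.
object network WEB-SERVER
 host 10.0.0.10
 nat (inside,outside) static 198.51.100.10
!
! Identity NAT: real and mapped address are the same, so for this host the
! ACL address and the packet-tracer destination coincide (assumed host).
object network APP-SERVER
 host 10.0.0.20
 nat (inside,outside) static 10.0.0.20
!
access-list OUTSIDE-IN extended permit tcp any object WEB-SERVER eq 80
access-list OUTSIDE-IN extended permit tcp any object APP-SERVER eq 443
access-group OUTSIDE-IN in interface outside

! Test from the CLI as Jouni suggests. A packet arriving on "outside" still carries
! the PUBLIC destination address, so that is what packet-tracer is given; its
! UN-NAT phase shows the translation to 10.0.0.10 before the ACCESS-LIST phase.
packet-tracer input outside tcp 203.0.113.5 12345 198.51.100.10 80
```

In the 8.3+ case the ACL entry names the real address while the packet-tracer destination is the mapped one; with the identity NAT entry both are 10.0.0.20, which is why the difference only shows up on rules whose object is actually translated.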

Thanks for your reply Jouni. Packet-tracer through the CLI is OK; of course packet-tracer through ASDM is also OK if I insert the NAT IP in the destination IP field. The issue is precisely that, when clicking on packet tracer from an access rule (which involves NAT), the destination IP shouldn't be filled with the real IP (as it is in the access rule) but with the NAT IP.

That happens because of identity NAT.
