Solved: FTD Nat Question

benolyndav · ‎03-14-2023

Hi

I Was recently looking into an issue with users unable to connect o an external site and I noticed that the translate hits for the nat rule associated with this access rule werent incrementing I disabled the rule and then re enabled and it sorted it users were able to get to the destination again and the nat translate counters were once again incrementing, Im now looking at another issue which involves another nat rule where users arent able to get to an external site and again the translate counters arent incrementing but the strange thing is 99% of users are getting to the site could this be some sort of bug.??

Thanks

Rob Ingram · ‎03-14-2023

@benolyndav nat exhaustion perhaps?

What version are you running, have you checked for bugs?

View solution in original post

Rob Ingram · ‎03-14-2023

@benolyndav hard to tell, do the users come from the same source network and therefore match the exact same rule?

Best thing to do is run packet-tracer from the CLI, this would confirm which NAT rule traffic is or is not matching - example "packet-tracer input INSIDE tcp 192.168.10.1 3000 8.8.8.8 80". It would also confirm if the problem is related to NAT and ACP issue or something else.

benolyndav · ‎03-14-2023

Hi
Yes I have ran the packet tracers and its stipulates the correct nat rule, the users that are having issues do tend to be sourced from the same network but the funny thing is not all users from this source subnet are having the issue.? Im wondering if its possible that some translations are stuck and not clearing automatically.?

Rob Ingram · ‎03-14-2023

@benolyndav nat exhaustion perhaps?

What version are you running, have you checked for bugs?

benolyndav · ‎03-14-2023

Hi

Version 7.01
I have had a look at the bugs and dont see anything relating to this, whats the best way to manually check for nat exhaustion ??

Thanks

MHM Cisco World · ‎03-14-2023

did your FTD connect to dual ISP ?

benolyndav · ‎03-15-2023

Hi

No single