Is the output of the "show nat" command, which shows the number of thits on NAT rules, a reliable counter in the same way that access-list counters are, meaning unless cleared or if the firewall is rebooted, can I count on these hit counts as being an accurate portrayal of what is actually being used? trying to clean up an old firewall with a lot of NAT rules, many show no hit counts since the last reboot.
Unless you have a code which has some bugs related to the "hit" counters, each new flow which matches a NAT entry, upon which a new session is created through the device, is gonna increase the "hit" value by 1. So yes, you can use the "hit" counters as a reference to which NAT statements are actively matched by traffic and which do not. If you have a NAT statement for which you don't see hits, try simulating traffic via packet-tracer, matching that NAT statement, you will see the "hit" counter increasing. Use "clear nat counters" first, to start from zero.
I was helping some friends and they were trying to solve a scalable VPN issues, specially these days with the pandemic situation.
I recommended to implement ASA VPN Load-Balancing.
This will allow to keep 1 FQDN for all RA-VPN users an...
Purpose of this article is to share our experience during that Covid-19 period where we were able to successfully setup a VPN configuration for remote worker using Alcatel 8068S phones with FTD 2110 running 18.104.22.168.I would like to thank all of my colleagu...
If you have ever configured central web authentication with ISE you understand that it requires one to configure ACL that dictates what traffic is to be redirected vs. let through without redirection. You also understand that this ACL needs to be config...
Cisco Defense Orchestrator (CDO) is a cloud-based multi-device manager that can manage security products like the Adaptive Security Appliance (ASA), the Firepower Threat Defense next-generation firewall, and Meraki devices, to name a few.&nb...