no translate hit counter in sh nat command in Port Forwarding LAB.

mdsubrunjamil
Level 1

Hi All,

I was doing a Port Forwarding LAB in my GNS3. The inside source machine (10.0.0.25) is listening on port 8000 as a Web Server. From the outside, say for example in my LAB, a user will be hitting from the 192.168.137.XX block, and when it hits the NATTED IP (192.168.137.230) of the local Web Server on port 8001, it will eventually do a port forward to 8000, which is basically the port the local Web Server is listening on.

Here it looks like everything is working. From outside, the Web Server is opening. I attached a screenshot. A packet trace is also showing that everything is allowed.

But I don't see any translate counter in the "sh nat" output (translate_hits = 0).

(Local 10.0.0.25:8000, Public 192.168.137.230:8001).

Also I don't see any output when I give a command like

"sh conn address 10.0.0.25" or "sh conn address 192.168.137.230".

Please advise what could be the problem.

Here I attached my diagram, sh run of the ASA, Test Server screenshot and other output.

 

ASAFW# sh run
: Saved
:
ASA Version 8.4(2)
!
hostname ASAFW
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
nameif inside
security-level 100
ip address 10.1.0.250 255.255.255.0
!
interface GigabitEthernet1
nameif outside
security-level 0
ip address 192.168.137.250 255.255.255.0
!
interface GigabitEthernet2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet3
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
object network obj_10.0.0.25
host 10.0.0.25
access-list outside_access_in extended permit tcp any object obj_10.0.0.25
pager lines 24
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
object network obj_10.0.0.25
nat (inside,outside) static 192.168.137.230 service tcp 8000 8001
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.137.1 1
route inside 10.0.0.0 255.0.0.0 10.1.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
!
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:b999f51dd7ecb5f1d072f4e82e257d62
: end

=====

Cisco Adaptive Security Appliance Software Version 8.4(2)

=====

ASAFW# sh nat

Auto NAT Policies (Section 2)
1 (inside) to (outside) source static obj_10.0.0.25 192.168.137.230 service tcp 8000 8001
translate_hits = 0, untranslate_hits = 4

ASAFW# sh xlate

1 in use, 1 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
TCP PAT from inside:10.0.0.25 8000-8000 to outside:192.168.137.230 8001-8001
flags sr idle 0:00:18 timeout 0:00:00

ASAFW# sh conn address 10.0.0.25
0 in use, 3 most used

ASAFW# sh conn address 192.168.137.230
0 in use, 3 most used
ASAFW#


ASAFW# packet-tracer input outside tcp 192.168.137.239 8001 192.168.137.230 8000

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network obj_10.0.0.25
nat (inside,outside) static 192.168.137.230 service tcp 8000 8001
Additional Information:
NAT divert to egress interface inside
Untranslate 192.168.137.230/8001 to 10.0.0.25/8000

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit tcp any object obj_10.0.0.25
Additional Information:

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network obj_10.0.0.25
nat (inside,outside) static 192.168.137.230 service tcp 8000 8001
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 44, packet dispatched to next module

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow

ASAFW#
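An added example (editor's code, not part of the original post and not Cisco's): a small Python parser for the `show nat` counters shown above. The function names and regular expressions are assumptions written for this post's output format, and the sample text is constructed to match the single rule in the post. The counter semantics it reports are those of ASA 8.3 and later: `translate_hits` counts flows initiated from the real (inside) side of the rule, `untranslate_hits` counts flows initiated from the mapped (outside) side, so a port forward that is only ever reached from outside shows `translate_hits = 0` while still working. It also builds the inbound `packet-tracer` command against the mapped (public) port, which is the direction a port-forwarding test should exercise.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the Auto NAT rule and counters from the post above.
SHOW_NAT_SAMPLE = """\
Auto NAT Policies (Section 2)
1 (inside) to (outside) source static obj_10.0.0.25 192.168.137.230 service tcp 8000 8001
    translate_hits = 0, untranslate_hits = 4
"""

# Assumed layout of an Auto NAT (object NAT) static rule line on ASA 8.3+.
RULE_RE = re.compile(
    r"^\s*(?P<num>\d+)\s+\((?P<real_if>[\w-]+)\)\s+to\s+\((?P<mapped_if>[\w-]+)\)\s+"
    r"source\s+static\s+(?P<obj>\S+)\s+(?P<mapped>\S+)"
    r"(?:\s+service\s+(?P<proto>tcp|udp)\s+(?P<real_port>\d+)\s+(?P<mapped_port>\d+))?"
)
HITS_RE = re.compile(
    r"translate_hits\s*=\s*(?P<t>\d+),\s*untranslate_hits\s*=\s*(?P<u>\d+)"
)


@dataclass
class NatRule:
    number: int
    real_if: str
    mapped_if: str
    obj: str
    mapped_ip: str
    proto: Optional[str] = None
    real_port: Optional[int] = None
    mapped_port: Optional[int] = None
    translate_hits: int = 0
    untranslate_hits: int = 0


def parse_show_nat(text: str) -> List[NatRule]:
    """Parse 'show nat' output into NatRule records (hypothetical helper)."""
    rules: List[NatRule] = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append(NatRule(
                number=int(m["num"]),
                real_if=m["real_if"],
                mapped_if=m["mapped_if"],
                obj=m["obj"],
                mapped_ip=m["mapped"],
                proto=m["proto"],
                real_port=int(m["real_port"]) if m["real_port"] else None,
                mapped_port=int(m["mapped_port"]) if m["mapped_port"] else None,
            ))
            continue
        h = HITS_RE.search(line)
        if h and rules:
            # The counter line follows its rule line, so it belongs to the last rule.
            rules[-1].translate_hits = int(h["t"])
            rules[-1].untranslate_hits = int(h["u"])
    return rules


def classify_usage(rule: NatRule) -> str:
    """Report which direction has used the rule.

    translate_hits counts flows initiated from the real (inside) side and
    untranslate_hits counts flows initiated from the mapped (outside) side.
    A port forward that only ever receives inbound connections is therefore
    expected to show translate_hits = 0 with untranslate_hits increasing.
    """
    if rule.translate_hits == 0 and rule.untranslate_hits == 0:
        return "unused"
    if rule.translate_hits == 0:
        return "inbound-only"
    if rule.untranslate_hits == 0:
        return "outbound-only"
    return "both"


def inbound_packet_tracer(rule: NatRule, src_ip: str, src_port: int) -> str:
    """Build the packet-tracer command for the inbound (outside -> inside) direction.

    The destination is the mapped IP and the mapped (public) port, i.e. what an
    outside client really connects to; the ASA then un-translates it to the
    real IP and real port of the rule.
    """
    if rule.proto is None or rule.mapped_port is None:
        raise ValueError("rule has no service (port) mapping")
    return (f"packet-tracer input {rule.mapped_if} {rule.proto} "
            f"{src_ip} {src_port} {rule.mapped_ip} {rule.mapped_port}")


if __name__ == "__main__":
    for r in parse_show_nat(SHOW_NAT_SAMPLE):
        print(f"rule {r.number}: {r.obj}:{r.real_port} <- {r.mapped_ip}:{r.mapped_port} "
              f"usage={classify_usage(r)}")
        print(inbound_packet_tracer(r, "192.168.137.239", 40000))
```

Feed the script the live `show nat` output instead of the constructed sample to get the same classification for every rule; a rule reported as `inbound-only` is behaving exactly as a port forward should, and the hit counter to watch for inbound traffic is `untranslate_hits`, not `translate_hits`.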
