Private IP address in the sniffer after NAT

bluesea2010
Level 5

Hi,

ASA (routed mode) -----sniffer-------router---WAN

In the sniffed traffic I can see source 10.0.15.121 and destination 10.10.0.50.

Why can I see a private IP address?

Thanks

6 Replies

As the destination is also a private IP, I would guess that this traffic is exempted from NAT or that the ASA doesn't do any NAT at all. The config should tell you more about that.

There is identity NAT for VPN:

nat (Inside,any) source static 10.0.0.0.16 10.0.0.0.16 destination static VPN-1 VPN-1

The ASA code is ASA Version 9.2(4), so I think it won't support NAT exemption.

Thanks

Hi,

Yes, correct, but this NAT is called an IDENTITY NAT, which means it would translate it to its own IP.

So you would see 10.0.0.0/16 on the outside interface.

Regards,

Aditya

Please rate helpful posts and mark correct answers.
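To make the first-match behaviour concrete, here is a small model of how the ASA walks its NAT table, written for this thread as an added example; it is not Cisco code, and it ignores interfaces, ports and services. It assumes VPN-1 is 10.10.0.0/16, that the 10.0.4.0 object in the after-auto rule is a /24, and that y.y.y.y is 203.0.113.10; none of those values are given in the thread. The point it shows holds either way: an identity rule hands the source address back unchanged, and a packet that matches no rule at all is also forwarded unchanged, so a private source address on the outside wire is what both cases produce.

```python
"""Simplified model of ASA (8.3+) NAT rule selection, added here as an illustration.
Not the ASA's own code: a first-match walk over the three NAT sections
(1: manual NAT, 2: auto/object NAT, 3: manual NAT after-auto). Only the source
and destination address conditions are modelled; interfaces, ports and
services are ignored."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class NatRule:
    name: str
    section: int                 # 1 = manual NAT, 2 = auto NAT, 3 = manual NAT after-auto
    real_src: str                # real (inside) source network
    mapped_src: Optional[str]    # None = identity NAT: the source translates to itself
    dst: str = "0.0.0.0/0"       # destination condition ("any" for auto NAT)


def lookup(rules: List[NatRule], src: str, dst: str) -> Tuple[Optional[NatRule], str]:
    """Return (matching rule or None, source address as seen on the egress wire).

    Sections are consulted in order 1, 2, 3, and within a section in configured
    order (sorted() is stable). The first rule whose real-source and destination
    conditions both match wins. If no rule matches, the ASA forwards the packet
    untranslated: since 8.3 there is no nat-control, so "no NAT" is not a drop.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in sorted(rules, key=lambda r: r.section):
        if s in ipaddress.ip_network(rule.real_src) and d in ipaddress.ip_network(rule.dst):
            if rule.mapped_src is None:
                return rule, src                  # identity NAT: private source stays private
            return rule, rule.mapped_src          # dynamic PAT to a single mapped address
    return None, src                              # no match: leaves untranslated


# Constructed ruleset modelled on the thread. Assumed values, not given there:
# VPN-1 = 10.10.0.0/16, the 10.0.4.0 object = 10.0.4.0/24, y.y.y.y = 203.0.113.10.
VPN_1 = "10.10.0.0/16"
RULES = [
    # nat (Inside,any) source static 10.0.0.0/16 10.0.0.0/16 destination static VPN-1 VPN-1
    NatRule("vpn-identity", section=1, real_src="10.0.0.0/16", mapped_src=None, dst=VPN_1),
    # nat (Inside,Outside) after-auto source dynamic 10.0.4.0 y.y.y.y
    NatRule("inet-pat", section=3, real_src="10.0.4.0/24", mapped_src="203.0.113.10"),
]


def on_the_wire(src: str, dst: str, rules: List[NatRule] = RULES) -> str:
    """One-line account of what a sniffer between the ASA and the router would show."""
    rule, seen = lookup(rules, src, dst)
    why = f"matched {rule.name} (section {rule.section})" if rule else "matched no NAT rule"
    return f"{src} -> {dst}: source on the wire is {seen} ({why})"


if __name__ == "__main__":
    for src, dst in [("10.0.15.121", "10.10.0.50"),   # the sniffer observation from the thread
                     ("10.0.12.101", "8.8.8.8"),      # no rule covers this source towards the Internet
                     ("10.0.4.101", "8.8.8.8"),       # after-auto PAT applies
                     ("10.0.4.101", "10.10.0.20")]:   # section 1 identity NAT beats section 3 PAT
        print(on_the_wire(src, dst))
```

The check that settles which of the two cases applies on a real box is packet-tracer: a NAT phase that prints the rule under Config: is a translation hit, and a run whose only NAT phase is the empty per-session one hit no translation rule at all. Note also that the after-auto rule sits in section 3, so for a destination covered by VPN-1 the section 1 identity rule is chosen first and the after-auto PAT is never consulted.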

Hi,

Please help me to figure out the issue. I don't have any auto NAT command related to this network except the identity NAT for VPN, and code 9.2 does not support NAT exempt.

Attached sniffing snapshot (traffic leaving the ASA outside interface).

Thanks

Hi,

Please share the packet tracer for the concerned traffic.

Regards,

Aditya

Test 1

I don't have auto NAT for the network 10.0.12.101:

packet-tracer input inside udp 10.0.12.101 2821 10.0.10.20 53

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in 10.0.0.0 255.255.0.0 via x.x.x.x, Inside

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in 10.0.0.0 255.255.0.0 via x.x.x.x, Inside

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: Inside
input-status: up
input-line-status: up
output-interface: Inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Test 2
-------------------------------------------------------------
packet-tracer input inside rawip 10.0.12.101 4 10.10.0.20

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 via [publicip router], Outside

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in 10.0.0.0 255.255.0.0 via x.x.x.x, Inside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group access_inside in interface Inside
access-list access_inside extended permit ip any any
Additional Information:

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 478713704, packet dispatched to next module

Result:
input-interface: Inside
input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up
Action: allow


Test 3
-------------------------------------------------------------------

packet-tracer input inside rawip 10.0.12.101 4 8.8.8.8

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 via [publicip router], Outside

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in 10.0.0.0 255.255.0.0 via x.x.x.x, Inside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group access_inside in interface Inside
access-list access_inside extended permit ip any any
Additional Information:

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 478725513, packet dispatched to next module

Result:
input-interface: Inside
input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up
Action: allow


Test 4

Here I have configured auto NAT for the network 10.0.4.0:


nat (Inside,Outside) after-auto source dynamic 10.0.4.0 y.y.y.y

packet-tracer input inside rawip 10.0.4.101 4 10.10.0.20


Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 via [publicip router], Outside

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in 10.0.0.0 255.255.0.0 via x.x.x.x, Inside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group access_inside in interface Inside
access-list access_inside extended permit ip any any
Additional Information:

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (Inside,Outside) after-auto source dynamic 10.0.4.0 y.y.y.y
Additional Information:

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Result:
input-interface: Inside
input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (nat-xlate-failed) NAT failed

Test 5
-----------------------------------------------------------------------------------------

packet-tracer input inside rawip 10.0.4.101 4 10.10.0.20

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 via x.x.x.x, Outside

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in 10.0.0.0 255.255.0.0 via x.x.x.x, Inside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group access_inside in interface Inside
access-list access_inside extended permit ip any any
Additional Information:

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (Inside,Outside) after-auto source dynamic 10.0.4.0 y.y.y.y
Additional Information:

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Result:
input-interface: Inside
input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (nat-xlate-failed) NAT failed

Thanks 
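The five runs above are easier to compare once each is reduced to its egress interface, the NAT rule it hit and the final verdict. The parser below is an added example for this thread, not Cisco tooling; its two sample inputs are constructed from the shape of Test 4 and Test 2, trimmed to the phases that matter, with 192.0.2.1 standing in for the router address.

```python
"""Parser for ASA packet-tracer output, added here as an illustration (not Cisco
code). It extracts each phase, any NAT rule a phase prints under Config:, the
egress interface and the final Action / Drop-reason."""
import re
from typing import Dict, List, Optional

PHASE_KEYS = ("Phase", "Type", "Subtype", "Result", "Config", "Additional Information")
MULTILINE = {"Config": "config", "Additional Information": "info"}


def parse_packet_tracer(text: str) -> Dict:
    """Return {"phases": [...], "final": {...}} for one packet-tracer run."""
    phases: List[Dict] = []
    final: Dict[str, str] = {}
    cur: Optional[Dict] = None      # phase block currently being filled
    field: Optional[str] = None     # open multi-line field: "config" or "info"
    in_final = False                # inside the trailing "Result:" summary block
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                # a blank line closes whatever block is open
            cur, field, in_final = None, None, False
            continue
        if line.startswith("Phase:"):
            cur = {"phase": int(line.split(":", 1)[1]), "config": [], "info": []}
            phases.append(cur)
            field = None
            continue
        if cur is None and line == "Result:":   # bare "Result:" opens the summary
            in_final = True
            continue
        if in_final:
            key, _, val = line.partition(":")
            final[key.strip()] = val.strip()
            continue
        if cur is None:             # command echo, test labels, separators
            continue
        key, sep, val = line.partition(":")
        if sep and key in PHASE_KEYS:
            field = MULTILINE.get(key)
            if field is None:       # single-value field such as "Type: NAT" or "Subtype:"
                cur[key.lower()] = val.strip()
            elif val.strip():
                cur[field].append(val.strip())
        elif field:                 # continuation line of Config / Additional Information
            cur[field].append(line)
    return {"phases": phases, "final": final}


def summarize(parsed: Dict) -> Dict:
    """Egress interface, action, drop code and the NAT rules the run reports.
    Only NAT phases that print a rule under Config: count; the per-session
    NAT phase prints no rule and so is not listed as a translation hit."""
    final = parsed["final"]
    m = re.match(r"\((?P<code>[^)]+)\)", final.get("Drop-reason", ""))
    return {
        "egress": final.get("output-interface"),
        "action": final.get("Action"),
        "drop_code": m.group("code") if m else None,
        "nat_rules": [c for p in parsed["phases"] if p.get("type") == "NAT" for c in p["config"]],
    }


# Constructed samples modelled on the thread's Test 4 and Test 2; 192.0.2.1 stands
# in for the router address and the phases are trimmed to the ones that matter.
SAMPLE_NAT_FAIL = """\
packet-tracer input inside rawip 10.0.4.101 4 10.10.0.20

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 via 192.0.2.1, Outside

Phase: 2
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (Inside,Outside) after-auto source dynamic 10.0.4.0 y.y.y.y
Additional Information:

Result:
output-interface: Outside
Action: drop
Drop-reason: (nat-xlate-failed) NAT failed
"""

SAMPLE_ALLOW = """\
Phase: 1
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Result:
output-interface: Outside
Action: allow
"""
```

Run against the thread's own outputs, Test 2 and Test 3 summarize to an allow with no translation rule hit, which is the case where the private source address leaves the Outside interface unchanged, while Test 4 and Test 5 show the after-auto rule being selected and then failing to build an xlate (nat-xlate-failed), which is a different problem from the one in the original question.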
