07-17-2015 12:55 PM - edited 03-11-2019 11:17 PM
Hi Guys,
I have a static NAT for public-to-private as shown below on an ASA 8.2; however, I also have users accessing this private IP (10.0.10.245) via an MPLS link.
Users have been complaining that there is traffic loss.
static (inside-10,outside-48) 116.19.49.52 10.0.10.245 netmask 255.255.255.255
When I did a packet-tracer, I noticed the return traffic is taken over by the static NAT.
ASA# packet-tracer input new-mpls tcp 10.32.26.185 1621 10.0.10.245 8080

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.0.10.0 255.255.255.0 inside-10

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group mpls_intf in interface new-mpls
access-list mpls_intf extended permit ip any any
Additional Information:

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: NAT-EXEMPT
Subtype: rpf-check
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (new-mpls) 0 0.0.0.0 0.0.0.0
nat-control
match ip new-mpls any dmz-12 any
no translation group, implicit deny
policy_hits = 0
Additional Information:

Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside-10) 2 10.0.10.0 255.225.255.0
nat-control
match ip inside-10 10.0.10.0 255.225.255.0 new-mpls any
dynamic translation to pool 2 (No matching global)
translate_hits = 5000045, untranslate_hits = 0
Additional Information:

Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside-10,outside-48) 116.19.49.52 10.0.10.245 netmask 255.255.255.255
nat-control
match ip inside-10 host 10.0.10.245 outside-48 any
static translation to 116.19.49.52
translate_hits = 1593, untranslate_hits = 765
Additional Information:

Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 72453496, packet dispatched to next module

Result:
input-interface: new-mpls
input-status: up
input-line-status: up
output-interface: inside-10
output-status: up
output-line-status: up
Action: allow
ASA#
How can I avoid this routed traffic being taken over by the static NAT?
Thanks
Rizwan
07-17-2015 10:09 PM
Hi,
This NAT phase is something which you can ignore in the packet-tracer output:
Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside-10,outside-48) 116.19.49.52 10.0.10.245 netmask 255.255.255.255
nat-control
match ip inside-10 host 10.0.10.245 outside-48 any
static translation to 116.19.49.52
translate_hits = 1593, untranslate_hits = 765
Additional Information:
This does not mean that this static NAT is being used for the specific traffic that you are testing, and it can be ignored.
Thanks and Regards,
Vibhor Amrodia
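One way to check which of the listed NAT phases actually concerns the traced flow is to compare each rule's interface pair with the flow's input/output interfaces. The Python below is an added example (not from this thread or from Cisco) that parses a packet-tracer dump, even one flattened onto a single line as above; the sample text is an abridged copy of phases 6 and 7 and the Result block posted in the question.

```python
import re

# Constructed sample: phases 6 and 7 plus the final Result block of the packet-tracer
# output posted in the thread, flattened onto one line the way the forum shows it.
SAMPLE = (
    "Phase: 6 Type: NAT Subtype: rpf-check Result: ALLOW Config: nat (inside-10) 2 "
    "10.0.10.0 255.225.255.0 nat-control match ip inside-10 10.0.10.0 255.225.255.0 "
    "new-mpls any dynamic translation to pool 2 (No matching global) "
    "translate_hits = 5000045, untranslate_hits = 0 Additional Information: "
    "Phase: 7 Type: NAT Subtype: host-limits Result: ALLOW Config: "
    "static (inside-10,outside-48) 116.19.49.52 10.0.10.245 netmask 255.255.255.255 "
    "nat-control match ip inside-10 host 10.0.10.245 outside-48 any "
    "static translation to 116.19.49.52 translate_hits = 1593, untranslate_hits = 765 "
    "Additional Information: Result: input-interface: new-mpls input-status: up "
    "input-line-status: up output-interface: inside-10 output-status: up "
    "output-line-status: up Action: allow"
)
PHASE_RE = re.compile(r"Phase: (\d+)(.*?)(?=Phase: \d+|Result: input-interface|$)", re.S)
KEY_RE = re.compile(r"(Type|Subtype|Result|Config|Additional Information):")

def parse_phases(text):
    """Split a (possibly flattened) packet-tracer dump into one dict per phase."""
    phases = []
    for m in PHASE_RE.finditer(text):
        parts = KEY_RE.split(m.group(2))  # ['', 'Type', ' NAT ', 'Subtype', ...]
        fields = {k: v.strip() for k, v in zip(parts[1::2], parts[2::2])}
        fields["Phase"] = int(m.group(1))
        phases.append(fields)
    return phases

def rule_interfaces(config):
    """Interface pair named in a rule's 'match ip <if> <spec> <if> <spec>' line."""
    t = config.split()
    i = t.index("match") + 2              # t[i] is the source interface
    i += 2 if t[i + 1] == "any" else 3    # skip 'any', 'host X' or 'A M'
    return t[t.index("match") + 2], t[i]

def nat_rules_for_flow(text):
    """For each NAT phase: its interface pair, translation target, and whether that
    pair is the traced flow's input/output pair (a rule for another pair cannot
    translate this flow)."""
    m = re.search(r"input-interface: (\S+).*?output-interface: (\S+)", text, re.S)
    flow = {m.group(1), m.group(2)}
    report = []
    for p in parse_phases(text):
        if p.get("Type") != "NAT" or "match ip" not in p.get("Config", ""):
            continue
        a, b = rule_interfaces(p["Config"])
        tr = re.search(r"translation to (.*?)\s+translate_hits", p["Config"])
        report.append({"phase": p["Phase"], "interfaces": (a, b),
                       "translation": tr.group(1) if tr else "",
                       "applies_to_flow": {a, b} == flow})
    return report
```

Run against the sample, phase 7 (the static between inside-10 and outside-48) is reported as not applying to the new-mpls to inside-10 flow, while phase 6 is the rule for that pair and shows "No matching global".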
07-18-2015 08:29 AM
Hi Vibhor,
"This does not mean that this Static NAT is being used for the specific traffic that you are testing and can be ignored."
I am not sure about your statement above.
outside-48 interface of ASA is on public address.
How could it not matter, when the return traffic is being NATted back to the public IP as per packet-tracer, whereas users are accessing the destination address as 10.0.10.245, which is the real IP?
I lost you here.
thanks
07-18-2015 02:51 PM
If I put a NAT exemption on interface inside-10:
access-list nat0-inside-10 extended permit ip host 10.0.10.245 host 10.32.26.185
nat (inside-10) 0 nat0-inside-10
Or would policy static NAT work?
access-list pnat permit ip host 10.0.10.245 host 10.32.26.185
static (inside,outside) 10.0.10.245 access-list pnat
thanks