UN-NAT question

WStoffel1
Level 1

I know you'll probably need more, but I haven't seen an UN-NAT before. I made some changes to allow the two networks to talk on my ASA. The result is that it works. The UN-NAT in phase 3 sort of threw me for a loop. I was hoping someone could just explain what's happening based on the below:

packet-tracer input exchange tcp 192.168.180.11 32000 192.168.139.6 25

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (lvbw,Exchange) 192.168.139.0 192.168.139.0 netmask 255.255.255.0
  match ip lvbw 192.168.139.0 255.255.255.0 HostedExchange any
    static translation to 192.168.139.0
    translate_hits = 29, untranslate_hits = 51
Additional Information:
NAT divert to egress interface lvbw
Untranslate 192.168.139.0/0 to 192.168.139.0/0 using netmask 255.255.255.0

Thanks!

1 Accepted Solution


Jouni Forss
VIP Alumni

Hi,

To my understanding, the UN-NAT phase always happens when you have a translation configured for the destination IP address. You are essentially targeting an IP address that is a NAT IP address configured on the firewall.

So a "packet-tracer" command using a destination IP address used in a Static NAT for a server would produce the same type of output.

What you are doing above is basically Static Identity NAT. The network used in the command is translated into itself. The most typical use for this is to enable communication between different Cisco firewall interfaces.

Depending on setup you might actually see 2 different translations in the same "packet-tracer" output. This happens when you are doing NAT for both the source and the destination host of the "packet-tracer" command.

- Jouni

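As an added illustration of the answer above (example code written for this page, not from the original post or from Cisco), here is a small Python parser for packet-tracer output. It pulls the static rule out of every NAT or UN-NAT phase and flags identity NAT, i.e. a rule whose real and mapped addresses are the same. The sample trace is phase 3 from the question; the phase 4 "NAT" block is a constructed, hypothetical source translation added only to show the two-translations case mentioned in the reply. It assumes the pre-8.3 `static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask` form that appears in the post; the interface names, the 10.10.10.11 address and the function names are the example's own.

```python
import re
from dataclasses import dataclass
# Constructed sample: phase 3 of the packet-tracer output quoted in the post above.
SAMPLE_TRACE = """\
Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (lvbw,Exchange) 192.168.139.0 192.168.139.0 netmask 255.255.255.0
  match ip lvbw 192.168.139.0 255.255.255.0 HostedExchange any
    static translation to 192.168.139.0
    translate_hits = 29, untranslate_hits = 51
Additional Information:
NAT divert to egress interface lvbw
Untranslate 192.168.139.0/0 to 192.168.139.0/0 using netmask 255.255.255.0
"""

# Constructed, hypothetical extra phase: a static rule that also rewrites the
# *source* host, giving the "two translations in one trace" case from the reply.
SOURCE_NAT_PHASE = """
Phase: 4
Type: NAT
Result: ALLOW
Config:
static (Exchange,lvbw) 10.10.10.11 192.168.180.11 netmask 255.255.255.255
  match ip Exchange host 192.168.180.11 lvbw any
Additional Information:
Static translate 192.168.180.11/0 to 10.10.10.11/0 using netmask 255.255.255.255
"""
TWO_WAY_TRACE = SAMPLE_TRACE + SOURCE_NAT_PHASE

# Pre-8.3 syntax: static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask
STATIC_RE = re.compile(
    r"^static \((?P<real_if>[^,]+),(?P<mapped_if>[^)]+)\)\s+"
    r"(?P<mapped>\S+)\s+(?P<real>\S+)\s+netmask\s+\S+$"
)

@dataclass
class Phase:
    number: int
    type: str
    config: list  # lines between "Config:" and "Additional Information:"

def parse_trace(text: str) -> list:
    """Split packet-tracer output into Phase records; blank lines are ignored."""
    phases = []
    for chunk in re.split(r"(?m)^(?=Phase:\s*\d)", text):
        if not chunk.strip():
            continue
        fields, config, section = {}, [], "head"
        for raw in chunk.splitlines():
            line = raw.strip()
            if not line:
                continue
            if line == "Config:":
                section = "config"
            elif line == "Additional Information:":
                section = "info"
            elif section == "config":
                config.append(line)
            elif section == "head":
                key, _, value = line.partition(":")
                fields[key] = value.strip()
        phases.append(Phase(int(fields["Phase"]), fields.get("Type", ""), config))
    return phases

@dataclass
class NatFinding:
    phase: int
    kind: str  # "UN-NAT": destination hit a NAT rule; "NAT": source hit one
    real_if: str
    mapped_if: str
    real: str
    mapped: str
    identity: bool  # identity NAT: the address is translated to itself

def nat_findings(phases: list) -> list:
    found = []
    for p in phases:
        if p.type in ("NAT", "UN-NAT"):
            for line in p.config:
                if m := STATIC_RE.match(line):
                    found.append(NatFinding(p.number, p.type, m["real_if"], m["mapped_if"],
                                            m["real"], m["mapped"], m["real"] == m["mapped"]))
    return found

def describe(text: str) -> list:
    """One line per NAT-related phase, in the terms used in the reply above."""
    out = []
    for f in nat_findings(parse_trace(text)):
        role = "destination" if f.kind == "UN-NAT" else "source"
        how = "identity NAT, address unchanged" if f.identity else "address rewritten"
        out.append(f"Phase {f.phase} {f.kind}: {role} {f.real} on {f.real_if} "
                   f"appears as {f.mapped} on {f.mapped_if} ({how})")
    return out

if __name__ == "__main__":
    print("\n".join(describe(TWO_WAY_TRACE)))
```

Run it against a real `packet-tracer` capture and the output tells you, per phase, whether the hit was on the destination (UN-NAT) or the source (NAT) and whether the rule actually changes the address; an UN-NAT line that reports identity NAT is exactly the situation in the question.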

2 Replies


WStoffel1
Level 1

thank you!
