What does this mean: (nat-no-xlate-to-pat-pool) Connection to PAT address without pre-existing xlate?

g_parmar83
Level 1

Hi to all,

I am trying to ping the outside interface of the VPN concentrator through an ASA 5520, via a 3750 switch in between them, but I am unable to do so.

I did a packet trace through the command line and got the following:

packet-tracer input outside icmp 0 0 8  3.3.3.3

Phase: 1

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   3.3.3.1  255.255.255.248 outside

Result:

input-interface: outside

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (nat-no-xlate-to-pat-pool) Connection to PAT address without pre-existing xlate

Could someone please explain to me what exactly is going on here?

Thanks in advance.

Hi,

Seems to me that the above things you wrote are correct.

- Jouni

hehe
Level 1
CSCun95075 - ASA drops packet due to nat-no-xlate-to-pat-pool after removing NAT rule

Symptom: Once a twice NAT rule with a service translation is added, other traffic on the interface may also be dropped with a reason of nat-no-xlate-to-pat-pool. This is expected behavior and more details can be found here: http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/firewall/asa_91_firewall_config/access_fwaaa.html#wp1331733

However, if the NAT rule references an object-group and that object-group is changed while the NAT rule is still configured, traffic may still be dropped even after removing the NAT rule.

Conditions: All of the following conditions must be matched to see this issue:

1) The ASA is configured with a twice NAT rule that uses a service translation
2) The object-group referenced in the NAT rule is edited (i.e. a new network-object is added to it) while the NAT rule is still configured
3) The NAT rule is removed from the configuration

Workaround: Reloading the ASA after the offending NAT rule is removed will resolve the issue.

Bug Fixed in release : 9.1.5(1) or 9.1.2(100)

Regards
Karthik
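An added example, not part of any post in this thread: a small Python parser for the packet-tracer output format shown in the question, which pulls out the per-phase results, the final action and the drop-reason code so that drops such as nat-no-xlate-to-pat-pool can be picked out of saved traces. The function names `parse_packet_tracer` and `triage` are hypothetical, and the sample input is the trace from the question.

```python
import re

# Trace lines from the question above, blank-line separated as on the page.
SAMPLE = "\n\n".join([
    "Phase: 1", "Type: ROUTE-LOOKUP", "Subtype: input", "Result: ALLOW",
    "Config:", "Additional Information:",
    "in   3.3.3.1  255.255.255.248 outside",
    "Result:", "input-interface: outside", "input-status: up",
    "input-line-status: up", "output-interface: outside",
    "output-status: up", "output-line-status: up", "Action: drop",
    "Drop-reason: (nat-no-xlate-to-pat-pool) Connection to PAT address "
    "without pre-existing xlate",
])

FIELD = re.compile(r"^([A-Za-z][A-Za-z -]*?):\s*(.*)$")   # "Key: value"
DROP = re.compile(r"^\(([\w-]+)\)\s*(.*)$")               # "(code) text"

def parse_packet_tracer(text):
    """Return (phases, result): per-phase dicts and the final summary."""
    phases, result, current = [], {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        m = FIELD.match(line)
        if not m:
            if current is not None:   # free-form line, e.g. the route entry
                current.setdefault("extra", []).append(line)
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "phase":
            current = {"phase": int(value)}
            phases.append(current)
        elif key == "result" and not value:
            current = result          # bare "Result:" opens the summary
        elif current is not None:
            current[key] = value
    return phases, result

def triage(text):
    """Summarise verdict, drop code and whether in/out interface match."""
    _, result = parse_packet_tracer(text)
    m = DROP.match(result.get("drop-reason", ""))
    return {
        "action": result.get("action"),
        "drop_code": m.group(1) if m else None,
        "drop_text": m.group(2) if m else None,
        "same_interface": result.get("input-interface") is not None
        and result.get("input-interface") == result.get("output-interface"),
    }
```

For the posted trace, `triage(SAMPLE)` reports the drop code `nat-no-xlate-to-pat-pool` and shows that the input and output interfaces are both `outside`.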