
How to check/control which NAT & ACL rule(s) have been hit?

IamSamSaul
Level 1

Hi there,

Is there any command (CLI or GUI) to check or control which NAT rule has been hit? 

For example: a user is coming from the Internet and wants to access a webserver in the DMZ zone. Now I would like to know which NAT rule and ACL rule(s) have been hit during this connection.

Thanks & Regards,

Sam

Accepted Solutions

@IamSamSaul 

No, packet-tracer would still display the output if you hit a NAT exemption rule. It's more likely that traffic didn't match any NAT rule.

Run the command "show nat detail" from the CLI and determine whether there were actually any hits on that NAT exemption rule.


HTH

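As an added illustration of the check in the accepted answer (this is not code from the thread), the Python below parses the per-rule translate_hits / untranslate_hits counters that "show nat detail" prints and lists rules that have never matched. The sample output is constructed; the interface names, object names and the Auto NAT rule are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed "show nat detail" output (illustration only, not from the thread).
# Section 1 rule 1 is the Client -> Webserver NAT exempt rule; its counters are zero.
SAMPLE_SHOW_NAT = """\
Manual NAT Policies (Section 1)
1 (Inside) to (DMZ) source static Client Client destination static Webserver Webserver no-proxy-arp route-lookup
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 10.10.20.34/32, Translated: 10.10.20.34/32
    Destination - Origin: 172.16.1.100/32, Translated: 172.16.1.100/32

Auto NAT Policies (Section 2)
1 (DMZ) to (Outside) source static Webserver 203.0.113.10
    translate_hits = 42, untranslate_hits = 137
    Source - Origin: 172.16.1.100/32, Translated: 203.0.113.10/32
"""
SECTION_RE = re.compile(r"^\S.*NAT Policies \(Section \d+\)")
RULE_RE = re.compile(r"^(\d+) \((\S+)\) to \((\S+)\) (.+)$")   # unindented rule line
HITS_RE = re.compile(r"translate_hits = (\d+), untranslate_hits = (\d+)")

@dataclass
class NatRule:
    section: str
    index: int
    ifaces: str        # "source_if->destination_if"
    definition: str
    translate_hits: int = 0
    untranslate_hits: int = 0

def parse_show_nat(output: str) -> list[NatRule]:
    rules: list[NatRule] = []
    section = ""
    for line in output.splitlines():
        if SECTION_RE.match(line):
            section = line.strip()
            continue
        m = RULE_RE.match(line)
        if m:
            rules.append(NatRule(section, int(m.group(1)), f"{m.group(2)}->{m.group(3)}", m.group(4)))
            continue
        m = HITS_RE.search(line)
        if m and rules:  # the indented counter line belongs to the most recent rule
            rules[-1].translate_hits = int(m.group(1))
            rules[-1].untranslate_hits = int(m.group(2))
    return rules

def never_hit(rules: list[NatRule]) -> list[NatRule]:
    # Both counters zero: the rule is shadowed, misordered, or scoped to the wrong hosts/interfaces.
    return [r for r in rules if r.translate_hits == 0 and r.untranslate_hits == 0]
```

Run it against the real output pasted into SAMPLE_SHOW_NAT; a rule that stays at zero after the test traffic has been sent is the one to look at in the NAT policy order.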

4 Replies

Hi @IamSamSaul 

Yes, you can run packet-tracer from the CLI or ASDM; this will simulate traffic. In the output you can determine which NAT rule and ACL were matched. E.g.

packet-tracer input <source interface> <protocol> <source IP> <source port> <destination IP> <destination port> [detailed]

HTH

Hi Rob, 

Thanks for your reply. I was using the same command in FTD's CLI (system support diagnostic-cli) but it does not show the NAT section.

This is the situation:

Client - Inside - DMZ - Webserver 

I have a NAT exempt rule from Client to Webserver. 

Is it possible that I don't see the NAT hit in my capture due to this rule? 

I was using the following capture command:

capture CAP1 interface DMZ trace detailed match ip host 10.10.20.34 host 172.16.1.100

Webserver: 172.16.1.100

Client: 10.10.20.34

Thanks. 
