
This document describes how to troubleshoot Network Address Translation (NAT) configuration on the Cisco Adaptive Security Appliance (ASA) platform. This document is valid for ASA Version 8.3 and later.

Note: For some basic examples of NAT configurations, which include a video that shows a basic NAT configuration, see the section Related Information at the bottom of this document.

Troubleshoot NAT Configuration on the ASA

When you troubleshoot NAT configurations, it is important to understand how the NAT configuration on the ASA is used to build the NAT policy table. These configuration mistakes account for the majority of the NAT problems encountered by ASA administrators:

- The NAT configuration rules are out of order. For example, a manual NAT rule is placed at the top of the NAT table, which causes more specific rules placed farther down the NAT table to never be hit.
- The network objects used in the NAT configuration are too broad, which causes traffic to inadvertently match these NAT rules and miss more specific NAT rules.

The packet tracer utility can be used to diagnose most NAT-related issues on the ASA. Additionally, the show nat detail command can be used to understand which NAT rules are hit by new connections. See the next section for more information about how the NAT configuration is used to build the NAT policy table, and how to troubleshoot and resolve specific NAT problems.

How the ASA Configuration is Used to Build the NAT Policy Table

All packets processed by the ASA are evaluated against the NAT table. This evaluation starts at the top (Section 1) and works down until a NAT rule is matched. Once a NAT rule is matched, that NAT rule is applied to the connection and no more NAT policies are checked against the packet. The NAT policy on the ASA is built from the NAT configuration.

The three sections of the ASA NAT table are:

Section 1: Manual NAT policies. These are processed in the order in which they appear in the configuration.
Section 2: Auto NAT policies. These are processed based on the NAT type (static or dynamic) and the prefix (subnet mask) length in the object.
Section 3: Manual NAT policies configured with the after-auto keyword. These are processed in the order in which they appear in the configuration.

This diagram shows the different NAT sections and how they are ordered:

This example shows how an ASA NAT configuration with two rules (one Manual NAT statement and one Auto NAT configuration) is represented in the NAT table:

In order to troubleshoot problems with NAT configurations, use the packet tracer utility to verify that a packet hits the NAT policy. Packet tracer allows you to specify a sample packet that enters the ASA, and the ASA indicates what configuration applies to the packet and whether it is permitted. In the example below, a sample TCP packet that enters the inside interface and is destined to a host on the Internet is given. The packet tracer utility shows that the packet matches a dynamic NAT rule and is translated to the outside IP address of 172.16.123.4:

ASA# packet-tracer input inside tcp 10.10.10.123 12345 209.165.200.123 80
Dynamic translate 10.10.10.123/12345 to 172.16.123.4/12345

To activate the packet tracer from the Cisco Adaptive Security Device Manager (ASDM), choose the NAT rule and click Packet Trace. This uses the IP addresses specified in the NAT rule as the inputs for the packet tracer tool.

The output of the show nat detail command can be used to view the NAT policy table. Specifically, the translate_hits and untranslate_hits counters can be used to determine which NAT entries are used on the ASA. If you see that your new NAT rule has no translate_hits or untranslate_hits, that means that either the traffic does not arrive at the ASA, or a different rule that has a higher priority in the NAT table matches the traffic.

Here is the NAT configuration and the NAT policy table from a different ASA configuration:

In the previous example, there are six NAT rules configured on this ASA. The show nat output shows how these rules are used to build the NAT policy table, as well as the number of translate_hits and untranslate_hits for each rule. These hit counters increment only once per connection.
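The hit-counter check described above can be scripted. This Python example is added here and is not part of the Cisco document: it parses show nat output in the layout the ASA prints, lists the rules whose translate_hits and untranslate_hits are both zero, and for each of them returns the rules evaluated earlier in the NAT table that do have hits, which is where an out-of-order rule or an over-broad object shows up. The sample output, interface names and object names are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample of "show nat" output in the layout the ASA prints: a section
# header, one numbered line per rule, then that rule's hit counters.
SAMPLE_SHOW_NAT = """\
Manual NAT Policies (Section 1)
1 (inside) to (outside) source static any any destination static obj-192.168.1.0 obj-192.168.1.0
    translate_hits = 40, untranslate_hits = 38
2 (inside) to (outside) source static obj-10.10.10.5 obj-10.10.10.5 destination static obj-192.168.1.7 obj-192.168.1.7
    translate_hits = 0, untranslate_hits = 0

Auto NAT Policies (Section 2)
1 (inside) to (outside) source dynamic obj-10.10.10.0 interface
    translate_hits = 12, untranslate_hits = 0
"""

SECTION_RE = re.compile(r"^(?:Manual|Auto) NAT Policies \(Section (\d)\)")
RULE_RE = re.compile(r"^(\d+) \(\S+\) to \(\S+\) ")
HITS_RE = re.compile(r"translate_hits = (\d+), untranslate_hits = (\d+)")

@dataclass
class NatRule:
    section: int  # NAT table section (1, 2 or 3)
    index: int  # rule number within that section
    text: str  # the rule line as printed by the ASA
    translate_hits: int = 0
    untranslate_hits: int = 0

def parse_show_nat(output):
    """Return the rules in NAT-table order, i.e. the order in which the ASA evaluates them."""
    rules, section = [], None
    for line in output.splitlines():
        if sec := SECTION_RE.match(line):
            section = int(sec.group(1))
        elif (rule := RULE_RE.match(line)) and section is not None:
            rules.append(NatRule(section, int(rule.group(1)), line.strip()))
        elif (hits := HITS_RE.search(line)) and rules:
            rules[-1].translate_hits = int(hits.group(1))
            rules[-1].untranslate_hits = int(hits.group(2))
    return rules

def unused_rules(rules):
    """Rules with no hits at all: the traffic never reaches the ASA, or an earlier rule wins."""
    return [r for r in rules if r.translate_hits == 0 and r.untranslate_hits == 0]

def earlier_rules_with_hits(rules, rule):
    """Rules evaluated before `rule` that have hits: candidates that may be taking its traffic."""
    return [e for e in rules[: rules.index(rule)] if e.translate_hits or e.untranslate_hits]
```

On a live device, feed the script the captured output of show nat and compare the candidate list against the object definitions of the rule that gets no hits.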
