[c-nsp] remove PAT command from FWSM configure
Peter Rathlev
peter at rathlev.dk
Wed Aug 29 06:51:53 EDT 2012
On Wed, 2012-08-29 at 16:42 +0800, zhangyongshun wrote:
> On 2012/8/26 23:43, Peter Rathlev wrote:
> > > nat (inside) 18 0.0.0.0 0.0.0.0
> > > if this command matches any real inside network traffic?
> >
> > That would depend on the definition of "any real inside network
> > traffic". The NAT statement matches all IPv4 traffic that is not
> > matched by something more specific, like narrower NAT statements or
> > statics.
>
> I want to make sure if this ACL matches any outbound traffic from inside
> interface.
I'm not sure what you mean by that. You can check what NAT statement a
specific connection matches with the packet-tracer:
ASA# packet-tracer input inside tcp 10.32.183.207 1025 192.0.2.100 http
...
Phase: 7
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 1 10.0.0.0 255.0.0.0
match ip inside 10.0.0.0 255.0.0.0 outside any
dynamic translation to pool 1 (203.0.113.66)
translate_hits = 652581185, untranslate_hits = 31422081
Additional Information:
Dynamic translate 10.32.183.207/1025 to 203.0.113.66/33395 using netmask 255.255.255.255
...
ASA#
You can see how many hits a given NAT statement has had with "show nat":
ASA# show nat inside outside | begin _inside 10\.0\.0\.0 255\.0\.0\.0 outside any
match ip inside 10.0.0.0 255.0.0.0 outside any
dynamic translation to pool 1 (203.0.113.66)
translate_hits = 652590621, untranslate_hits = 31422887
ASA#
You can clear these counters with "clear nat counters inside outside" to
better see what happens over time.
Hope this helps.
--
Peter
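As an added example (not part of Peter's post or any Cisco tool), a small Python script that parses FWSM/ASA "show nat" output like the listing above and diffs the per-statement hit counters between two samples; this gives the same "what happens over time" view as clearing the counters, and shows whether a catch-all statement such as nat (inside) 18 0.0.0.0 0.0.0.0 is still translating real traffic before it is removed. The two sample outputs, their counter values and the helper names are constructed.

```python
import re
from typing import Dict, Tuple

# Constructed samples of "show nat inside outside" output, taken at two points in
# time; the layout and counter values are assumed, not copied from a device.
SHOW_NAT_T0 = """\
  match ip inside 10.0.0.0 255.0.0.0 outside any
    dynamic translation to pool 1 (203.0.113.66)
    translate_hits = 652581185, untranslate_hits = 31422081
  match ip inside any outside any
    dynamic translation to pool 18 (203.0.113.67)
    translate_hits = 0, untranslate_hits = 0
"""
SHOW_NAT_T1 = """\
  match ip inside 10.0.0.0 255.0.0.0 outside any
    dynamic translation to pool 1 (203.0.113.66)
    translate_hits = 652590621, untranslate_hits = 31422887
  match ip inside any outside any
    dynamic translation to pool 18 (203.0.113.67)
    translate_hits = 12, untranslate_hits = 0
"""

MATCH_RE = re.compile(r"^\s*(match ip \S+ .+?)\s*$")
HITS_RE = re.compile(r"translate_hits\s*=\s*(\d+),\s*untranslate_hits\s*=\s*(\d+)")

def parse_show_nat(text: str) -> Dict[str, Tuple[int, int]]:
    """Map each 'match ip ...' line to its (translate_hits, untranslate_hits)."""
    counters: Dict[str, Tuple[int, int]] = {}
    current = None
    for line in text.splitlines():
        m = MATCH_RE.match(line)
        if m:
            current = m.group(1)   # remember which statement the next hits belong to
            continue
        h = HITS_RE.search(line)
        if h and current is not None:
            counters[current] = (int(h.group(1)), int(h.group(2)))
            current = None
    return counters

def nat_hit_deltas(before: str, after: str) -> Dict[str, Tuple[int, int]]:
    """Counter growth per statement between two samples, without clearing counters."""
    a, b = parse_show_nat(before), parse_show_nat(after)
    return {k: (b[k][0] - a[k][0], b[k][1] - a[k][1]) for k in b if k in a}

def statements_with_new_hits(before: str, after: str) -> list:
    """Match lines whose translate_hits grew: a catch-all 'inside any' rule listed
    here is still translating real traffic and is not yet safe to remove."""
    return [k for k, (t, _) in nat_hit_deltas(before, after).items() if t > 0]
```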