Cisco ASA 5545-X Adaptive Security Appliance Troubleshooting Guide

The packet tracer utility can be used to diagnose most NAT-related issues on the ASA. See the next section
for more information about how the NAT configuration is used to build the NAT policy table, and how to
troubleshoot and resolve specific NAT problems.
Additionally, the show nat detail command can be used in order to understand which NAT rules are hit by
new connections.
How the ASA Configuration is Used to Build the NAT Policy Table
All packets processed by the ASA are evaluated against the NAT table. This evaluation starts at the top
(Section 1) and works down until a NAT rule is matched. Once a NAT rule is matched, that NAT rule is
applied to the connection and no more NAT policies are checked against the packet.
The NAT policy on the ASA is built from the NAT configuration.
The three sections of the ASA NAT table are:

Section 1: Manual NAT policies
    These are processed in the order in which they appear in the configuration.

Section 2: Auto NAT policies
    These are processed based on the NAT type (static or dynamic) and the prefix (subnet mask) length
    in the object.

Section 3: After-auto manual NAT policies
    These are processed in the order in which they appear in the configuration.
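To make the section ordering and the top-down first-match evaluation concrete, here is an added Python model of the NAT policy table; it is not code from this guide or from Cisco. It assumes the Section 2 ordering of static rules before dynamic ones and longer prefixes first (the remaining tie-break on lowest real address is a simplification), and every rule and address in it is constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class NatRule:
    name: str       # object name, or a label for a manual rule (constructed)
    real: str       # real (pre-translation) source network, e.g. "10.1.1.0/24"
    kind: str       # "static" or "dynamic"
    section: int    # 1 = manual NAT, 2 = auto (object) NAT, 3 = after-auto manual NAT
    order: int = 0  # position in the running config; orders Sections 1 and 3
    hits: int = 0   # mirrors the translate_hits counter shown by "show nat detail"

def auto_nat_key(rule):
    # Section 2 ordering: static before dynamic, then longer (more specific) prefix
    # first. The final tie-break on lowest real address is an assumption here.
    net = ip_network(rule.real)
    return (0 if rule.kind == "static" else 1, -net.prefixlen, net.network_address)

def build_nat_table(rules):
    """Build the ordered NAT policy table from the configured rules."""
    manual = sorted((r for r in rules if r.section == 1), key=lambda r: r.order)
    auto = sorted((r for r in rules if r.section == 2), key=auto_nat_key)
    after_auto = sorted((r for r in rules if r.section == 3), key=lambda r: r.order)
    return manual + auto + after_auto

def match_nat(table, src_ip):
    """Top-down first match: once a rule matches, no later rule is evaluated."""
    ip = ip_address(src_ip)
    for rule in table:
        if ip in ip_network(rule.real):
            rule.hits += 1
            return rule
    return None

# Constructed sample configuration. obj-host-a is a more specific /32, but it lives in
# Section 2, so the /24 manual rule in Section 1 still wins for 10.1.1.10.
CONFIG = [
    NatRule("MANUAL-DMZ", "10.1.1.0/24", "static", section=1, order=1),
    NatRule("obj-host-a", "10.1.1.10/32", "static", section=2),
    NatRule("obj-net-10", "10.1.0.0/16", "dynamic", section=2),
    NatRule("obj-srv", "10.2.2.0/24", "static", section=2),
    NatRule("PAT-ANY", "0.0.0.0/0", "dynamic", section=3, order=2),
]
NAT_TABLE = build_nat_table(CONFIG)

if __name__ == "__main__":
    for rule in NAT_TABLE:
        print(f"Section {rule.section}: {rule.name:12} {rule.real:15} {rule.kind}")
    for src in ("10.1.1.10", "10.1.5.5", "10.2.2.7", "192.168.1.1"):
        print(src, "->", match_nat(NAT_TABLE, src).name)
```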
This diagram shows the different NAT sections and how they are ordered:
This example shows how an ASA NAT configuration with two rules (one Manual NAT statement and one
Auto NAT configuration) is represented in the NAT table: