Cisco Cisco ASA 5545-X Adaptive Security Appliance 문제 해결 가이드
How to Troubleshoot NAT Problems
Use the Packet Tracer Utility
In order to troubleshoot problems with NAT configurations, use the packet tracer utility in order to verify that
a packet hits the NAT policy. Packet tracer allows you to specify a sample packet that enters the ASA, and the
ASA indicates what configuration applies to the packet and if it is permitted or not.
a packet hits the NAT policy. Packet tracer allows you to specify a sample packet that enters the ASA, and the
ASA indicates what configuration applies to the packet and if it is permitted or not.
In the example below, a sample TCP packet that enters the inside interface and is destined to a host on the
Internet is given. The packet tracer utility shows that the packet matches a dynamic NAT rule and is translated
to the outside IP address of 172.16.123.4:
Internet is given. The packet tracer utility shows that the packet matches a dynamic NAT rule and is translated
to the outside IP address of 172.16.123.4:
ASA# packet−tracer input inside tcp 10.10.10.123 12345 209.165.200.123 80
...(output omitted)...
Phase: 2
Type: NAT
Subtype:
Result: ALLOW
Config:
object network 10.10.10.0−net
nat (inside,outside) dynamic interface
Additional Information:
Dynamic translate 10.10.10.123/12345 to 172.16.123.4/12345
...(output omitted)...
Result:
input−interface: inside
input−status: up
input−line−status: up
output−interface: outside
output−status: up
output−line−status: up
Action: allow
ASA#