Cisco ASA 5545-X Adaptive Security Appliance Troubleshooting Guide

ASA Network Address Translation Configuration Troubleshooting
Document ID: 116388
Contributed by Jay Johnston, Cisco TAC Engineer.
Jan 15, 2014
Contents
Introduction
Troubleshoot NAT Configuration on the ASA
How the ASA Configuration is Used to Build the NAT Policy Table
How to Troubleshoot NAT Problems
     Use the Packet Tracer Utility
     View the Output of the Show Nat Command
     NAT Problem Troubleshooting Methodology
Common Problems with NAT Configurations
     Problem: Traffic fails due to NAT Reverse Path Failure (RPF) Error: Asymmetric NAT rules matched for forward and reverse flows
     Problem: Manual NAT Rules are out-of-order, which causes incorrect packet matches
     Problem: A NAT rule is too broad and matches some traffic inadvertently
     Problem: A NAT rule diverts traffic to an incorrect interface
     Problem: A NAT rule causes the ASA to Proxy Address Resolution Protocol (ARP) for traffic on the mapped interface
Related Information
Introduction
This document describes how to troubleshoot Network Address Translation (NAT) configuration on the Cisco
Adaptive Security Appliance (ASA) platform. This document is valid for ASA Version 8.3 and later.
Note: For some basic examples of NAT configurations, which include a video that shows a basic NAT
configuration, see the section Related Information at the bottom of this document.
Troubleshoot NAT Configuration on the ASA
When you troubleshoot NAT configurations, it is important to understand how the NAT configuration on the
ASA is used to build the NAT policy table.
These configuration mistakes account for the majority of the NAT problems encountered by ASA
administrators:
• The NAT configuration rules are out of order. For example, a manual NAT rule is placed at the top of
the NAT table, which causes more specific rules placed farther down the NAT table to never be hit.
• The network objects used in the NAT configuration are too broad, which causes traffic to
inadvertently match these NAT rules, and miss more specific NAT rules.
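Both mistakes listed above can be checked mechanically before a change is deployed. The following Python example is added here and is not part of the Cisco document or of any Cisco tool; it assumes a simplified model in which the NAT table is a flat, ordered, first-match list of rules, and its rule names, interface names and addresses are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class NatRule:
    name: str               # hypothetical label, not an ASA keyword
    ifaces: tuple           # (real interface, mapped interface)
    src: str                # real source network in CIDR form
    dst: str = "0.0.0.0/0"  # destination network; the default means "any"

def covers(outer, inner):
    """True when every address in `inner` also falls inside `outer`."""
    return ipaddress.ip_network(inner).subnet_of(ipaddress.ip_network(outer))

def first_match(table, ifaces, src_ip, dst_ip):
    """Walk the table top-down and return the first rule the packet matches."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in table:
        if (rule.ifaces == ifaces and src in ipaddress.ip_network(rule.src)
                and dst in ipaddress.ip_network(rule.dst)):
            return rule
    return None

def shadowed_rules(table):
    """Return (shadowed, shadowing) name pairs for rules that can never be hit."""
    findings = []
    for i, later in enumerate(table):
        for earlier in table[:i]:
            if (earlier.ifaces == later.ifaces and covers(earlier.src, later.src)
                    and covers(earlier.dst, later.dst)):
                findings.append((later.name, earlier.name))
                break  # one shadowing rule is enough to report
    return findings

PAIR = ("inside", "outside")
# Constructed table: a broad rule sits above two more specific ones.
BAD_ORDER = [
    NatRule("pat-all-inside", PAIR, "10.0.0.0/8"),
    NatRule("static-mail-server", PAIR, "10.1.1.25/32"),
    NatRule("vpn-exempt", PAIR, "10.1.1.0/24", "192.168.50.0/24"),
]
# The same rules with the most specific first and the broad rule last.
GOOD_ORDER = [BAD_ORDER[2], BAD_ORDER[1], BAD_ORDER[0]]

if __name__ == "__main__":
    for table in (BAD_ORDER, GOOD_ORDER):
        print(shadowed_rules(table))
        print(first_match(table, PAIR, "10.1.1.25", "203.0.113.10").name)
```

A rule that only partly overlaps an earlier one is not reported; only full coverage is, since that is the case in which the later rule is never hit.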