Hello Laz,
One more question based on the below NAT configuration. According to the below Cisco documentation, when traffic is initiated from INSIDE zone, translate_hits is supposed to increment and when traffic is initiated from DMZ zone, untranslate_hits is supposed to increment. Also, as per your previous statement, traffic initiated from DMZ will not be able to successfully connect to any IP address on the INSIDE zone based on the below NAT configuration. I have taken the below NAT rule from a production device and for some reason untranslate_hits is also incrementing. Would you please clarify that?
(INSIDE) to (DMZ) source static any any destination static DMZ-Servers DMZ-Servers no-proxy-arp
translate_hits = 242062, untranslate_hits = 246828
Source - Origin: 0.0.0.0/0, Translated: 0.0.0.0/0
Destination - Origin: 10.10.10.0/24 Translated: 10.10.10.0/24
The NAT configuration you have shared is a bidirectional NAT rule, which allows both INSIDE and DMZ hosts to initiate connections.
The translate_hits counter increments when the traffic is initiated from the INSIDE network to the DMZ network. The untranslate_hits counter increments when the traffic is initiated from the DMZ network to the INSIDE network.
The reason why untranslate_hits is also incrementing is because some traffic is being initiated from the DMZ network to the INSIDE network. It's worth noting that even though the traffic is initiated from the DMZ to the INSIDE, it doesn't necessarily mean the connection is successful. The success of the connection would depend on the security policies and access-lists on your firewall. So you can still have untranslate_hits incrementing even if the traffic is disallowed due to interface security rules.
Remember, NAT rules only define how the IP addresses are translated, but they do not define whether the traffic is allowed or not. That's where security policies come into play. Does that make sense?
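To make the distinction between the NAT counters and the access-list decision concrete, here is an added toy model (not Cisco code and not output from the device in the thread) of the quoted twice-NAT rule. It assumes, as a simplification, that a flow is classified by its ingress/egress interface pair, that the NAT lookup runs before the ingress interface ACL is consulted, and that a matching rule counts the hit even when the ACL then drops the connection. The ACL entries and the 192.168.1.x host addresses are constructed for the example; the 10.10.10.0/24 DMZ-Servers object comes from the thread.

```python
"""Toy model of a Cisco ASA twice-NAT (manual NAT) rule and its hit counters.

Added illustration, not Cisco code and not the thread's device output. It
models the rule quoted in the thread:

  nat (INSIDE,DMZ) source static any any destination static DMZ-Servers DMZ-Servers

Assumptions (simplified): a flow is classified by its ingress/egress interface
pair, the NAT lookup runs before the interface access-list is consulted, and a
matching rule counts the hit even if the ACL then drops the connection.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network


@dataclass
class TwiceNatRule:
    real_if: str           # interface named first: (INSIDE,DMZ) -> INSIDE
    mapped_if: str         # interface named second: (INSIDE,DMZ) -> DMZ
    src_real: IPv4Network
    src_mapped: IPv4Network
    dst_real: IPv4Network
    dst_mapped: IPv4Network
    translate_hits: int = 0
    untranslate_hits: int = 0

    def lookup(self, ingress_if, egress_if, src, dst):
        """Match a flow against the rule and bump the relevant counter.

        Forward (real -> mapped) matches the real source/destination objects
        and increments translate_hits; reverse (mapped -> real) matches the
        mapped objects with source/destination swapped and increments
        untranslate_hits. Returns "translate", "untranslate" or None.
        """
        s, d = ip_address(src), ip_address(dst)
        if (ingress_if, egress_if) == (self.real_if, self.mapped_if):
            if s in self.src_real and d in self.dst_real:
                self.translate_hits += 1
                return "translate"
        elif (ingress_if, egress_if) == (self.mapped_if, self.real_if):
            # Reverse flow: the packet's source is the rule's destination object.
            if s in self.dst_mapped and d in self.src_mapped:
                self.untranslate_hits += 1
                return "untranslate"
        return None


@dataclass
class AccessEntry:
    action: str            # "permit" or "deny"
    src: IPv4Network
    dst: IPv4Network


def acl_permits(entries, src, dst):
    """First-match interface ACL with the ASA-style implicit deny at the end."""
    s, d = ip_address(src), ip_address(dst)
    for e in entries:
        if s in e.src and d in e.dst:
            return e.action == "permit"
    return False


def process_flows(rule, acls, flows):
    """Run each flow through the NAT lookup, then the ingress interface ACL.

    flows: (ingress_if, egress_if, src, dst). Returns (direction, allowed)
    per flow; the NAT counters on `rule` are updated as a side effect even
    for flows the ACL denies, which is the behaviour discussed above.
    """
    results = []
    for ingress, egress, src, dst in flows:
        direction = rule.lookup(ingress, egress, src, dst)
        allowed = acl_permits(acls.get(ingress, []), src, dst)
        results.append((direction, allowed))
    return results


ANY = ip_network("0.0.0.0/0")
DMZ_SERVERS = ip_network("10.10.10.0/24")   # object from the thread's output


def demo():
    """Constructed traffic mix: one INSIDE-initiated flow, two DMZ-initiated."""
    rule = TwiceNatRule("INSIDE", "DMZ", ANY, ANY, DMZ_SERVERS, DMZ_SERVERS)
    acls = {
        "INSIDE": [AccessEntry("permit", ANY, ANY)],
        # DMZ may only reach one inside host (addresses are made up).
        "DMZ": [AccessEntry("permit", DMZ_SERVERS, ip_network("192.168.1.20/32"))],
    }
    flows = [
        ("INSIDE", "DMZ", "192.168.1.10", "10.10.10.5"),   # inside -> dmz server
        ("DMZ", "INSIDE", "10.10.10.5", "192.168.1.10"),   # dmz -> inside, denied
        ("DMZ", "INSIDE", "10.10.10.5", "192.168.1.20"),   # dmz -> inside, permitted
    ]
    results = process_flows(rule, acls, flows)
    return rule.translate_hits, rule.untranslate_hits, results


if __name__ == "__main__":
    t, u, res = demo()
    print(f"translate_hits = {t}, untranslate_hits = {u}")
    for direction, allowed in res:
        print(f"{direction:12s} allowed={allowed}")
```

Running it gives translate_hits = 1 and untranslate_hits = 2 even though only one of the two DMZ-initiated flows is permitted: the second DMZ flow still counted an untranslate hit before the DMZ interface ACL dropped it, which is why a rule can show rising untranslate_hits without any successful DMZ-to-INSIDE connections.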