Ifc Selected Is Not Same as Preferred Ifc Doing Route Lookup Again on Ifc Inside
Thanks to @bobmccouch who responded multiple times to my frustrated tweeting about Cisco ASA packet forwarding weirdness today. He pointed out some crucial forwarding behavior related to 8.3.1 and higher NAT, including some changes introduced as of 8.4.2. (Follow Bob. He tweets nerdy.)
So…here's the thing. A Cisco ASA does not always determine the egress interface of a packet based on the routing table. Instead, it's possible that a NAT rule is overriding the routing table. What Cisco says about this is as follows, taken from their official configuration documentation for the ASA:
Determining the Egress Interface
In transparent mode, the ASA determines the egress interface for a NAT packet by using the NAT configuration; you must specify the source and destination interfaces as part of the NAT configuration.
In routed mode, the ASA determines the egress interface for a NAT packet in the following way:
- If you specify an optional interface, then the ASA uses the NAT configuration to determine the egress interface. (8.3(1) through 8.4(1)) The only exception is for identity NAT, which always uses a route lookup, regardless of the NAT configuration. (8.4(2) and later) For identity NAT, the default behavior is to use the NAT configuration, but you have the option to always use a route lookup instead.
- If you do not specify a specific interface, then the ASA uses a route lookup to determine the egress interface.
My scenario is a routed firewall, not transparent. So, to reword Cisco's docs as I'm understanding them, if you've got a NAT rule that matches a particular packet, then the interface the translated packet will use to get out the firewall will be determined by your NAT rule destination interface (if you specified one), and NOT THE ROUTING TABLE. If you don't like this behavior, you can use the "route-lookup" directive at the end of your NAT statement, or the comparable checkbox in ASDM, "Lookup route table to locate egress interface".
If you use identity NAT (translating a packet to itself, common with VPN firewalls), note that up through 8.4.1, the ASA would always do a route lookup to determine the egress interface. But as of 8.4.2 and higher, the ASA will not do a route lookup on identity NATs by default. Therefore, you might need to re-think your identity NAT ruleset to make sure that your NAT rules aren't forwarding differently than what the routing table indicates, assuming that's important to you. I've seen exactly this happen – traffic getting sent out the outside interface of a firewall due to a NAT rule, when intuitively the traffic should have been routing out the inside interface if the only thing weighing on the ASA's forwarding decision was the routing table. This sort of behavior can drive someone mad until you realize that NAT has this ability to take precedence over routing depending on how the NAT rule was written.
Playing with this a bit on an ASA running 8.4.3, I found out that neither ASDM nor the CLI would let me put the "route-lookup" directive after the NAT statement unless both the source and destination interfaces were defined. If either the source or destination interface was "any", the "route-lookup" directive was simply not there.
nat (Inside,any) source static RFC1918 RFC1918 destination static Encrypt_McMurdo-Station Encrypt_McMurdo-Station ?
configure mode commands/options:
  description     Specify NAT rule description
  inactive        Disable a NAT rule
  no-proxy-arp    Disable proxy ARP on egress interface
  service         NAT service parameters
  unidirectional  Enable per-session NAT
  <cr>

nat (any,Inside) source static RFC1918 RFC1918 destination static Encrypt_McMurdo-Station Encrypt_McMurdo-Station ?
configure mode commands/options:
  description     Specify NAT rule description
  inactive        Disable a NAT rule
  no-proxy-arp    Disable proxy ARP on egress interface
  service         NAT service parameters
  unidirectional  Enable per-session NAT
  <cr>

nat (Inside,Net) source static RFC1918 RFC1918 destination static Encrypt_McMurdo-Station Encrypt_McMurdo-Station ?
configure mode commands/options:
  description     Specify NAT rule description
  inactive        Disable a NAT rule
  no-proxy-arp    Disable proxy ARP on egress interface
  route-lookup    Perform route lookup for this rule
  service         NAT service parameters
  unidirectional  Enable per-session NAT
  <cr>
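To make the decision rules concrete, here is an added example (not code from the original post, and not anything Cisco ships): a small Python model of how the ASA picks the egress interface for a packet that matches a twice-NAT "source static" rule, following the Cisco rules quoted above and the CLI observation that "route-lookup" is only accepted when both interfaces are named. The interface names (Inside, Outside), the routing table, the object names and the NAT lines are constructed sample data, not the author's configuration; the version thresholds are the ones the post describes.

```python
# Added example: model of ASA egress-interface selection for NAT-matched packets.
# Assumptions (constructed, not from the original post): interface names
# Inside/Outside, the sample routing table, and the object names used below.
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Tuple

# Matches: nat (src,dst) source static REAL MAPPED [destination static R M] [options...]
NAT_RE = re.compile(
    r"^nat \((?P<src_ifc>[^,]+),(?P<dst_ifc>[^)]+)\) source static "
    r"(?P<real>\S+) (?P<mapped>\S+)"
    r"(?: destination static (?P<dreal>\S+) (?P<dmapped>\S+))?"
    r"(?P<opts>(?: \S+)*)$"
)


@dataclass
class NatRule:
    src_ifc: str
    dst_ifc: str
    real: str
    mapped: str
    route_lookup: bool

    @property
    def identity(self) -> bool:
        # Identity NAT: the real object is translated to itself.
        return self.real == self.mapped


def parse_nat(line: str) -> NatRule:
    """Parse one twice-NAT line; reject route-lookup when an interface is 'any'."""
    m = NAT_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported NAT syntax: {line!r}")
    opts = m.group("opts").split()
    rule = NatRule(m.group("src_ifc"), m.group("dst_ifc"),
                   m.group("real"), m.group("mapped"), "route-lookup" in opts)
    if rule.route_lookup and "any" in (rule.src_ifc.lower(), rule.dst_ifc.lower()):
        # Mirrors the CLI: the keyword is not offered unless both ifcs are named.
        raise ValueError("route-lookup requires both interfaces to be named")
    return rule


def route_lookup(dst_ip: str, routes: List[Tuple[str, str]]) -> str:
    """Longest-prefix match over a (prefix, interface) routing table."""
    ip = ipaddress.ip_address(dst_ip)
    best = None
    for prefix, ifc in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifc)
    if best is None:
        raise LookupError(f"no route to {dst_ip}")
    return best[1]


def egress_interface(rule: NatRule, version: Tuple[int, int, int],
                     dst_ip: str, routes: List[Tuple[str, str]]) -> Tuple[str, str]:
    """Return (egress interface, reason) for a packet matching `rule`."""
    if rule.dst_ifc.lower() == "any":
        return route_lookup(dst_ip, routes), "no destination ifc in NAT rule: route lookup"
    if rule.route_lookup:
        return route_lookup(dst_ip, routes), "route-lookup keyword: route lookup"
    if rule.identity and version < (8, 4, 2):
        return route_lookup(dst_ip, routes), "identity NAT before 8.4(2): route lookup"
    return rule.dst_ifc, "NAT rule destination interface overrides the routing table"


# Constructed sample: the routing table reaches 10.0.0.0/8 via Inside, but an
# identity NAT rule names Outside as its destination interface.
SAMPLE_ROUTES = [("10.0.0.0/8", "Inside"), ("0.0.0.0/0", "Outside")]
IDENTITY_RULE = ("nat (Inside,Outside) source static RFC1918 RFC1918 "
                 "destination static Remote_Site Remote_Site")


def demo(version: Tuple[int, int, int]) -> Tuple[str, str]:
    """Where does a packet to 10.20.30.40 leave, on a given ASA version?"""
    return egress_interface(parse_nat(IDENTITY_RULE), version, "10.20.30.40", SAMPLE_ROUTES)


if __name__ == "__main__":
    for v in ((8, 4, 1), (8, 4, 3)):
        ifc, why = demo(v)
        print(f"ASA {v[0]}.{v[1]}({v[2]}): egress {ifc}  ({why})")
```

Running it shows the same identity NAT rule sending the packet out Inside on 8.4(1) and out Outside on 8.4(3); appending `route-lookup` to the rule, or leaving the destination interface as `any`, puts the routing table back in charge. When auditing a VPN firewall after an upgrade past 8.4(2), comparing every identity NAT rule's destination interface against what the routing table would choose is the check this model automates.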
I am more convinced than ever that it's a mistake to think of the ASA as a router. The device simply does not follow the packet forwarding logic of Cisco IOS. If you need a device to perform VPN termination while truly acting like an IOS router, then the answer is…an IOS router. And if you object to using an IOS box for VPN tunnel termination because you love the HA functionality of Cisco ASA firewall pairs, let me point out that Cisco does offer stateful failover for IPsec on IOS. You've got options.
Source: https://packetpushers.net/understanding-when-a-cisco-asa-nat-rule-can-override-the-asa-routing-table/