Anantha,

Destination XLATE means an XLATE for the return traffic. For example, if you
PAT some traffic inside->outside (source translation), the return traffic
will be destined to the PAT IP address and port (so to undo the translation,
destination IP and port will be untranslated to the original IP and port).
Now if the original translation took place when the traffic was flowing
inside->outside, it means that the return traffic will be directed to the
inside interface - route recursion happens based on the XLATE.

Note that you still need to have a valid route for that untranslated IP
address (e.g. to find a NH) and only routes that recurse towards the
XLATE-chosen interface are considered.

Regards,
Piotr K


On Tue, Jul 6, 2010 at 11:22 PM, Anantha Subramanian Natarajan <
[email protected]> wrote:

> Hi All,
>
>   I was going through the IP Routing chapter on the ASA Configuration guide
> and trying to understand the term "*destination IP translating XLATE*"
> on the below paragraph. Does that mean, if a translating entry already exists
> on the XLATE table?
>
> 1. If *destination IP translating XLATE* already exists, the egress
> interface for the packet is determined
> from the XLATE table, but not from the routing table.
>
> 2. If destination IP translating XLATE does not exist, but a matching
> static translation exists, then the
> egress interface is determined from the static route and an XLATE is
> created, and the routing table
> is not used.
>
> 3. If destination IP translating XLATE does not exist and no matching
> static translation exists, the
> packet is not destination IP translated. The adaptive security appliance
> processes this packet by
> looking up the route to select egress interface, then source IP translation
> is performed (if necessary).
> For regular dynamic outbound NAT, initial outgoing packets are routed using
> the route table and
> then creating the XLATE. Incoming return packets are forwarded using
> existing XLATE only. For
> static NAT, destination translated incoming packets are always forwarded
> using existing XLATE or
> static translation rules.
>
> Thanks for the help
>
> Regards
> Anantha Subramanian Natarajan
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
>


-- 
Piotr Kaluzny
CCIE #25665 (Security), CCSP, CCNP
Sr. Support Engineer - IPexpert, Inc.
URL: http://www.IPexpert.com
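
A simplified model of the lookup order discussed in this thread, added here as an illustration (not Cisco's code and not written by either poster); the addresses, interface names, table layouts and function names are constructed assumptions. It goes slightly beyond the thread by including a case where plain longest-prefix routing would pick a different interface than the XLATE does.

```python
import ipaddress

# Constructed sample state (hypothetical addresses and interface names).
ROUTES = [  # (prefix, egress interface, next hop)
    ("10.1.1.0/24", "inside", "10.0.0.2"),
    ("10.1.1.0/25", "dmz", "172.16.0.2"),   # more specific, but on another interface
    ("172.16.5.0/24", "dmz", "172.16.0.2"),
    ("0.0.0.0/0", "outside", "203.0.113.1"),
]
STATICS = {"203.0.113.10": ("dmz", "172.16.5.5")}  # mapped IP -> (real interface, real IP)


def lookup_route(dst, only_iface=None):
    """Longest-prefix match, optionally restricted to routes out of one interface."""
    best = None
    for prefix, iface, nh in ROUTES:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and only_iface in (None, iface):
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, iface, nh)
    return best and (best[1], best[2])


def select_egress(dst_ip, dst_port, xlates):
    """Return (egress interface, untranslated dst IP, next hop, reason), or None for a drop."""
    key = (dst_ip, dst_port)
    if key in xlates:                # case 1: existing XLATE picks the interface
        iface, real_ip, _real_port = xlates[key]
        reason = "xlate"
    elif dst_ip in STATICS:          # case 2: static rule picks it and an XLATE is created
        iface, real_ip = STATICS[dst_ip]
        xlates[key] = (iface, real_ip, dst_port)
        reason = "static"
    else:                            # case 3: no destination translation, plain routing
        hit = lookup_route(dst_ip)
        return hit and (hit[0], dst_ip, hit[1], "route")
    # The next hop still comes from the routing table, but only routes that
    # point out of the interface NAT already chose are considered.
    hit = lookup_route(real_ip, only_iface=iface)
    return hit and (iface, real_ip, hit[1], reason)
```
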