Hi Kings,

Static entry (issuing the command) is a form of a pre-built XLATE. In other words it creates a fixed slot automatically just after you issue the command. This is why you can initiate the traffic to the translated address.

I cannot test it now, but in older versions traffic had to be initiated (either outgoing or incoming to the translated IP) for this entry to show up in "show xlate" (it disappeared when you issued clear xlate or after a reboot) - this may be the reason for point 2.

Either way, when the traffic is flowing, it will be matched by the XLATE table (no matter dynamic or static).

Regards,
Piotr K

On Wed, Jul 7, 2010 at 9:59 AM, Kingsley Charles <[email protected]> wrote:
> Hi Piotr
>
> The 2nd point informs us that a matching static rule is considered when
> there is no translating xlate and the static translation is used. The return
> traffic can't use the static translation and create a xlate. Please clarify.
>
> "If destination IP translating XLATE does not exist, but a matching static
> translation exists, then the egress interface is determined from the static
> route and an XLATE is created, and the routing table is not used."
>
> With regards
> Kings
>
> On Wed, Jul 7, 2010 at 1:15 PM, Piotr Kaluzny <[email protected]> wrote:
>
>> Anantha,
>>
>> Destination XLATE means an XLATE for the return traffic. For example, if
>> you PAT some traffic inside->outside (source translation), the return
>> traffic will be destined to the PAT IP address and port (so to undo the
>> translation, destination IP and port will be untranslated to the original IP
>> and port). Now if the original translation took place when the traffic was
>> flowing inside->outside, it means that the return traffic will be directed
>> to the inside interface - route recursion happens based on the XLATE.
>>
>> Note that you still need to have a valid route for that untranslated IP
>> address (e.g. to find a NH) and only routes that recurse towards the
>> XLATE-chosen interface are considered.
>>
>> Regards,
>> Piotr K
>>
>> On Tue, Jul 6, 2010 at 11:22 PM, Anantha Subramanian Natarajan <[email protected]> wrote:
>>
>>> Hi All,
>>>
>>> I was going through the IP Routing chapter on the ASA Configuration
>>> guide and trying to understand the term "*destination IP translating
>>> XLATE*" in the paragraph below. Does that mean a translating entry
>>> already exists in the XLATE table?
>>>
>>> 1. If *destination IP translating XLATE* already exists, the egress
>>> interface for the packet is determined from the XLATE table, but not
>>> from the routing table.
>>>
>>> 2. If destination IP translating XLATE does not exist, but a matching
>>> static translation exists, then the egress interface is determined from
>>> the static route and an XLATE is created, and the routing table is not used.
>>>
>>> 3. If destination IP translating XLATE does not exist and no matching
>>> static translation exists, the packet is not destination IP translated.
>>> The adaptive security appliance processes this packet by looking up the
>>> route to select egress interface, then source IP translation is performed
>>> (if necessary). For regular dynamic outbound NAT, initial outgoing packets
>>> are routed using the route table and then creating the XLATE. Incoming
>>> return packets are forwarded using existing XLATE only. For static NAT,
>>> destination translated incoming packets are always forwarded using
>>> existing XLATE or static translation rules.
>>>
>>> Thanks for the help
>>>
>>> Regards
>>> Anantha Subramanian Natarajan
>>>
>>> _______________________________________________
>>> For more information regarding industry leading CCIE Lab training, please
>>> visit www.ipexpert.com
>>
>> --
>> Piotr Kaluzny
>> CCIE #25665 (Security), CCSP, CCNP
>> Sr. Support Engineer - IPexpert, Inc.
>> URL: http://www.IPexpert.com

--
Piotr Kaluzny
CCIE #25665 (Security), CCSP, CCNP
Sr. Support Engineer - IPexpert, Inc.
URL: http://www.IPexpert.com
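The three rules quoted from the configuration guide, together with Piotr's two points (a static behaves like a pre-built XLATE slot, and after the XLATE picks the interface only routes recursing towards that interface count for the next hop), can be written down as one decision function and exercised with a few packets. The Python below is an added illustration for this thread; it is not ASA code and not something posted on the list. The interface names, addresses, the Xlate/Static/DynamicPat/Route structures and the port-less PAT are all constructed assumptions for the example.

```python
"""Toy model of how the ASA picks the egress interface for a packet, following
the three rules quoted from the ASA configuration guide in this thread.
Constructed illustration only, not ASA code; all names and addresses are
assumptions. Ports are omitted from the PAT slot to keep the model short."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Xlate:
    """One slot of the XLATE table ("show xlate"): global <-> local mapping
    and the interface pair the slot was built on."""
    global_ip: str
    global_ifc: str
    local_ip: str
    local_ifc: str


@dataclass(frozen=True)
class Static:
    """A static NAT rule; acts as a pre-built XLATE (Piotr's point)."""
    global_ip: str
    global_ifc: str
    local_ip: str
    local_ifc: str


@dataclass(frozen=True)
class DynamicPat:
    """Dynamic PAT for a local prefix leaving local_ifc towards global_ifc."""
    local_net: str
    local_ifc: str
    pat_ip: str
    global_ifc: str


@dataclass(frozen=True)
class Route:
    prefix: str
    ifc: str
    next_hop: str


class Asa:
    def __init__(self, routes, statics, pats):
        self.routes = list(routes)
        self.statics = list(statics)
        self.pats = list(pats)
        self.xlates = []  # filled as traffic flows, like "show xlate"

    def lookup_route(self, dst: str, ifc: Optional[str] = None) -> Optional[Route]:
        """Longest-prefix match. When ifc is given, only routes that recurse
        towards that (XLATE-chosen) interface are considered for the NH."""
        best = None
        for r in self.routes:
            net = ip_network(r.prefix)
            if ip_address(dst) not in net or (ifc and r.ifc != ifc):
                continue
            if best is None or net.prefixlen > ip_network(best.prefix).prefixlen:
                best = r
        return best

    def forward(self, src: str, dst: str, ingress: str) -> dict:
        """Decide egress for a packet src -> dst arriving on `ingress`. Returns
        the rule that decided, the egress interface, the untranslated
        destination and the next hop (None means no usable route)."""
        # Rule 1: a destination-translating XLATE exists; egress comes from
        # the XLATE, the routing table is only consulted for the NH on it.
        for x in self.xlates:
            if x.global_ip == dst and x.global_ifc == ingress:
                nh = self.lookup_route(x.local_ip, x.local_ifc)
                return {"rule": 1, "egress": x.local_ifc, "dst": x.local_ip,
                        "next_hop": nh.next_hop if nh else None}
        # Rule 2: no XLATE but a matching static; egress comes from the static
        # and the XLATE slot is created now (the "pre-built XLATE").
        for s in self.statics:
            if s.global_ip == dst and s.global_ifc == ingress:
                self.xlates.append(Xlate(s.global_ip, s.global_ifc, s.local_ip, s.local_ifc))
                nh = self.lookup_route(s.local_ip, s.local_ifc)
                return {"rule": 2, "egress": s.local_ifc, "dst": s.local_ip,
                        "next_hop": nh.next_hop if nh else None}
        # Rule 3: not destination translated; the routing table picks egress,
        # then dynamic source translation (if any) builds the XLATE that the
        # return traffic will hit under rule 1.
        r = self.lookup_route(dst)
        if r is None:
            return {"rule": 3, "egress": None, "dst": dst, "next_hop": None}
        for p in self.pats:
            if (ip_address(src) in ip_network(p.local_net)
                    and p.local_ifc == ingress and p.global_ifc == r.ifc):
                self.xlates.append(Xlate(p.pat_ip, p.global_ifc, src, p.local_ifc))
                break
        return {"rule": 3, "egress": r.ifc, "dst": dst, "next_hop": r.next_hop}


def build_demo() -> Asa:
    """Constructed topology: inside 10.0.0.0/8, dmz 192.168.0.0/16, outside."""
    return Asa(
        routes=[Route("0.0.0.0/0", "outside", "203.0.113.254"),
                Route("10.0.0.0/8", "inside", "10.0.0.1"),
                Route("192.168.0.0/16", "dmz", "192.168.0.1")],
        statics=[Static("203.0.113.10", "outside", "192.168.1.10", "dmz")],
        pats=[DynamicPat("10.0.0.0/8", "inside", "203.0.113.1", "outside")],
    )


def demo() -> list:
    asa = build_demo()
    # Inbound to the static: the first packet hits rule 2 and creates the
    # slot, the second hits that slot under rule 1; neither uses the route
    # table to choose egress (it only supplies the NH on dmz).
    first = asa.forward("198.51.100.7", "203.0.113.10", "outside")
    second = asa.forward("198.51.100.7", "203.0.113.10", "outside")
    # Dynamic PAT outbound: rule 3 routes it and builds the XLATE; the reply
    # to the PAT address is then steered back to inside by that XLATE.
    out = asa.forward("10.1.1.5", "198.51.100.7", "inside")
    back = asa.forward("198.51.100.7", "203.0.113.1", "outside")
    return [first, second, out, back]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Running it shows the asymmetry Kings asked about: traffic towards a static's translated address is always handled by the static/XLATE (rules 2 then 1) and never by the routing table, while a dynamic PAT flow is routed first and only its return packets are XLATE-driven.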
