Hi Joe,

For ASA code in both pre 8.3 and 8.3+, routing will be post-NAT. I don't
know the exact reasoning for this but I can speculate that it is to both
route based on 'real ip' (simplifies routing table) as well as to allow for
simpler implementation of 'route-lookup' NAT function. The order of
operations also changes between pre-8.3 and 8.3+ for the "Access-Control" and
"NAT" steps (ACL done before NAT in pre-8.3, NAT done before ACL in 8.3+).

If routing were to happen pre-NAT, then consider the following example:

* You have 12.232.232.0/24 address space.
* Your outside interface is assigned 12.232.232.80.
* The whole 12.232.232.0/24 network is then directly connected to the
outside interface. So any incoming packet being routed first would want to
hairpin and not reach its correct destination. Additionally, RPF check would
fail for NAT (unless NAT specifies outside,outside) so the packet would be
dropped.
* Because, in reality, routing happens after NAT, an incoming packet can be
un-NATed to, for example, DMZ address 192.168.232.x and routed accordingly.

Hope I was helpful.

Good studies,

Kevin Sheahan
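To make the order of operations in Kevin's reply concrete, here is a small Python model of just those two steps (un-NAT, then route lookup on the post-NAT address) run against both Joe's two route statements and Kevin's hairpin scenario. It is an added illustration, not ASA code or anything posted on the list, and it deliberately models nothing else in the packet path (no ACL, no RPF, no xlate state). The connected subnets, the next hop 203.0.113.1 and the DMZ host 192.168.232.10 are constructed assumptions, since the thread does not give them.

```python
"""Toy model of two ASA 8.2 packet-path steps: un-NAT, then route lookup.

Added illustration only; not ASA code. The "route_first" order exists only
to show what Joe assumed, and "nat_first" is the order the thread describes.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Static:
    """static (real_ifc,mapped_ifc) mapped_ip real_ip netmask 255.255.255.255"""
    real_ifc: str
    mapped_ifc: str
    mapped_ip: str
    real_ip: str


@dataclass(frozen=True)
class Route:
    """route <ifc> <network> <mask> <next_hop>; the network is written as CIDR here."""
    ifc: str
    network: str
    next_hop: str


class Asa:
    def __init__(self, statics, routes, connected):
        self.statics = list(statics)
        self.routes = list(routes)
        self.connected = dict(connected)  # interface -> directly connected CIDR

    def un_nat(self, ingress_ifc, dst):
        """Translate the destination of a packet arriving on a static's mapped side."""
        for s in self.statics:
            if s.mapped_ifc == ingress_ifc and s.mapped_ip == dst:
                return s.real_ip
        return dst

    def route_lookup(self, dst):
        """Longest-prefix match over static and connected routes; None means no route."""
        addr = ipaddress.ip_address(dst)
        candidates = [(ipaddress.ip_network(r.network), r.ifc) for r in self.routes]
        candidates += [(ipaddress.ip_network(n), ifc) for ifc, n in self.connected.items()]
        best = None
        for net, ifc in candidates:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, ifc)
        return best[1] if best else None

    def forward(self, ingress_ifc, dst, order="nat_first"):
        """Return (post-NAT destination, egress interface) under the chosen order."""
        if order == "nat_first":            # the order the thread describes for 8.2
            real = self.un_nat(ingress_ifc, dst)
            return real, self.route_lookup(real)
        egress = self.route_lookup(dst)     # Joe's assumed "route first" order
        return self.un_nat(ingress_ifc, dst), egress


# Joe's static from the thread. Connected subnets and next hop are constructed
# (assumption): 203.0.113.0/24 is a documentation prefix standing in for outside.
JOE_STATIC = Static("outside", "inside", "192.168.10.241", "10.12.20.56")
JOE_CONNECTED = {"inside": "192.168.10.0/24", "outside": "203.0.113.0/24"}


def joe_route_for_mapped(order="nat_first"):
    """His first attempt: route outside 192.168.10.241 255.255.255.255 <next_hop>."""
    asa = Asa([JOE_STATIC], [Route("outside", "192.168.10.241/32", "203.0.113.1")], JOE_CONNECTED)
    return asa.forward("inside", "192.168.10.241", order)


def joe_route_for_real(order="nat_first"):
    """What worked: route outside 10.12.20.56 255.255.255.255 <next_hop>."""
    asa = Asa([JOE_STATIC], [Route("outside", "10.12.20.56/32", "203.0.113.1")], JOE_CONNECTED)
    return asa.forward("inside", "192.168.10.241", order)


# Kevin's hairpin example: all of 12.232.232.0/24 is connected on outside.
# The DMZ host 192.168.232.10 and the DMZ subnet are constructed (assumption).
KEVIN_STATIC = Static("dmz", "outside", "12.232.232.10", "192.168.232.10")
KEVIN_CONNECTED = {"outside": "12.232.232.0/24", "dmz": "192.168.232.0/24"}


def kevin_inbound(order="nat_first"):
    """Inbound packet from the Internet to the public address of the DMZ host."""
    asa = Asa([KEVIN_STATIC], [], KEVIN_CONNECTED)
    return asa.forward("outside", "12.232.232.10", order)


if __name__ == "__main__":
    for name, fn in [("joe/mapped", joe_route_for_mapped),
                     ("joe/real", joe_route_for_real),
                     ("kevin/inbound", kevin_inbound)]:
        for order in ("route_first", "nat_first"):
            print(f"{name:14} {order:12} -> {fn(order)}")
```

Under the route-first order Joe assumed, his `/32` for the mapped address 192.168.10.241 would have sent the packet out outside; under the NAT-first order the lookup is done on 10.12.20.56, which matches nothing, so the packet has no route until a route for the real address exists. Kevin's inbound packet shows the other half of the argument: routed before un-NAT it matches the connected outside subnet and hairpins, routed after un-NAT it goes to the DMZ.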

From:  Joe Astorino <[email protected]>
Date:  Monday, April 22, 2013 3:50 PM
To:  OSL Security <[email protected]>
Subject:  [OSL | CCIE_Security] 8.2 static outside NAT

I could really use some clarification here. Here is my setup

ASA running 8.2 code.  nat-control is not enforced.  Requirement is that
traffic destined to 192.168.10.241 on the inside will have the destination
translated to 10.12.20.56 on the outside.  Conversely, traffic sourced from
10.12.20.56 on the outside will have its source translated to
192.168.10.241 on the inside.

My solution

static (outside,inside) 192.168.10.241 10.12.20.56 netmask 255.255.255.255


Now, I assumed going from inside --> outside routing happens first.  So, I
added a route like so

route outside 192.168.10.241 255.255.255.255 outside_next_hop

This failed to work.  Only when I add a static route pointing outside for
the REAL address does this work.  This is baffling me.

Also, when running packet-tracer the first step is UN-NAT which I've never
heard of before and can't find much information on.  Can anybody explain why
routing is happening POST nat here???
-- 
Regards,

Joe Astorino
CCIE #24347
http://astorinonetworks.com

"He not busy being born is busy dying" - Dylan
_______________________________________________ For more information
regarding industry leading CCIE Lab training, please visit www.ipexpert.com
Are you a CCNP or CCIE and looking for a job? Check out
www.PlatinumPlacement.com
