Hi Joe,
First, routing is checked to see what the egress interface is, so that the
ASA can guess if a connection is Inbound or Outbound. Then, if you have an
xlate for that packet, the xlate will tell the ASA where to forward the packet
to. Finally, when the packet is virtually sent to the egress interface
(based on the xlate), the ASA resolves the L3 next hop, and here it checks
the routing table again. If the route is different, the packet is dropped.
Check it with 'sh asp drop'.
Regards,
Piotr Matusiak
On 4/22/13 9:50 PM, Joe Astorino wrote:
I could really use some clarification here. Here is my setup:
ASA running 8.2 code. nat-control is not enforced. Requirement is
that traffic destined to 192.168.10.241 on the inside will have the
destination translated to 10.12.20.56 on the outside. Conversely,
traffic sourced from 10.12.20.56 on the outside will have its source
translated to 192.168.10.241 on the inside.
My solution:
static (outside,inside) 192.168.10.241 10.12.20.56 netmask 255.255.255.255
Now, I assumed going from inside --> outside routing happens first.
So, I added a route like so:
route (outside) 192.168.10.241 255.255.255.255 outside_next_hop
This failed to work. Only when I add a static route pointing outside
for the REAL address does this work. This is baffling me.
Also, when running packet-tracer the first step is UN-NAT which I've
never heard of before and can't find much information on. Can anybody
explain why routing is happening POST nat here???
--
Regards,
Joe Astorino
CCIE #24347
http://astorinonetworks.com
"He not busy being born is busy dying" - Dylan
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit
www.ipexpert.com
Are you a CCNP or CCIE and looking for a job? Check out
www.PlatinumPlacement.com