Thanks Piotr. So in this case I do not have a route for the mapped address anywhere. I only have a default-route pointing inside. In my case, based on what you are saying the following would happen
- routing is checked for 192.168.10.241. There is no route. Default route matches pointing INSIDE - static translation tells the ASA to forward the packet OUTSIDE - packet is virtually sent to egress interface and it checks routing table. Default route again points INSIDE. - Packet is dropped. That is not what I'm seeing though. When I have a specific route for the real address and no specific route at all (except the default) for the mapped address it works On Mon, Apr 22, 2013 at 4:53 PM, Piotr Matusiak <[email protected]> wrote: > Hi Joe, > > First routing is checked to see what is the egress interface so that the > ASA can guess if a connection is Inbound or Outbound. Then, if you have > xlate for that packet, the xlate will tell ASA where to forward packet to. > Finally, when the packet is virtually sent to the egress interface (based > on the xlate) ASA resolves L3 next hop, and here it checks routing table > again. If the route is different, the packet is dropped. Check it with 'sh > asp drop'. > > Regards, > Piotr Matusiak > > > > On 4/22/13 9:50 PM, Joe Astorino wrote: > > I could really use some clarification here. Here is my setup > > ASA running 8.2 code. nat-control is not enforced. Requirement is that > traffic destined to 192.168.10.241 on the inside will have the destination > translated to 10.12.20.56 on the outside. Conversely, traffic sourced from > 10.12.20.56 on the outside will have it's source translated to > 192.168.10.241 on the inside. > > My solution > > static (outside,inside) 192.168.10.241 10.12.20.56 netmask > 255.255.255.255 > > > Now, I assumed going from inside --> outside routing happens first. So, > I added a route like so > route (outside) 192.168.10.241 255.255.255.255 outside_next_hop > > This failed to work. Only when I add a static route pointing outside > for the REAL address does this work. This is baffling me. > > Also, when running packet-tracer the first step is UN-NAT which I've > never heard of before and can't find much information on. Can anybody > explain why routing is happening POST nat here??? > -- > Regards, > > Joe Astorino > CCIE #24347 > http://astorinonetworks.com > > "He not busy being born is busy dying" - Dylan > > > _______________________________________________ > For more information regarding industry leading CCIE Lab training, please > visit www.ipexpert.com > > Are you a CCNP or CCIE and looking for a job? Check out > www.PlatinumPlacement.com > > > -- Regards, Joe Astorino CCIE #24347 http://astorinonetworks.com "He not busy being born is busy dying" - Dylan
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
