Re: OT:Understanding ASA Routing from Piotr Matusiak on 2010-08-12 (Ccielab archives 08/2010)

From: Piotr Matusiak <pitt2k_at_gmail.com>
Date: Thu, 12 Aug 2010 15:41:01 +0200

Hi,

I think it is pretty good explained. It simply states that ASA uses its
translation table to determine egress interface. If there is no xlate in the
table then the ASA uses its routing table.
Remember that static translation is always in the table, so that it will be
always used instead of routing table.

To test that, simply configure 'wrong' static translation and you'll see
that packet is going to wrong egress interface (even though you have correct
entry in the routing table).

Let me know if you need more info.

HTH,

--
Piotr Matusiak
CCIE #19860 (R&S, Security)
Technical Instructor
website: www.MicronicsTraining.com
blog: www.ccie1.com
If you can't explain it simply, you don't understand it well enough -
Albert Einstein
2010/8/12 karim jamali <karim.jamali_at_gmail.com>
> Dear Experts,
>
> I am going through routing on the ASA using the below document:
>
>
http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/ip.htm
l
>
> can someone help me understand what the 3 bullets below are referencing
> exactly? I would be very grateful for your help.
> Egress Interface Selection Process
>
> * 1. *If destination IP translating XLATE already exists, the egress
> interface for the packet is determined from the XLATE table, but not from
> the routing table.
>
> * 2. *If destination IP translating XLATE does not exist, but a matching
> static translation exists, then the egress interface is determined from the
> static route and an XLATE is created, and the routing table is not used.
>
> * 3. *If destination IP translating XLATE does not exist and no matching
> static translation exists, the packet is not destination IP translated. The
> security appliance processes this packet by looking up the route to select
> egress interface, then source IP translation is performed (if necessary).
>
> For regular dynamic outbound NAT, initial outgoing packets are routed using
> the route table and then creating the XLATE. Incoming return packets are
> forwarded using existing XLATE only. For static NAT, destination translated
> incoming packets are always forwarded using existing XLATE or static
> translation rules.
> Thank You
>
> --
> KJ
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
Blogs and organic groups at http://www.ccie.net

Received on Thu Aug 12 2010 - 15:41:01 ART

This archive was generated by hypermail 2.2.0 : Wed Sep 01 2010 - 11:20:52 ART