Hi,
When you use PAT (Dynamic NAT overload) you configure nat and global
commands, right?
Thus, there is no info about any translation in the xlate table. So, the
very first packet going out will be sent out using the routing table and at
the same time it will create an xlate entry. The returning packet will be
using that xlate entry to route the traffic back to the source.
HTH,
--
Piotr Matusiak
CCIE #19860 (R&S, Security)
Technical Instructor
website: www.MicronicsTraining.com
blog: www.ccie1.com

If you can't explain it simply, you don't understand it well enough -
Albert Einstein

2010/8/12 karim jamali <karim.jamali_at_gmail.com>

> Hi Piotr,
>
> Thank You for the explanation. Are you trying to say the following:
> Inside hosts for instance are patted to an outside interface. If hosts need
> to go to any address first they will be patted to the outside interface
> (thus this determines the path they chose, egress interface) from there on
> they start looking at routing lookups down that way?
>
> Thank You once again.
>
> On Thu, Aug 12, 2010 at 4:41 PM, Piotr Matusiak <pitt2k_at_gmail.com> wrote:
>
>> Hi,
>>
>> I think it is pretty well explained. It simply states that ASA uses its
>> translation table to determine egress interface. If there is no xlate in the
>> table then the ASA uses its routing table.
>> Remember that static translation is always in the table, so that it will
>> be always used instead of routing table.
>>
>> To test that, simply configure 'wrong' static translation and you'll see
>> that packet is going to wrong egress interface (even though you have correct
>> entry in the routing table).
>>
>> Let me know if you need more info.
>>
>> HTH,
>> --
>> Piotr Matusiak
>> CCIE #19860 (R&S, Security)
>> Technical Instructor
>> website: www.MicronicsTraining.com
>> blog: www.ccie1.com
>>
>> If you can't explain it simply, you don't understand it well enough -
>> Albert Einstein
>>
>> 2010/8/12 karim jamali <karim.jamali_at_gmail.com>
>>
>>> Dear Experts,
>>>
>>> I am going through routing on the ASA using the below document:
>>>
>>> http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/ip.html
>>>
>>> can someone help me understand what the 3 bullets below are referencing
>>> exactly? I would be very grateful for your help.
>>>
>>> Egress Interface Selection Process
>>>
>>> 1. If destination IP translating XLATE already exists, the egress
>>> interface for the packet is determined from the XLATE table, but not from
>>> the routing table.
>>>
>>> 2. If destination IP translating XLATE does not exist, but a matching
>>> static translation exists, then the egress interface is determined from
>>> the static route and an XLATE is created, and the routing table is not
>>> used.
>>>
>>> 3. If destination IP translating XLATE does not exist and no matching
>>> static translation exists, the packet is not destination IP translated.
>>> The security appliance processes this packet by looking up the route to
>>> select egress interface, then source IP translation is performed (if
>>> necessary).
>>>
>>> For regular dynamic outbound NAT, initial outgoing packets are routed
>>> using the route table and then creating the XLATE. Incoming return
>>> packets are forwarded using existing XLATE only. For static NAT,
>>> destination translated incoming packets are always forwarded using
>>> existing XLATE or static translation rules.
>>>
>>> Thank You
>>>
>>> --
>>> KJ
>>>
>>> Blogs and organic groups at http://www.ccie.net
>>>
>>> _______________________________________________________________________
>>> Subscription information may be found at:
>>> http://www.groupstudy.com/list/CCIELab.html
>
> --
> KJ

Received on Thu Aug 12 2010 - 20:16:41 ART
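
The three-step egress selection quoted in this thread, written out as a small model (an added example, not part of the original messages and not Cisco's code). The function names, table layouts and the sample topology are assumptions made for illustration; it covers the PAT first-packet case and the "wrong static" test described above.

```python
import ipaddress

def route_lookup(routes, dst):
    """Longest-prefix match over (prefix, interface) pairs; None if no route."""
    addr = ipaddress.ip_address(dst)
    nets = [(ipaddress.ip_network(p), ifc) for p, ifc in routes]
    hits = [(n, ifc) for n, ifc in nets if addr in n]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def select_egress(dst, port, xlates, statics, routes):
    """Return (egress interface, table that decided it) for a destination.

    xlates:  {(mapped_ip, mapped_port or None): (real_ip, real_interface)}
    statics: [(real_interface, mapped_ip, real_ip)]
    routes:  [(prefix, interface)]
    """
    # Step 1: an existing XLATE for the destination decides the interface.
    for key in ((dst, port), (dst, None)):
        if key in xlates:
            return xlates[key][1], "xlate"
    # Step 2: a matching static rule decides it and creates the XLATE.
    for real_if, mapped_ip, real_ip in statics:
        if dst == mapped_ip:
            xlates[(dst, None)] = (real_ip, real_if)
            return real_if, "static"
    # Step 3: no destination translation, so the routing table is used.
    return route_lookup(routes, dst), "route"

def pat_outbound(src, src_if, dst, pat_ip, pat_port, xlates, statics, routes):
    """First packet of a PAT'd flow: routed first, then the XLATE is created."""
    egress, table = select_egress(dst, None, xlates, statics, routes)
    xlates[(pat_ip, pat_port)] = (src, src_if)  # source translation comes last
    return egress, table

# Constructed sample topology (documentation address ranges).
ROUTES = [("0.0.0.0/0", "outside"), ("10.1.1.0/24", "inside"),
          ("172.16.1.0/24", "dmz")]
# Deliberately wrong static: the real host 172.16.1.10 is routed via dmz,
# but the rule names inside as the real interface.
STATICS = [("inside", "192.0.2.10", "172.16.1.10")]

def demo():
    xlates = {}
    first = pat_outbound("10.1.1.5", "inside", "203.0.113.9",
                         "192.0.2.1", 1024, xlates, STATICS, ROUTES)
    reply = select_egress("192.0.2.1", 1024, xlates, STATICS, ROUTES)
    wrong = select_egress("192.0.2.10", 80, xlates, STATICS, ROUTES)
    return first, reply, wrong
```

`demo()` returns the deciding table for each packet: the first outbound packet is routed, its reply follows the xlate, and traffic to the mis-configured static address leaves via `inside` although the route for the real host points at `dmz`.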