ASA route-lookup issue

Kashish_Patel
Level 2

Hi Security Experts,

In a very weird behavior, I see that ASA running 8.4(4)1 is not doing route-lookup and taking routing decisions just based on nat statements.

I have a firewall running older 8.2(2)16 code as well and it does route-lookup before forwarding packet. Why has the behavior changed in pre-8.3 and 8.3+ versions?

This default ASA behavior is causing lots of problems for us. I understand that we can force route-lookup to happen using "route-lookup" option while adding nat statements, but I am interested in knowing why Cisco has made no route-lookup as the default option.

Thanks,

Kashish


varrao
Level 10

Hi Kashish,

The feature was introduced to provide more flexibility to your nat configurations. I would suggest you go through this explanation for your question in the release notes:

In 8.4(2) and later, the default behavior for identity NAT was changed to match the behavior of other static NAT configurations: proxy ARP is enabled, and the NAT configuration determines the egress interface (if specified) by default. You can leave these settings as is, or you can enable or disable them discretely.

http://www.cisco.com/en/US/docs/security/asa/asa84/release/notes/asarn84.html#wp535067

Let me know if you need any other explanation.

Thanks,
Varun Rao
Security Team,
Cisco TAC
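The behavior described in this thread, as an added configuration example that is not part of the original post or of Cisco's documentation: the object names, interface names, addresses and the gateway are assumed, and the twice NAT identity rule is shown without and then with the route-lookup keyword, followed by a packet-tracer check that reveals which egress interface the ASA actually selects.

```cisco
! Constructed example for ASA 8.4(2)+ (assumed names and addresses).
object network LAN
 subnet 10.1.1.0 255.255.255.0
object network PARTNER
 subnet 192.168.50.0 255.255.255.0

! The routing table reaches PARTNER through the dmz interface.
route dmz 192.168.50.0 255.255.255.0 172.16.0.2 1

! Identity NAT written the usual way. Because the rule names an egress
! interface (outside), 8.4(2)+ sends matching traffic out "outside" and
! ignores the dmz route above. This is the behavior the question reports.
nat (inside,outside) source static LAN LAN destination static PARTNER PARTNER

! Same rule with route-lookup: the egress interface is now taken from the
! routing table (dmz), which is how pre-8.3 code behaved.
no nat (inside,outside) source static LAN LAN destination static PARTNER PARTNER
nat (inside,outside) source static LAN LAN destination static PARTNER PARTNER route-lookup

! Verify the choice before and after the change; the Result section of the
! output reports the selected interface as "output-interface: <name>".
packet-tracer input inside tcp 10.1.1.10 40000 192.168.50.10 443
```

Per the release-note text quoted above, the interface-driven egress applies only when the NAT rule specifies interfaces; a rule written with (any,any) falls back to the routing table.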
