04-03-2015 01:30 PM - edited 03-11-2019 10:44 PM
I have some VPN tunnels that terminate on an upstream router from my main ASA.
I want users at the other end of these tunnels to all hit a single IP address (an application VIP) behind my firewall, so I set up some policy NATs like so.
I created a couple of host objects and the object below:
object-group network ACME-HOSTS
description Remote ACME Workstations
network-object host 192.168.150.22
nat (ASA-TRANS,ACME) source static obj-172.25.92.68 obj-172.25.92.10 destination static ACME-HOSTS ACME-HOSTS no-proxy-arp
nat (ASA-TRANS,CORP) source static obj-172.25.92.68 obj-172.25.92.10 destination static CORP-SFTP-HOSTS CORP-SFTP-HOSTS no-proxy-arp
there are static routes from the individual interfaces to the remote networks.
So I am trying to NAT 172.25.92.68 to 172.25.92.10 for both of these remote networks.
Now when I put in the command "route-lookup" at the end of the nat statements above (no-proxy-arp route-lookup) I get a weird error
ERROR: Option route-lookup is only allowed for static identity case
Removing the route-lookup option, the command is accepted.
Will this still work? What does that error even mean? I don't remember ever seeing it in earlier IOS versions.
Solved! Go to Solution.
04-03-2015 02:13 PM
The "route-lookup" option is only used with static identity NAT, i.e. where you translate the IP to the same IP, but you are not doing that so it isn't an option.
The ASA uses the NAT rule to determine which interface to send the traffic out of, and if there is no NAT it uses a route lookup.
There are certain circumstances with identity NAT where you actually want the ASA to use the routing table rather than the NAT entry to determine the correct path for traffic and then you would use that option with your NAT statement.
But as you are not doing identity NAT it doesn't apply.
Jon
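The egress-selection behaviour Jon describes (NAT rule decides the interface, route lookup only when no rule matches or when identity NAT carries route-lookup) is easy to misread, so here is a small Python model of it. This is an added illustration, not code from the thread or from Cisco; it reuses the addresses and interface names from the question, while the CORP-SFTP-HOSTS network, the routing table and the rule-matching order are constructed assumptions for the example, and it deliberately mirrors the CLI error quoted in the question for a non-identity rule.

```python
"""Simplified model of how an ASA picks the egress interface for a flow,
as described in the answer: a matching NAT rule's mapped interface wins,
a route lookup is used when no NAT rule matches, and a static identity
rule with route-lookup defers to the routing table instead."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class NatRule:
    real_ifc: str          # interface the real (untranslated) host sits behind
    mapped_ifc: str        # interface the translated address is presented on
    real_src: str          # real source address
    mapped_src: str        # translated source address
    dst_net: str           # destination network the rule applies to
    route_lookup: bool = False

    @property
    def is_identity(self) -> bool:
        # Identity NAT: the address is "translated" to itself.
        return self.real_src == self.mapped_src


def validate_rule(rule: NatRule) -> None:
    """Mirror the CLI check quoted in the question: route-lookup is
    accepted only on a static identity rule."""
    if rule.route_lookup and not rule.is_identity:
        raise ValueError(
            "Option route-lookup is only allowed for static identity case")


def route_lookup(routes: List[Tuple[str, str]], dst: str) -> Optional[str]:
    """Longest-prefix match over (prefix, interface) static routes."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, ifc in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifc)
    return best[1] if best else None


def egress_interface(rules: List[NatRule], routes: List[Tuple[str, str]],
                     ingress: str, src: str, dst: str) -> Optional[str]:
    """First matching NAT rule decides the egress interface, unless it is
    identity NAT with route-lookup; with no match, fall back to routing."""
    dst_addr = ipaddress.ip_address(dst)
    for rule in rules:
        if rule.real_ifc != ingress or rule.real_src != src:
            continue
        if dst_addr not in ipaddress.ip_network(rule.dst_net):
            continue
        if rule.is_identity and rule.route_lookup:
            return route_lookup(routes, dst)
        return rule.mapped_ifc
    return route_lookup(routes, dst)


# Constructed data: the two rules from the question (route-lookup removed),
# with an assumed CORP-SFTP-HOSTS network and an assumed routing table.
QUESTION_RULES = [
    NatRule("ASA-TRANS", "ACME", "172.25.92.68", "172.25.92.10",
            "192.168.150.22/32"),
    NatRule("ASA-TRANS", "CORP", "172.25.92.68", "172.25.92.10",
            "10.99.0.0/24"),                      # assumed CORP-SFTP-HOSTS
]
ROUTES = [
    ("192.168.150.0/24", "CORP"),   # assumed: routing disagrees with the NAT rule
    ("10.99.0.0/24", "CORP"),
    ("0.0.0.0/0", "OUTSIDE"),       # assumed default route
]


def scenarios() -> dict:
    """Return the egress interface for each case the thread talks about."""
    out = {}
    # 1. The question's static twice NAT: the NAT rule picks the interface.
    out["twice_nat_acme"] = egress_interface(
        QUESTION_RULES, ROUTES, "ASA-TRANS", "172.25.92.68", "192.168.150.22")
    out["twice_nat_corp"] = egress_interface(
        QUESTION_RULES, ROUTES, "ASA-TRANS", "172.25.92.68", "10.99.0.5")
    # 2. The same rule with route-lookup is rejected, as in the question.
    try:
        validate_rule(NatRule("ASA-TRANS", "ACME", "172.25.92.68",
                              "172.25.92.10", "192.168.150.22/32", True))
        out["twice_nat_route_lookup_accepted"] = True
    except ValueError:
        out["twice_nat_route_lookup_accepted"] = False
    # 3. Identity NAT: without route-lookup the rule's interface wins,
    #    with route-lookup the routing table wins.
    identity = NatRule("ASA-TRANS", "ACME", "172.25.92.68", "172.25.92.68",
                       "192.168.150.22/32")
    out["identity_no_route_lookup"] = egress_interface(
        [identity], ROUTES, "ASA-TRANS", "172.25.92.68", "192.168.150.22")
    identity.route_lookup = True
    validate_rule(identity)
    out["identity_route_lookup"] = egress_interface(
        [identity], ROUTES, "ASA-TRANS", "172.25.92.68", "192.168.150.22")
    # 4. No NAT rule at all: plain route lookup.
    out["no_nat"] = egress_interface(
        [], ROUTES, "ASA-TRANS", "172.25.92.68", "8.8.8.8")
    return out


if __name__ == "__main__":
    for name, ifc in scenarios().items():
        print(f"{name}: {ifc}")
```

The third scenario is the point of the answer: with a static identity rule the mapped interface and the routing table can disagree, and route-lookup is the switch that tells the ASA to trust the routing table in that case. For the questioner's non-identity rules that switch does not exist, so the rule's mapped interface always decides the egress path.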