Option route-lookup error on policy NAT

Colin Higgins
Level 2

I have some VPN tunnels that terminate on an upstream router from my main ASA.

I want users at the other end of these tunnels to all hit a single IP address (an application VIP) behind my firewall, so I set up some policy NATs like so.

I created a couple of host objects and the object below:

object-group network ACME-HOSTS
description Remote ACME Workstations
network-object host 192.168.150.22

nat (ASA-TRANS,ACME) source static obj-172.25.92.68 obj-172.25.92.10 destination static ACME-HOSTS ACME-HOSTS no-proxy-arp
nat (ASA-TRANS,CORP) source static obj-172.25.92.68 obj-172.25.92.10 destination static CORP-SFTP-HOSTS CORP-SFTP-HOSTS no-proxy-arp

There are static routes from the individual interfaces to the remote networks.

So I am trying to NAT 172.25.92.68 to 172.25.92.10 for both of these remote networks.

Now, when I put the command "route-lookup" at the end of the nat statements above (no-proxy-arp route-lookup), I get a weird error:

ERROR: Option route-lookup is only allowed for static identity case

If I remove the route-lookup option, the command is accepted.

Will this still work? What does that error even mean? I don't remember ever seeing it in earlier IOS versions.

Accepted Solution

Jon Marshall
Hall of Fame

The "route-lookup" option is only used with static identity NAT, i.e. where you translate the IP to the same IP, but you are not doing that, so it isn't an option.

The ASA uses the NAT rule to determine which interface to send the traffic out of, and if there is no NAT it uses a route lookup.

There are certain circumstances with identity NAT where you actually want the ASA to use the routing table rather than the NAT entry to determine the correct path for traffic and then you would use that option with your NAT statement.

But as you are not doing identity NAT it doesn't apply.

Jon
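Jon's rule of thumb, turned into a small audit script (an added example, not part of the thread or of any Cisco tool): it parses twice-NAT lines, classifies each as identity or translated, and mirrors the ASA's rejection of route-lookup on non-identity rules. The sample lines are constructed from the poster's config plus a hypothetical identity-NAT rule; testing identity on the source object alone is an assumption taken from the thread.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the poster's two rules (route-lookup appended to the first, as he
# tried) plus a hypothetical identity-NAT rule where the option is legal.
SAMPLE_NAT_RULES = """
nat (ASA-TRANS,ACME) source static obj-172.25.92.68 obj-172.25.92.10 destination static ACME-HOSTS ACME-HOSTS no-proxy-arp route-lookup
nat (ASA-TRANS,CORP) source static obj-172.25.92.68 obj-172.25.92.10 destination static CORP-SFTP-HOSTS CORP-SFTP-HOSTS no-proxy-arp
nat (inside,outside) source static LAN-NET LAN-NET destination static VPN-NET VPN-NET no-proxy-arp route-lookup
"""

# Twice-NAT syntax: nat (real_if,mapped_if) source static REAL MAPPED [destination static REAL MAPPED] [options]
NAT_RE = re.compile(
    r"^nat \((?P<real_if>[^,]+),(?P<mapped_if>[^)]+)\) source static (?P<src_real>\S+) (?P<src_mapped>\S+)"
    r"(?: destination static (?P<dst_real>\S+) (?P<dst_mapped>\S+))?(?P<opts>.*)$"
)


@dataclass
class NatCheck:
    mapped_if: str
    identity: bool       # source real object == source mapped object (assumption: source only)
    route_lookup: bool   # option present on the line
    egress_by: str       # "routing-table" or "nat-rule:<mapped interface>"
    accepted: bool       # would the ASA accept the line, per the error quoted in the thread


def check_nat_rule(line: str) -> Optional[NatCheck]:
    m = NAT_RE.match(line.strip())
    if not m:
        return None
    identity = m["src_real"] == m["src_mapped"]
    route_lookup = "route-lookup" in m["opts"].split()
    # Identity NAT with route-lookup defers to the routing table; every other rule pins
    # egress to the mapped interface named in the rule itself.
    egress_by = "routing-table" if (identity and route_lookup) else f"nat-rule:{m['mapped_if']}"
    accepted = identity or not route_lookup
    return NatCheck(m["mapped_if"], identity, route_lookup, egress_by, accepted)


def audit(config: str) -> list:
    """Return one NatCheck per parseable nat line, in order."""
    return [c for c in (check_nat_rule(l) for l in config.splitlines()) if c]


if __name__ == "__main__":
    for c in audit(SAMPLE_NAT_RULES):
        print(c)
```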
