cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4583
Views
0
Helpful
5
Replies
Beginner

ASA 5500-x with 9.1 - identity NAT

I have been trying to implement identity NAT on a 5515-x with 9.1 software.

The main purpose is to divert traffic coming from a specific interface to a second ISP interface - which is NOT the current default gateway.

But I cannot get it to work.

The topology is as follows:

      isp-1           isp-2

   (10.1.1.1)    (10.2.2.2)

          \          /

             ASA

          /          \

     inside        DMZ

10.10.0.0/24    (10.3.3.3) ---- 10.7.0.0/24

ASA routes:          route isp-1 0.0.0.0 0.0.0.0 10.1.1.1 1

                            route isp-2 0.0.0.0 0.0.0.0 10.2.2.2 2

                            route DMZ 10.7.0.0 255.255.255.0 10.3.3.3

The default gateway is towards isp-1. And the inside networks are NAT/PAT-ed with isp-1 interface.

The 10.7.7.0/24 range is advertised and routed by isp-2.

The purpose is to route the 10.7.7.0/24 adresses from DMZ zone to isp-2, without being translated. This is pretty much Policy-Based-Routing (PBR).

I have been able to get this working on ASA 5520 with 8.4.2 ... with the following commands (which is destination identity NAT):

sysopt noproxyarp DMZ

nat (isp-2,DMZ) source static any any

This it NOT working in 9.1 .. And I still have not found a document stating that this feature's behaviour has changed since 8.4.2.

In fact here's a document decribing 9.1 NAT functionality and how it can set the egress interface, overriding the routing table rules.

http://www.cisco.com/en/US/docs/security/asa/asa91/configuration/firewall/nat_overview.html#wp1165189

The closest I've gotten this to work in 9.1 is only for TCP and UDP traffic by using service objects, with source identity NAT. Like this:

object service obj-tcp-any

service tcp destination range 0 65535

object service obj-udp-any

service udp destination range 0 65535

nat (DMZ,isp-2) source static any any service obj-tcp-any obj-tcp-any

nat (DMZ,isp-2) source static any any service obj-udp-any obj-udp-any

Only then does the "divert to egress interface" kicks in. But still, I cannot divert ICMP, ESP and any other non-TCP,UDP traffic.

Any thoughts? Has anyone been able to fully implement this on the 9.x code?

2 ACCEPTED SOLUTIONS

Accepted Solutions
Highlighted
Mentor

ASA 5500-x with 9.1 - identity NAT

Hi,

I just posted the following in another thread. Maybe it might be of help

Original post at: https://supportforums.cisco.com/thread/2198593?tstart=0

So I booted one of my test ASA5520 to software 9.1(1) and did some  testing with regards to using NAT configuration to determine the eggress  interface of the traffic.

I  tried a few different setups and I managed to get one of them working.  While a couple of tested configurations always resulted in the ASA doing  a route lookup the last one seemed to follow the NAT configuration  definitions and not the route lookup/routing table

So my lab setup is the following

  • Single ASA5520 9.1(1)
  • 2 WAN links
  • 1 LAN link

What I tried

  • Forward traffic to different WAN link depending on the LAN host IP address
  • Host 10.0.0.30 out of WAN-1 for all destination networks
  • Host 10.0.0.200 out of WAN-2 for all destination networks

I  guess this configuration in particular doesnt help with the orignal  posters situation but it does seem to help in a situation where you want  to control the DUAL WAN link usage depending on the source IP address  of the LAN host.

Here are the example NAT/Interface/route configurations and "packet-tracer" output

interface GigabitEthernet0/0

description Primary ISP

nameif WAN-1

security-level 0

ip address 192.168.101.2 255.255.255.0

!

interface GigabitEthernet0/1

description Secondary ISP

nameif WAN-2

security-level 0

ip address 192.168.102.2 255.255.255.0

!

interface GigabitEthernet0/2

description LAN

nameif LAN

security-level 100

ip address 10.0.20.2 255.255.255.0

route WAN-1 0.0.0.0 0.0.0.0 192.168.101.1 1

route WAN-2 0.0.0.0 0.0.0.0 192.168.102.1 254

route LAN 10.0.0.0 255.255.255.0 10.0.20.1 1

object network LAN-SOURCE-1

host 10.0.0.30

object network LAN-SOURCE-2

host 10.0.0.200

object network ANY-0.0.0.0-1

subnet 0.0.0.0 128.0.0.0

object network ANY-128.0.0.0-1

subnet 128.0.0.0 128.0.0.0

object-group network ALL

network-object object ANY-0.0.0.0-1

network-object object ANY-128.0.0.0-1

nat (LAN,WAN-1) source static LAN-SOURCE-1 LAN-SOURCE-1 destination static ALL ALL

nat (LAN,WAN-2) source static LAN-SOURCE-2 LAN-SOURCE-2 destination static ALL ALL

ASA(config)# packet-tracer input LAN tcp 10.0.0.30 12345 1.1.1.1 80

Phase: 1

Type: UN-NAT

Subtype: static

Result: ALLOW

Config:

nat (LAN,WAN-1) source static LAN-SOURCE-1 LAN-SOURCE-1 destination static ALL ALL

Additional Information:

NAT divert to egress interface WAN-1

Untranslate 1.1.1.1/80 to 1.1.1.1/80

Phase: 2

Type: NAT

Subtype:

Result: ALLOW

Config:

nat (LAN,WAN-1) source static LAN-SOURCE-1 LAN-SOURCE-1 destination static ALL ALL

Additional Information:

Static translate 10.0.0.30/12345 to 10.0.0.30/12345

Phase: 3

Type: NAT

Subtype: per-session

Result: ALLOW

Config:

Additional Information:

Phase: 4

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 5

Type: NAT

Subtype: rpf-check

Result: ALLOW

Config:

nat (LAN,WAN-1) source static LAN-SOURCE-1 LAN-SOURCE-1 destination static ALL ALL

Additional Information:

Phase: 6

Type: NAT

Subtype: per-session

Result: ALLOW

Config:

Additional Information:

Phase: 7

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 8

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 13, packet dispatched to next module

Result:

input-interface: LAN

input-status: up

input-line-status: up

output-interface: WAN-1

output-status: up

output-line-status: up

Action: allow

ASA(config)# packet-tracer input LAN tcp 10.0.0.200 12345 1.1.1.1 80

Phase: 1

Type: UN-NAT

Subtype: static

Result: ALLOW

Config:

nat (LAN,WAN-2) source static LAN-SOURCE-2 LAN-SOURCE-2 destination static ALL ALL

Additional Information:

NAT divert to egress interface WAN-2

Untranslate 1.1.1.1/80 to 1.1.1.1/80

Phase: 2

Type: NAT

Subtype:

Result: ALLOW

Config:

nat (LAN,WAN-2) source static LAN-SOURCE-2 LAN-SOURCE-2 destination static ALL ALL

Additional Information:

Static translate 10.0.0.200/12345 to 10.0.0.200/12345

Phase: 3

Type: NAT

Subtype: per-session

Result: ALLOW

Config:

Additional Information:

Phase: 4

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 5

Type: NAT

Subtype: rpf-check

Result: ALLOW

Config:

nat (LAN,WAN-2) source static LAN-SOURCE-2 LAN-SOURCE-2 destination static ALL ALL

Additional Information:

Phase: 6

Type: NAT

Subtype: per-session

Result: ALLOW

Config:

Additional Information:

Phase: 7

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 8

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 14, packet dispatched to next module

Result:

input-interface: LAN

input-status: up

input-line-status: up

output-interface: WAN-2

output-status: up

output-line-status: up

Action: allow

This also works with setting the NAT to Dynamic Policy PAT instead of the above Identity NAT / NAT Exempt

nat (LAN,WAN-1) source dynamic LAN-SOURCE-1 interface destination static ALL ALL

nat (LAN,WAN-2) source dynamic LAN-SOURCE-2 interface destination static ALL ALL

ASA(config)# packet-tracer input LAN tcp 10.0.0.30 12345 1.1.1.1 80

Phase: 1

Type: UN-NAT

Subtype: static

Result: ALLOW

Config:

nat (LAN,WAN-1) source dynamic LAN-SOURCE-1 interface destination static ALL ALL

Additional Information:

NAT divert to egress interface WAN-1

Untranslate 1.1.1.1/80 to 1.1.1.1/80

Phase: 2

Type: NAT

Subtype:

Result: ALLOW

Config:

nat (LAN,WAN-1) source dynamic LAN-SOURCE-1 interface destination static ALL ALL

Additional Information:

Dynamic translate 10.0.0.30/12345 to 192.168.101.2/12345

Phase: 3

Type: NAT

Subtype: per-session

Result: ALLOW

Config:

Additional Information:

Phase: 4

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 5

Type: NAT

Subtype: rpf-check

Result: ALLOW

Config:

nat (LAN,WAN-1) source dynamic LAN-SOURCE-1 interface destination static ALL ALL

Additional Information:

Phase: 6

Type: NAT

Subtype: per-session

Result: ALLOW

Config:

Additional Information:

Phase: 7

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 8

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 15, packet dispatched to next module

Result:

input-interface: LAN

input-status: up

input-line-status: up

output-interface: WAN-1

output-status: up

output-line-status: up

Action: allow

ASA(config)# packet-tracer input LAN tcp 10.0.0.200 12345 1.1.1.1 80

Phase: 1

Type: UN-NAT

Subtype: static

Result: ALLOW

Config:

nat (LAN,WAN-2) source dynamic LAN-SOURCE-2 interface destination static ALL ALL

Additional Information:

NAT divert to egress interface WAN-2

Untranslate 1.1.1.1/80 to 1.1.1.1/80

Phase: 2

Type: NAT

Subtype:

Result: ALLOW

Config:

nat (LAN,WAN-2) source dynamic LAN-SOURCE-2 interface destination static ALL ALL

Additional Information:

Dynamic translate 10.0.0.200/12345 to 192.168.102.2/12345

Phase: 3

Type: NAT

Subtype: per-session

Result: ALLOW

Config:

Additional Information:

Phase: 4

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 5

Type: NAT

Subtype: rpf-check

Result: ALLOW

Config:

nat (LAN,WAN-2) source dynamic LAN-SOURCE-2 interface destination static ALL ALL

Additional Information:

Phase: 6

Type: NAT

Subtype: per-session

Result: ALLOW

Config:

Additional Information:

Phase: 7

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 8

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 16, packet dispatched to next module

Result:

input-interface: LAN

input-status: up

input-line-status: up

output-interface: WAN-2

output-status: up

output-line-status: up

Action: allow

Hopefully this helps someone. Please if so

- Jouni

Hope this helps

- Jouni

View solution in original post

Highlighted
Mentor

ASA 5500-x with 9.1 - identity NAT

So I guess in your situation you could try the following and see if it works

object network DMZ

subnet 10.7.0.0 255.255.255.0

object network ANY-0.0.0.0-1

subnet 0.0.0.0 128.0.0.0

object network ANY-128.0.0.0-1

subnet 128.0.0.0 128.0.0.0

object-group network ALL

network-object object ANY-0.0.0.0-1

network-object object ANY-128.0.0.0-1

nat (DMZ,isp-2) source static DMZ DMZ destination static ALL ALL

- Jouni

View solution in original post

5 REPLIES 5
Highlighted
Mentor

ASA 5500-x with 9.1 - identity NAT

Hi,

I just posted the following in another thread. Maybe it might be of help

Original post at: https://supportforums.cisco.com/thread/2198593?tstart=0

So I booted one of my test ASA5520 to software 9.1(1) and did some  testing with regards to using NAT configuration to determine the eggress  interface of the traffic.

I  tried a few different setups and I managed to get one of them working.  While a couple of tested configurations always resulted in the ASA doing  a route lookup the last one seemed to follow the NAT configuration  definitions and not the route lookup/routing table

So my lab setup is the following

  • Single ASA5520 9.1(1)
  • 2 WAN links
  • 1 LAN link

What I tried

  • Forward traffic to different WAN link depending on the LAN host IP address
  • Host 10.0.0.30 out of WAN-1 for all destination networks
  • Host 10.0.0.200 out of WAN-2 for all destination networks

I  guess this configuration in particular doesnt help with the orignal  posters situation but it does seem to help in a situation where you want  to control the DUAL WAN link usage depending on the source IP address  of the LAN host.

Here are the example NAT/Interface/route configurations and "packet-tracer" output

interface GigabitEthernet0/0

description Primary ISP

nameif WAN-1

security-level 0

ip address 192.168.101.2 255.255.255.0

!

interface GigabitEthernet0/1

description Secondary ISP

nameif WAN-2

security-level 0

ip address 192.168.102.2 255.255.255.0

!

interface GigabitEthernet0/2

description LAN

nameif LAN

security-level 100

ip address 10.0.20.2 255.255.255.0

route WAN-1 0.0.0.0 0.0.0.0 192.168.101.1 1

route WAN-2 0.0.0.0 0.0.0.0 192.168.102.1 254

route LAN 10.0.0.0 255.255.255.0 10.0.20.1 1

object network LAN-SOURCE-1

host 10.0.0.30

object network LAN-SOURCE-2

host 10.0.0.200

object network ANY-0.0.0.0-1

subnet 0.0.0.0 128.0.0.0

object network ANY-128.0.0.0-1

subnet 128.0.0.0 128.0.0.0

object-group network ALL

network-object object ANY-0.0.0.0-1

network-object object ANY-128.0.0.0-1

nat (LAN,WAN-1) source static LAN-SOURCE-1 LAN-SOURCE-1 destination static ALL ALL

nat (LAN,WAN-2) source static LAN-SOURCE-2 LAN-SOURCE-2 destination static ALL ALL

ASA(config)# packet-tracer input LAN tcp 10.0.0.30 12345 1.1.1.1 80

Phase: 1

Type: UN-NAT

Subtype: static

Result: ALLOW

Config:

nat (LAN,WAN-1) source static LAN-SOURCE-1 LAN-SOURCE-1 destination static ALL ALL

Additional Information:

NAT divert to egress interface WAN-1

Untranslate 1.1.1.1/80 to 1.1.1.1/80

Phase: 2

Type: NAT

Subtype:

Result: ALLOW

Config:

nat (LAN,WAN-1) source static LAN-SOURCE-1 LAN-SOURCE-1 destination static ALL ALL

Additional Information:

Static translate 10.0.0.30/12345 to 10.0.0.30/12345

Phase: 3

Type: NAT

Subtype: per-session

Result: ALLOW

Config:

Additional Information:

Phase: 4

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 5

Type: NAT

Subtype: rpf-check

Result: ALLOW

Config:

nat (LAN,WAN-1) source static LAN-SOURCE-1 LAN-SOURCE-1 destination static ALL ALL

Additional Information:

Phase: 6

Type: NAT

Subtype: per-session

Result: ALLOW

Config:

Additional Information:

Phase: 7

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 8

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 13, packet dispatched to next module

Result:

input-interface: LAN

input-status: up

input-line-status: up

output-interface: WAN-1

output-status: up

output-line-status: up

Action: allow

ASA(config)# packet-tracer input LAN tcp 10.0.0.200 12345 1.1.1.1 80

Phase: 1

Type: UN-NAT

Subtype: static

Result: ALLOW

Config:

nat (LAN,WAN-2) source static LAN-SOURCE-2 LAN-SOURCE-2 destination static ALL ALL

Additional Information:

NAT divert to egress interface WAN-2

Untranslate 1.1.1.1/80 to 1.1.1.1/80

Phase: 2

Type: NAT

Subtype:

Result: ALLOW

Config:

nat (LAN,WAN-2) source static LAN-SOURCE-2 LAN-SOURCE-2 destination static ALL ALL

Additional Information:

Static translate 10.0.0.200/12345 to 10.0.0.200/12345

Phase: 3

Type: NAT

Subtype: per-session

Result: ALLOW

Config:

Additional Information:

Phase: 4

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 5

Type: NAT

Subtype: rpf-check

Result: ALLOW

Config:

nat (LAN,WAN-2) source static LAN-SOURCE-2 LAN-SOURCE-2 destination static ALL ALL

Additional Information:

Phase: 6

Type: NAT

Subtype: per-session

Result: ALLOW

Config:

Additional Information:

Phase: 7

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 8

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 14, packet dispatched to next module

Result:

input-interface: LAN

input-status: up

input-line-status: up

output-interface: WAN-2

output-status: up

output-line-status: up

Action: allow

This also works with setting the NAT to Dynamic Policy PAT instead of the above Identity NAT / NAT Exempt

nat (LAN,WAN-1) source dynamic LAN-SOURCE-1 interface destination static ALL ALL

nat (LAN,WAN-2) source dynamic LAN-SOURCE-2 interface destination static ALL ALL

ASA(config)# packet-tracer input LAN tcp 10.0.0.30 12345 1.1.1.1 80

Phase: 1

Type: UN-NAT

Subtype: static

Result: ALLOW

Config:

nat (LAN,WAN-1) source dynamic LAN-SOURCE-1 interface destination static ALL ALL

Additional Information:

NAT divert to egress interface WAN-1

Untranslate 1.1.1.1/80 to 1.1.1.1/80

Phase: 2

Type: NAT

Subtype:

Result: ALLOW

Config:

nat (LAN,WAN-1) source dynamic LAN-SOURCE-1 interface destination static ALL ALL

Additional Information:

Dynamic translate 10.0.0.30/12345 to 192.168.101.2/12345

Phase: 3

Type: NAT

Subtype: per-session

Result: ALLOW

Config:

Additional Information:

Phase: 4

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 5

Type: NAT

Subtype: rpf-check

Result: ALLOW

Config:

nat (LAN,WAN-1) source dynamic LAN-SOURCE-1 interface destination static ALL ALL

Additional Information:

Phase: 6

Type: NAT

Subtype: per-session

Result: ALLOW

Config:

Additional Information:

Phase: 7

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 8

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 15, packet dispatched to next module

Result:

input-interface: LAN

input-status: up

input-line-status: up

output-interface: WAN-1

output-status: up

output-line-status: up

Action: allow

ASA(config)# packet-tracer input LAN tcp 10.0.0.200 12345 1.1.1.1 80

Phase: 1

Type: UN-NAT

Subtype: static

Result: ALLOW

Config:

nat (LAN,WAN-2) source dynamic LAN-SOURCE-2 interface destination static ALL ALL

Additional Information:

NAT divert to egress interface WAN-2

Untranslate 1.1.1.1/80 to 1.1.1.1/80

Phase: 2

Type: NAT

Subtype:

Result: ALLOW

Config:

nat (LAN,WAN-2) source dynamic LAN-SOURCE-2 interface destination static ALL ALL

Additional Information:

Dynamic translate 10.0.0.200/12345 to 192.168.102.2/12345

Phase: 3

Type: NAT

Subtype: per-session

Result: ALLOW

Config:

Additional Information:

Phase: 4

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 5

Type: NAT

Subtype: rpf-check

Result: ALLOW

Config:

nat (LAN,WAN-2) source dynamic LAN-SOURCE-2 interface destination static ALL ALL

Additional Information:

Phase: 6

Type: NAT

Subtype: per-session

Result: ALLOW

Config:

Additional Information:

Phase: 7

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 8

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 16, packet dispatched to next module

Result:

input-interface: LAN

input-status: up

input-line-status: up

output-interface: WAN-2

output-status: up

output-line-status: up

Action: allow

Hopefully this helps someone. Please if so

- Jouni

Hope this helps

- Jouni

View solution in original post

Highlighted
Mentor

ASA 5500-x with 9.1 - identity NAT

So I guess in your situation you could try the following and see if it works

object network DMZ

subnet 10.7.0.0 255.255.255.0

object network ANY-0.0.0.0-1

subnet 0.0.0.0 128.0.0.0

object network ANY-128.0.0.0-1

subnet 128.0.0.0 128.0.0.0

object-group network ALL

network-object object ANY-0.0.0.0-1

network-object object ANY-128.0.0.0-1

nat (DMZ,isp-2) source static DMZ DMZ destination static ALL ALL

- Jouni

View solution in original post

Highlighted
Beginner

ASA 5500-x with 9.1 - identity NAT

That's great mate! it's working! Thank you very much!

The only thing that bothers me still is, why does it not work with this (which I've tried before posting the original post):

object network obj-any

subnet 0.0.0.0 0.0.0.0

nat (DMZ,isp-2) source static DMZ DMZ destination static obj-any obj-any

Why does it need to match (0/1 + 128/1) , rather than 0/0 ? Seems a bit strange, like e bug in the code..

Thanks again for the solution!

Highlighted
Mentor

Re: ASA 5500-x with 9.1 - identity NAT

Hi,

To be honest I am unable to say why it doesnt work. I tried the same thing as you mention as one of the possible solutions for this.

Then I got an "Aaah! feeling" and decided to try this one out and it seemed to work

There has been bugs related to the NAT in the newest software in addition to purposefull changes to its operation. All this makes me personally very paranoid when handling the NAT live/production environments because I feel I can't be sure if I am witnessing a bug or something that is working as its supposed to.

I am probably going to wait for some newer releases of softwares before I touch any of the environments I manage.

The main thing that has given me trouble has been this exact setup that you were facing problems with. The NAT simply isnt performing the way is mentioned in the Cisco documents. Sometimes it seems near impossible to get the ASA to use the NAT configuration to determine the eggress interface. Instead the ASA always uses the route lookup.

I would imagine that there must be something in the way ASA handles the "0.0.0.0 0.0.0.0" compared to splitting the whole IPv4 address space in to "2 chunks" that causes this difference in the NAT behaviour.

Maybe this configuration will get broken in some future software realease too

- Jouni

Highlighted
Beginner

Hello all.... I did a lot of

Hello all....

 

I did a lot of tests with the configuration that you showed in these topics and others forums, and, in my Cisco ASA, this didnt work....

 

I have this configurations in my Cisco ASA:

object network Teste_IP
 host 10.0.0.10

object network ANY-0.0.0.0-1
 subnet 0.0.0.0 128.0.0.0
object network ANY-128.0.0.0-1
 subnet 128.0.0.0 128.0.0.0

object-group network ALL
 network-object object ANY-0.0.0.0-1
 network-object object ANY-128.0.0.0-1

nat (Inside,outside2) source static Teste_IP Teste_IP destination static ALL ALL

route outside 0.0.0.0 0.0.0.0 192.168.1.1
route outside2 0.0.0.0 0.0.0.0 192.168.2.1 254

 

Packet tracer never show me a match on nat... Always he pass direct to outside, and not outside2.

 

If i put a specific route on routing table like this...

route outside2 172.16.31.5 255.255.255.255 192.168.2.1

thats works fine...

But... i think that ASA see the default route going for outside, and not outside2, and dont match the nat configuration with (Inside,Outside2).

:(

 

Anybody have any idea to my solution?

 

I use this nats too:

 

nat (Inside,outside2) source static Teste_IP interface destination static ALL ALL

nat (Inside,outside2) source dynamic Teste_IP interface destination static ALL ALL

 

and others....

 

Savio Almeida