Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1167
Views
0
Helpful
0
Replies

ASA IPSec- THe dynamic NAT ignores the route-lookup (Packet trace phase 2)

Hamed Karimi
Level 1
Level 1

‎09-06-2020 07:30 PM

Hello.

 

I have an IPsec tunnel acting as a backup path for an internal (EIGRP) link on ASA. It will be triggered only if the internal link goes down and since traffic does not find any EIGRP route then it will be matched with the default route and brings up the tunnel. On the tunnel we PAT all traffic behind a single IP address.

The problem is that the traffic ignores route-lookup (phase 2) and match the PAT (UN-NAT Lookup) and triggers the tunnel. So the tunnel always handles the traffic. There is no option to enable the proxy-arp on dynamic NAT. Is there any solution or I should move the tunnel to a different device?

1.JPG

Preview file
19 KB
0 Helpful
0 Replies 0
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card