ASA route lookup

jvardhan29
Level 1

I wanted to understand the meaning of the line below in the Cisco document taken from the following link:

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/ip.html

For egress interface selection there are 3 points, of which the 2nd one is mentioned below:

If destination IP translating XLATE does not exist, but a matching static translation exists, then the egress interface is determined from the static route and an XLATE is created, and the routing table is not used.

1) I believe we are referring to destination translation for outbound traffic, right?

2) Also, how exactly is the egress interface determined from the static route, and with "matching static translation exists" do we mean a kind of static (outside,inside) statement? Also, if we are mentioning a static route, isn't it part of the routing table? Then why is it said that the "routing table is not used"?

3) Also, if we refer this statement to outside NAT like static (outside,inside), how is it possible that the xlate is not created? With the static, XLATEs are created immediately as soon as they are configured (it does not require generating some traffic).

1 Accepted Solution


Hi Jayesh,

The 3 steps in deciding the egress interface work as below. Let's assume you are accessing an outside IP 2.2.2.2 from an inside IP 1.1.1.1. The source IP is 1.1.1.1 and the destination IP/port is 2.2.2.2 TCP/80.

Destination xlate exists: This can be checked using the output of show xlate detail. It will show you something like this:

NAT from outside:2.2.2.2 to inside:2.2.2.2

This means when this packet comes in on the inside interface and the destination IP is 2.2.2.2, the ASA decides based on the above entry that the egress interface is outside.

Please note that this generally comes up in cases when we have dynamic NAT from outside to inside. Consider the below scenario. We have an inside server at 10.1.1.10 translated to 1.1.1.1 on the outside. A host on the outside with an IP address of 2.2.2.2 is accessing this server with the IP 1.1.1.1. Also, the inside interface IP of the ASA is 10.1.1.1.

10.1.1.10------10.1.1.1(inside)ASA(outside)---------2.2.2.2

static (inside,outside) 1.1.1.1 10.1.1.10

We have the below commands as well on the ASA to PAT the outside IP to the inside interface IP address.

nat (outside) 1 2.2.2.2 netmask 255.255.255.255 outside
global (inside) 1 interface

Now let's walk through the packet flow:

1) The ASA receives a packet on the outside interface with source IP 2.2.2.2 on tcp/1024 and destination IP 1.1.1.1 on tcp/80. Now, the ASA checks (based on the output of show xlate) if there exists a NAT for the combination tcp 1.1.1.1/80. We will not see one on the ASA. So it now goes to the next step of checking if there is a static for 1.1.1 on the outside interface.

Since we have the static in place, the ASA will decide that the egress interface is "inside" and the destination IP is to be "un"translated to 10.1.1.10. Also, the ASA does a source translation for the source IP of 2.2.2.2 to the inside interface of 10.1.1.1 and adds an xlate entry on the ASA as below:

TCP PAT from outside:2.2.2.2/1024 to inside:10.1.1.1/2458 (I am assuming random port numbers here).

2) When the server replies back to the host, it will reply back to the IP 10.1.1.1 because of the PAT we have done. So now, the ASA checks if 10.1.1.1/2458 is in its xlate table (verified using show xlate), and this will tell the ASA that this has to be redirected to the outside interface and translated to 2.2.2.2/1024. In this case it does not even go to checking the static for deciding the egress interface.

Following this, the ASA will again translate the source IP of 10.1.1.10 to 1.1.1.1 and send the packet out, and the cycle continues.

Hope this clears your questions on route lookup!! Lemme know if something is unclear.

Cheers,

Prapanch


9 Replies

Hi,

I believe that it's trying to explain that when an outbound packet reaches the inside interface of the ASA, the following checks will happen in order:

1. ACL

2. Routing

3. NAT

As far as I know, the ASA will always check the routing table to know where it should send the packet, and then it goes on and checks the NAT.

NAT has its priority list as well:

1. NAT exemption

2. Static NAT/PAT

3. Policy NAT/PAT

4. Dynamic NAT/PAT

Routing will always use the most specific route as well.

Federico.

Hi Federico,

Sorry, I was not able to understand what you mentioned. Basically I am looking for an in-depth answer to the questions I have about the following line:

If destination IP translating XLATE does not exist, but a matching static translation exists, then the egress interface is determined from the static route and an XLATE is created, and the routing table is not used.

If anyone else has any thoughts, please share.

Hi experts,

I would really appreciate it if anyone could help me on this query related to route lookup.

Jayesh,

Glad to see that you pay a lot of attention to detail. I believe there is a "typo" in the 3 points listed below. I have changed a word highlighted in RED. Read it now and let me know if you understand it clearly.

Egress Interface Selection Process

1. If destination IP translating XLATE already exists, the egress interface for the packet is determined from the XLATE table, but not from the routing table.

2. If destination IP translating XLATE does not exist, but a matching static translation exists, then the egress interface is determined from the static translation and an XLATE is created, and the routing table is not used.

3. If destination IP translating XLATE does not exist and no matching static translation exists, the packet is not destination IP translated. The security appliance processes this packet by looking up the route to select egress interface, then source IP translation is performed (if necessary).

Yes, this is talking about outbound traffic.

Let us say you have

nat (inside) 1 192.168.1.3 255.255.255.255 (missing global)

static (inside,outside) 2.2.2.1 192.168.1.1

static (inside,outside) 2.2.2.2 192.168.1.2

route outside 0 0 2.2.2.254

Translation present in the table for 192.168.1.1:

NAT from inside:192.168.1.1 to outside:2.2.2.1 flags s idle 0:00:10 timeout 0:00:00

If 192.168.1.1 wants to go to Google, the above translation is looked at and the egress interface outside is chosen.

If 192.168.1.2 wants to go out to Google, no translation is in the table, so the static 1-1 NAT is looked at and the egress interface is chosen.

If 192.168.1.3 wants to go to Google, we just route the packet to the outside based on "route outside". In this case, if you do not have a matching global for this host, you will see a port map translation creation failed message in the syslogs.

-KS
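The selection order Prapanch walks through in the accepted solution, and the three outbound hosts in KS's example, as an added Python model written for this thread (it is not Cisco code and not the appliance's real data structures): an xlate table, the static and nat/global lines from Prapanch's scenario, and a routing table, with the three steps applied in the order the corrected document text gives. The default route, the 10.1.1.0/24 connected route, the PAT port numbers, the destination 8.8.8.8 and the host 10.1.1.20 are assumptions of the example. The model creates the 1-1 xlate on first use of a static, as the document describes for the FWSM; on the ASA the row is present as soon as the static is configured, and the egress interface chosen is the same either way.

```python
import ipaddress
from dataclasses import dataclass, field
from itertools import count
from typing import Dict, Iterator, List, Optional, Tuple


@dataclass
class Packet:
    ingress: str   # interface the packet arrived on
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Xlate:
    """One 'show xlate' row: real_if:real_ip[/port] <-> mapped_if:mapped_ip[/port]."""
    real_if: str
    real_ip: str
    mapped_if: str
    mapped_ip: str
    real_port: Optional[int] = None    # None on 1-1 NAT rows
    mapped_port: Optional[int] = None


@dataclass
class Static:
    """static (real_if,mapped_if) mapped_ip real_ip"""
    real_if: str
    mapped_if: str
    mapped_ip: str
    real_ip: str


@dataclass
class Asa:
    statics: List[Static]
    routes: List[Tuple[str, str]]          # (prefix, interface)
    nats: List[Tuple[int, str, str]]       # nat (real_if) id real_ip
    globals_: Dict[Tuple[int, str], str]   # (id, mapped_if) -> "interface" or pool IP
    if_ip: Dict[str, str]                  # interface -> its own address
    xlates: List[Xlate] = field(default_factory=list)
    ports: Iterator[int] = field(default_factory=lambda: count(2458))  # constructed PAT ports

    def select_egress(self, pkt: Packet) -> Tuple[str, str, str]:
        """Return (egress interface, untranslated destination, deciding step)."""
        # Step 1: an xlate whose mapped side faces the ingress interface decides;
        # the routing table is not consulted at all.
        for x in self.xlates:
            if (x.mapped_if == pkt.ingress and x.mapped_ip == pkt.dst
                    and x.mapped_port in (None, pkt.dport)):
                return x.real_if, x.real_ip, "xlate"
        # Step 2: no xlate, but a static whose mapped address faces the ingress
        # interface: egress is the static's real side and a 1-1 xlate is created.
        for s in self.statics:
            if s.mapped_if == pkt.ingress and s.mapped_ip == pkt.dst:
                self.xlates.append(Xlate(s.real_if, s.real_ip, s.mapped_if, s.mapped_ip))
                return s.real_if, s.real_ip, "static"
        # Step 3: destination is not translated; longest-prefix route lookup.
        return self.route_lookup(pkt.dst), pkt.dst, "route"

    def route_lookup(self, ip: str) -> str:
        addr = ipaddress.ip_address(ip)
        hits = [(ipaddress.ip_network(p), i) for p, i in self.routes
                if addr in ipaddress.ip_network(p)]
        if not hits:
            raise LookupError("no route to " + ip)
        return max(hits, key=lambda h: h[0].prefixlen)[1]

    def translate_source(self, pkt: Packet, egress: str) -> Tuple[str, int]:
        """Source NAT once egress is known: static first, then nat/global PAT."""
        for s in self.statics:
            if (s.real_if, s.real_ip, s.mapped_if) == (pkt.ingress, pkt.src, egress):
                return s.mapped_ip, pkt.sport        # 1-1 static keeps the port
        for nat_id, real_if, real_ip in self.nats:
            if (real_if, real_ip) == (pkt.ingress, pkt.src):
                pool = self.globals_.get((nat_id, egress))
                if pool is None:
                    break                             # nat line without a matching global
                mapped_ip = self.if_ip[egress] if pool == "interface" else pool
                mapped_port = next(self.ports)
                self.xlates.append(Xlate(real_if, real_ip, egress, mapped_ip,
                                         pkt.sport, mapped_port))
                return mapped_ip, mapped_port
        raise LookupError("port map translation creation failed for " + pkt.src)


def forward(asa: Asa, pkt: Packet) -> Tuple[str, str, str, str, int]:
    """Egress selection followed by source translation, as one pipeline."""
    egress, dst, step = asa.select_egress(pkt)
    src, sport = asa.translate_source(pkt, egress)
    return egress, step, dst, src, sport


def prapanch_asa() -> Asa:
    """The thread's scenario; the two routes are assumptions of this example."""
    return Asa(
        statics=[Static("inside", "outside", "1.1.1.1", "10.1.1.10")],
        routes=[("0.0.0.0/0", "outside"), ("10.1.1.0/24", "inside")],
        nats=[(1, "outside", "2.2.2.2")],        # nat (outside) 1 2.2.2.2 ... outside
        globals_={(1, "inside"): "interface"},   # global (inside) 1 interface
        if_ip={"inside": "10.1.1.1"},
    )


if __name__ == "__main__":
    asa = prapanch_asa()
    print(forward(asa, Packet("outside", "2.2.2.2", 1024, "1.1.1.1", 80)))     # step 2
    print(forward(asa, Packet("inside", "10.1.1.10", 80, "10.1.1.1", 2458)))   # step 1
    print(forward(asa, Packet("inside", "10.1.1.10", 40000, "8.8.8.8", 80)))   # step 3
```

Running it shows the inbound packet decided by the static (step 2, with the PAT xlate for 2.2.2.2 created on the way), the server's reply decided by that xlate alone (step 1, no route lookup), and an outbound packet to an untranslated destination falling through to the route lookup before its source is translated by the static. A host with a nat line but no matching global, like 192.168.1.3 in KS's example, reaches the route step and then fails source translation, which is the "port map translation creation failed" case he mentions.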

Thanks KS again for sharing your views and correcting the 2nd statement.

I also want to tell you that, as we are talking about outbound traffic from inside, the statement "destination IP translating XLATE already exists" should actually refer to the "static (outside,inside)" statement, i.e. when the destination IP is getting translated from inside (as the route lookup happens for the destination), and not to static (inside,outside), as this refers to source translation from inside.

Also refer to the below statement:

"If  destination IP translating XLATE does not exist, but a matching static  translation exists, then the egress interface is determined from the  static translation and an XLATE is created, and the routing table is not used."

My point is that with the static command the translation is created immediately, so why are we saying "If destination IP translating XLATE does not exist, but a matching static translation exists" and then "...XLATE is created"? Why would we require creating an XLATE, as the static will immediately create the xlate as soon as we put it in the config?

Hi experts,

Please let me know your views on this query of route lookup.

Thanks Prapanch, that's what I was looking for.

In your below statement

"Now, the ASA checks (based on the output of show xlate) if there exists a NAT for combination tcp 1.1.1.1/80. We will not see one on the ASA. So it now goes to the next step of checking if there is a static for 1.1.1 on the outside interface. Since we have the static in place, the ASA will decide that the egress interface is "inside" and the destination IP is to be "un"translated to 10.1.1.10"

a) What I think for the above is that as soon as we put a static in the ASA, xlates are created immediately (it does not require generating some traffic like NAT) and we can see them in "sh xlate", so the xlate for 1.1.1.1 will be there in the ASA, but the xlate for the combination tcp 1.1.1.1/80 will not be there. I think what you mean to say is that Static PAT (i.e. NAT for the combination 1.1.1.1/80) is checked first and then Static NAT. Right?

b) In the previous posts, "route" was replaced with "translation" by poonguzhali (mentioned below) in the statement. Do you think that the original document also needs to be changed in Egress Interface Selection Process?


"If  destination IP translating XLATE does not exist, but a matching static  translation exists, then the egress interface is determined from the  static translation and an XLATE is created, and the routing table is not used."

Jayesh,

You are correct. On the ASA as soon as you put the static line in, it goes into the xlate table.

The link probably was taken from the FWSM reference, as on the FWSM, as soon as you put the line into the config, it doesn't show up in the xlate table; traffic needs to flow for the xlate to show up in the table.

FWSM egress interface selection process link: http://www.cisco.com/en/US/docs/security/fwsm/fwsm32/configuration/guide/ip_f.html#wp1118942

I will take care of correcting the documentation as needed.

-KS
