08-18-2013 11:18 PM - edited 03-11-2019 07:27 PM
Hi Folks,
Can anybody comment on the below?
1. In source NATting (inside users accessing the internet), first the NAT will happen, then the routing will happen. I agree with this.
2. In destination NATting (outside users accessing an inside server on a public IP), what will happen first, NATting or routing? I am looking forward to hearing an explanation.
regards
Rajesh
08-20-2013 10:39 AM
5 is matching the rule prior to inspection.
6 is applying inspection.
7 is modifying IP addressing per NAT rule.
Sent from Cisco Technical Support Android App
08-20-2013 11:07 AM
OK, so is it that 5 says: check the source and destination in the NAT rules but don't apply them,
and 7 says: apply the NAT translation for source/destination?
Is that what they are trying to convey?
08-20-2013 11:15 AM
Hi,
It would seem logical to me at least.
Though it still leaves me with a question about the L3 lookup.
The document seems to state that the translation will determine the egress interface. Yet if I have configured Dynamic PAT from one LAN interface to 2x WAN interfaces, then the active default route determines which Dynamic PAT is applied.
So this kind of confuses me still.
- Jouni
08-20-2013 11:32 AM
5 would be checking to see if a NAT rule exists in the config PRIOR to translation to reduce overhead I would assume. There is no point in performing inspection and afterwards dropping the traffic.
6 is applying inspection engines (MPF).
7 is THEN applying the translation. (Rewriting IP headers)
I'm not sure where the confusion is here, all connections should be understood from the Ingress > Egress standpoint. The picture under the heading ASA Packet Process Algorithm explains it beautifully on http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080ba9d00.shtml
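A small Python model of the three steps Jay lists (5: match the NAT rule, 6: run inspection, 7: rewrite the headers), added here as an illustration and not taken from any Cisco document or ASA code. The interface names, networks and addresses are the ones from Jouni's config above; the "no NAT rule means drop" behaviour is Jay's reading of step 5 and is an assumption of the model, as is the simple destination blocklist standing in for the inspection engines.

```python
# Hypothetical model of the ingress > egress order described in the thread.
# Not ASA code: it only shows that step 6 sees the untranslated header and
# that the egress interface comes out of the matched NAT rule in step 7.
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    ingress: str      # interface the packet arrived on (nameif)


@dataclass(frozen=True)
class NatRule:
    ingress: str      # real-side interface, e.g. "LAN"
    real_net: str     # real network, e.g. "10.10.10.0/24"
    egress: str       # mapped-side interface, e.g. "ISP-1"
    mapped_ip: str    # interface PAT address on the egress interface


def match_nat(pkt, rules):
    """Step 5: find the first rule for this ingress interface and real
    source network. Nothing in the packet changes yet."""
    for r in rules:
        if r.ingress == pkt.ingress and ip_address(pkt.src) in ip_network(r.real_net):
            return r
    return None


def inspect(pkt, blocked_dst):
    """Step 6: policy/inspection runs on the packet as it arrived, i.e.
    with the real (pre-translation) addresses. Constructed blocklist."""
    return pkt.dst not in blocked_dst


def translate(pkt, rule):
    """Step 7: rewrite the source to the mapped address; the egress
    interface is the one named in the matched rule."""
    return replace(pkt, src=rule.mapped_ip), rule.egress


def process(pkt, rules, blocked_dst=frozenset()):
    """Returns (translated packet or None, egress interface or drop reason)."""
    rule = match_nat(pkt, rules)
    if rule is None:                       # assumption: no rule -> dropped before inspection
        return None, "drop: no NAT rule"
    if not inspect(pkt, blocked_dst):      # inspection saw the original header
        return None, "drop: inspection"
    return translate(pkt, rule)
```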
08-20-2013 11:41 AM
Hi,
I am just wondering about the following simple example (I ignored the typical "track" and "sla" configuration that would normally be used in this situation to have automatic failover of the default route between the ISPs).
interface GigabitEthernet0/0
nameif ISP-1
security-level 0
ip add 1.1.1.2 255.255.255.248
interface GigabitEthernet0/1
nameif ISP-2
security-level 0
ip add 2.2.2.2 255.255.255.248
interface GigabitEthernet0/2
nameif LAN
security-level 100
ip add 10.10.10.1 255.255.255.0
route ISP-1 0.0.0.0 0.0.0.0 1.1.1.1 1
route ISP-2 0.0.0.0 0.0.0.0 2.2.2.1 254
global (ISP-1) 1 interface
global (ISP-2) 1 interface
nat (LAN) 1 10.10.10.0 255.255.255.0
So if we look at the document, it makes no mention of any L3 lookup except after applying the NAT configurations. In the above situation I would imagine there is a NAT that could apply for the LAN network in the direction of either ISP-1 or ISP-2.
So which ISP interface's NAT configuration is applied if no egress interface decision has been made according to the routing table?
And if no routing table affects the NAT chosen, how exactly is the NAT chosen from the above 2 possibilities?
- Jouni
08-21-2013 02:59 AM
Hi Anthony,
We were discussing the Destination-NAT traffic flow vs. Source-NAT.
In source-NAT, as per the link which you provided, NAT will happen before routing. What about Destination-NAT?
regards
Rajesh. P
08-22-2013 06:16 PM
Thanks Jay, very interesting breakdown.
Sent from Cisco Technical Support Android App