
Issue on Routing or NAT after ASA Upgrade?

fatalXerror
Level 5

Hi Guys,

Good Day!

Just want to know if you also have an issue regarding the ASA not performing routing but instead using its NAT configuration to route the traffic. I have a NAT from DMZ to ISP with any any in its criteria; however, we already have a more specific route configured in the ASA as static going to the inside zone of the ASA.

Can you enlighten us on what happened?

Thanks.

8 Replies

Aditya Ganjoo
Cisco Employee

Hi,

In newer codes if you use a route-lookup keyword it may take preference.

Check this link:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/116388-technote-nat-00.html#anc11

Regards,

Aditya

Please rate helpful posts.

Hi Aditya,

Good Day!

Do you know which ASA IOS version first introduced this change? Because we upgraded the ASA from version 8.4(4)9 to version 8.4(7)30.

Thanks

Hi,

It was done from 8.3 code.

May I know which NAT statement is getting affected by this?

Regards,

Aditya

Hi Aditya,

Good Day!

Do you know why it was only affected at the time we upgraded if this new NAT coding starts at 8.3? Our previous version is 8.4(4)9, which means it already has the new NAT rule code.

Thanks

Hi Aditya,

Good Day!

The affected ones are those with "any any" in their NAT.

Thanks.

Hi,

By any any, do you mean the interfaces?

If yes, I would recommend being more specific.

Regards,

Aditya

Hi Aditya,

Good Day!

The interfaces are from DMZ to ISP, and the destination is any any. Also, the static route goes to the inside zone.

Do you have any idea why it only happened after the upgrade even though the NAT change of behaviour was introduced in version 8.3?

Thanks.

Hi,

Could you please share the packet tracer output of the affected traffic?

Regards,

Aditya
