Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1101
Views
0
Helpful
0
Replies

NAT Divert feature in ASA

ChristopherCraddock66504
Level 1
Level 1

‎03-30-2021 12:52 PM

Community,

 

I had a question regarding the NAT Divert feature. I am noticing some interesting behavior on my ASA 5545-X running 9.6(4)(42). I am noticing that on the Section 1 NAT rules that are configured as Unidirectional, it seems that the ASA is using the Global Routing Table for the next hop interface. But on Section 1 NAT rules that are Bidirectional, NAT Divert is taking place. Is this normal? Does NAT divert not apply to Unidirectional rules in section 1? Here is an example output of what Im seeing.

 

--Here is the NAT rule in question--

101 (DMZ_PROD) to (outside-cc) source static 172.17.88.31 cc-pat-ext-5_50.x.x.127 unidirectional
translate_hits = 333607, untranslate_hits = 0

 

--The NAT rule is in the NAT Divert Table; however it is set to "ignore"--

 

id=0x7fbfb211da90, domain=twice-nat section=1 ignore=yes
type=static, hits=0, flags=0x8d, protocol=0
src ip/id=172.17.88.31, mask=255.255.255.255, port=0-0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0-0
input_ifc=DMZ_PROD, output_ifc=outside-cc

 

I cannot find any documentation that confirms that Unidirectional NATs in section 1 are by default set to ignore NAT Divert, but the behavior seems to confirm it. Has anyone run into this before?

 

Thanks. 

0 Helpful
0 Replies 0
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card