
NAT divert (U-NAT)

shawnseter
Level 1

Hey all,

 

Somewhat of a silly question when it comes to identity NAT rules, which cause the ASA to use NAT divert instead of the routing table. How does the ASA determine the next-hop IP address in this scenario?

 

We currently are dual homing our ASA to two different ASRs (separate subnets), but we are going to switch to using one external interface on the ASA, and putting the two ASRs all on the same network. I will then be advertising two default routes from each ASR to the ASA. I'm just curious to see how our NAT divert rules will work after this change is made, since there will be two potential next-hop addresses, and since the ASA doesn't consult the routing table, it won't acknowledge route preference or anything.

 

So how will this work? How will the ASA choose 1 of the 2 possible next-hop IP addresses? Will this cause routing issues because the ASA won't be able to look up EIGRP metrics, since it's not using the routing table? Any insight is appreciated!

1 Reply

Hello,

Which ASA version do you have? This document offers a workaround for your situation:

"Since the presence of the NAT rule in the configuration forces the traffic to divert to the wrong interface, configuration lines need to be removed temporarily in order to work around the problem. You can enter the "no" form of the specific NAT line, however this manual intervention might take time and an outage could be faced. In order to speed up the process, the task needs to be automated in some fashion. This can be achieved with the EEM feature introduced in ASA Release 9.2.1."

 
