10-22-2019 04:27 AM
My setup is exactly what is explained here:
My problem (which off course is now resolved) is : I can't SSH / ASDM to inside interface of the firewall, the solution was to enable 'route lookup' at the end of NAT, this is fine and working.
(From the link above)
nat (inside,outside) source static obj_192.168.10.0 obj_192.168.10.0 destination
static obj_172.18.124.0 obj_172.18.124.0 no-proxy-arp route-lookup
!--- Configures a default route towards the gateway router.
route outside 0.0.0.0 0.0.0.0 198.51.100.252 1
What I don't understand is, what difference does it make to enable 'route lookup' if there is only one default route on the firewall? Correct me if I am wrong, but if I don't enable 'route-lookup', it will use the outside interface in the nat, which I think will naturally forward traffic to default gateway? If not, how is packet routed when route-lookup is not enabled?
Solved! Go to Solution.
10-22-2019 09:51 AM - edited 10-22-2019 09:52 AM
There are few scenarios where you want to use route-lookup , go through these notes below - see under "Configuring Identity NAT " purpose notes " Determining the Egress Interface" section , it explains it all
10-22-2019 12:02 PM
What is under the object definition VPN_LOCAL and VPN_REMOTE?
One of the problems that I usually see is when there is an overlap between the source and destination networks. Since identity NAT is bidirectional in nature, you could match the rule in the reverse direction causing it to route it to the wrong interface.
So in your case, say both VPN_LOCAL and VPN_REMOTE are the same, say 10.0.0.0/8. This means your rule can be interpreted in two ways:
nat (inside,outside) source static VPN_LOCAL VPN_LOCAL destination static VPN_REMOTE VPN_REMOTE no-proxy-arp or nat (inside,outside) source static VPN_REMOTE VPN_REMOTE destination static VPN_LOCAL VPN_LOCAL no-proxy-arp
10-22-2019 09:51 AM - edited 10-22-2019 09:52 AM
There are few scenarios where you want to use route-lookup , go through these notes below - see under "Configuring Identity NAT " purpose notes " Determining the Egress Interface" section , it explains it all
10-22-2019 09:54 AM
What does your NAT config look like?
The route-lookup keyword is used when you want the ASA to use the routing table to determine the egress interface instead of the nat rule. So, for example, if your rule has (inside, any), it could translate to (inside, inside) or (inside, outside). The route-lookup is meant to avoid that ambiguity and let the routing table take care of finding the egress interface.
10-22-2019 11:01 AM
Thanks. I understand that route lookup tells ASA to check the routing table, but if route lookup is not enabled and I have just one nat and default route, how does it make a difference?
My NAT
nat (inside,outside) source static VPN_LOCAL VPN_LOCAL destination static VPN_REMOTE VPN_REMOTE no-proxy-arp route-lookup
10-22-2019 12:02 PM
What is under the object definition VPN_LOCAL and VPN_REMOTE?
One of the problems that I usually see is when there is an overlap between the source and destination networks. Since identity NAT is bidirectional in nature, you could match the rule in the reverse direction causing it to route it to the wrong interface.
So in your case, say both VPN_LOCAL and VPN_REMOTE are the same, say 10.0.0.0/8. This means your rule can be interpreted in two ways:
nat (inside,outside) source static VPN_LOCAL VPN_LOCAL destination static VPN_REMOTE VPN_REMOTE no-proxy-arp or nat (inside,outside) source static VPN_REMOTE VPN_REMOTE destination static VPN_LOCAL VPN_LOCAL no-proxy-arp
10-29-2019 03:25 AM
Thanks Govindan, this makes sense.
The Subnets are overlapping, the local subnet is 10.35.15.0 the remote subnet is 10.0.0.0/8
10-30-2019 11:32 PM
Thanks Rahul, it makes to understand it, and I request you to hook me up with a document or something that I can understand this concept end to end.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide