I am trying to understand some use cases for NAT-Divert. Can it be used to override the routing table? Let me give an example of a case here.
Let's say I have 3 interfaces: inside, outside, outside2. I only want a specific network from the inside network to use the secondary internet connection, which is outside2. Removing NAT from the picture, this is just pure NAT-Divert and routing.
So my default route is pointing to outside for all other traffic. If I try to establish connectivity from vlan100 to any IP, I can see that the firewall is creating a conduit for inside,outside2 pair. That means the firewall is trying to send the traffic out to outside2 interface using NAT-divert. However, traffic fails because of this error.
ASA-6-110003: Routing failed to locate next hop
I understand that it's failing because it cannot locate the next-hop IP and MAC address.
Without using PBR on Cisco ASA, can NAT-divert work in this scenario?
By the way, I tried to manually map an ARP entry to see if this would work. Let's say I tried to ping 22.214.171.124 from VLAN100. I can see the conduit created in the session table as inside,outside2, but a packet capture does not see traffic coming out of the outside2 interface. So I tried to map 126.96.36.199 to, let's say, the MAC address of the possible next-hop of outside2. The ASA-6-110003 error from the logs disappeared, but still no traffic is being released to outside.