I am trying to understand some use cases for NAT-Divert. Can it be used to override the routing table? Let me give an example of a case here.
Let's say I have 3 interfaces: inside, outside, and outside2. I only want a specific network from the inside network to use the secondary internet connection, which is outside2. Taking NAT out of the picture, this is just pure NAT-Divert and routing.
So my default route is pointing to outside for all other traffic. If I try to establish connectivity from vlan100 to any IP, I can see that the firewall is creating a conduit for the inside,outside2 pair. That means the firewall is trying to send the traffic out the outside2 interface using NAT-divert. However, traffic fails because of this error.
ASA-6-110003: Routing failed to locate next hop
I understand that it's failing because it cannot locate the next-hop IP and MAC address.
Without using PBR on Cisco ASA, can NAT-divert work in this scenario?
By the way, I tried to manually map an ARP entry to see if this would work. Let's say I tried to ping 220.127.116.11 from VLAN100. I can see the conduit created in the session table as inside,outside2, but packet captures do not see traffic coming out of the outside2 interface. So I tried to map 18.104.22.168 to, let's say, the MAC address of the possible next-hop of outside2. The ASA-6-110003 error disappeared from the logs, but still no traffic is being released to outside.