Asymmetric routing

Unanswered Question
Jul 1st, 2010


I have a doubt and I hope someone can help me to clarify it.

I have two hosts that are asymmetrically routed between them. Traffic from A to B enters firewall 1 through interface Inside, and then reaches B going out on interface Outside. Then, return traffic from host B goes back to A through firewall 1 entering on interface Outside, but due to an old static route, goes out firewall 1 on interface Old_Inside. The path taken after this is different, and there is an additional firewall in the middle.

My first thought was this is not gonna work. But surprisingly it works. I was expecting that the second firewall would see a packet from B to A without having a session established and then it would drop it. I set a capture there to see that, but it is not capturing anything.

My guess is that traffic from B to A is not going out firewall 1 through Old_Inside, and that actually it is going out through Inside. The reason for that would be that the firewall doesn't perform a route lookup for the returning traffic. It just forwards it based on the session that is established.

Is this correct?




Well, it could work even going out the interface Old_Inside and passing through another firewall... it all depends on how the other firewall is configured. Check the routes in the firewall to confirm which interface the return traffic will take.

All devices perform unicast route lookup, all network devices need a next hop.


Kevin Redmon (Cisco Employee) Fri, 07/02/2010 - 06:00


The order of operations for translations on an ASA/PIX/FWSM prior to 8.3 is:

1.) nat 0 with access-list

2.) existing xlates -> this is where you are

3.) match static commands (first match)

  static NAT with/without access-list

  static PAT with/without access-list

4.) match nat commands

  nat access-list (first match)

  nat (best match)

The xlate in this case was formed outbound and was re-used inbound - passing the traffic towards the "Inside" interface ("ignoring" the route or other static). If this was a new connection from the outside, it would use the static statement (as there are no existing xlates) and will egress the "Old_Inside".

Hope this helps!  If this answers your questions, please let me know.

Best Regards,
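
Added example, not part of the original thread and not Cisco code: a toy Python model of the lookup order listed in the reply above, showing why B's reply leaves via Inside while a new inbound connection (or the same flow after the xlate is gone) would leave via Old_Inside. The address, the rule tables and all function names are assumptions made for illustration, and real ASA matching is richer than this.

```python
# Toy model of the pre-8.3 lookup order quoted above. Constructed example:
# addresses and rule contents are made up; this is not a full ASA model.
from dataclasses import dataclass, field

HOST_A = "10.1.1.10"  # constructed address for host A


@dataclass
class Firewall:
    nat0_acl: dict = field(default_factory=dict)   # 1) nat 0 with access-list
    xlates: dict = field(default_factory=dict)     # 2) existing xlates
    statics: list = field(default_factory=list)    # 3) static commands, in order
    nat_rules: list = field(default_factory=list)  # 4) nat commands

    def outbound(self, local_ip, ingress_if):
        """A connection initiated from ingress_if builds an xlate bound to it."""
        self.xlates[local_ip] = ingress_if

    def expire_xlate(self, local_ip):
        """Models the xlate timing out or being cleared."""
        self.xlates.pop(local_ip, None)

    def select_egress(self, dst_ip):
        """Return (stage, interface) for a packet arriving on Outside for dst_ip."""
        if dst_ip in self.nat0_acl:
            return "nat0", self.nat0_acl[dst_ip]
        if dst_ip in self.xlates:
            return "xlate", self.xlates[dst_ip]
        for mapped_ip, real_if in self.statics:  # first match wins
            if mapped_ip == dst_ip:
                return "static", real_if
        for mapped_ip, real_if in self.nat_rules:
            if mapped_ip == dst_ip:
                return "nat", real_if
        return "none", None


def demo():
    fw = Firewall(statics=[(HOST_A, "Old_Inside")])  # the stale static
    new_conn = fw.select_egress(HOST_A)      # B initiates, no xlate yet
    fw.outbound(HOST_A, "Inside")            # A initiates towards B
    reply = fw.select_egress(HOST_A)         # B's reply reuses the xlate
    fw.expire_xlate(HOST_A)
    after_expiry = fw.select_egress(HOST_A)  # falls through to the static again
    return new_conn, reply, after_expiry


if __name__ == "__main__":
    print(demo())
```

The third result is the operationally relevant one: the path a packet takes depends on xlate state, so a flow that works today can shift to the Old_Inside path and the second firewall once the xlate no longer exists.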


