Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
636
Views
0
Helpful
2
Replies

Asymetric routing

german.a.chialli
Level 1
Level 1

‎07-01-2010 05:55 PM - edited ‎03-11-2019 11:06 AM

Hi,

I have a doubt and I hope someone can help me to clarify it.

I have two hosts that are asymmetically routed between them. Traffic from A to B enters firewall 1 through interface Inside, and then reaches B going out on interface Outside. Then, return traffic from host B goes back to A through firewall 1 entering on interface Outside, but due to an old static route, goes out firewall 1 on interface Old_Inside. The path taken after this is different, and there is an additional firewall in the middle.

My first thought was this is not gonna work. But surprisingly it works. I was expecting that the second firewall will see a packet from B to A without having a session established and then it would drop it. I set a capture there to see that, but it is not capturing anything.

My guess is that traffic from B to A is not going out firewall 1 through Old_Inside, and that actually it is going out through Inside. The reason for that would be that the firewall doesn't perform a route lookup for the returning traffic. It just forward it based on the session that is established.

Is this correct?

Thanks!

German

Labels:
0 Helpful
2 Replies 2

andrew.prince
Level 10
Level 10

‎07-02-2010 05:50 AM

Well it could work even going out the interface Old_Inside, and passing thru another firewall....all depends on how the other firewall is configured.  check the routes in the firewall to confirm which interface the return traffic will take.

All devices perform unicast route lookup, all network devices need a next hop.

HTH>

0 Helpful

Kevin Redmon
Cisco Employee
Cisco Employee

‎07-02-2010 06:00 AM

German,

The order of operations for translations on an ASA/PIX/FWSM prior to 8.3 is:

1.) nat 0 with access-list

2.) existing xlates -> this is where you are

3.) match static commands (first match)

  static NAT with/without access-list

  static PAT with/without access-list

4.) match nat commands

  nat access-list (first match)

  nat

(best match)

The xlate in this case was formed outbound and was re-used inbound - passing the traffic towards the "Inside" interface ("ignoring" the route or other static).  If this was an new connection from the outside, it would use the static statement (as there are no existing xlates) and will egress the "Old_Inside".

Hope this helps!  If this answers your questions, please let me know.

Best Regards,

Kevin

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card