ASA9.1 how to use route-lookup instead of "NAT-lookup" for egress interface on non-identity NAT
I have an ASA firewall with three interfaces, inside, outside and Link.
I have a situation where I need the ASA to perform the following nat rules:
from "Inside" to "Link" - any source to destination 192.168.51.0/24 - translate source to 10.0.0.19
from "inside" to "outside" - any source to any destination - translate source to "interface" (internet navigation)
from "inside" to "outside" any source to 192.168.51.0/24 - translate source to 10.0.0.17
This is what I am trying to get working:
nat (any,TEF) source dynamic any 184.108.40.206_nat destination static obj_192.168.51.0 obj_192.168.51.0
nat (any,outside) source dynamic any 220.127.116.11_nat destination static obj_192.168.51.0 obj_192.168.51.0
The problem is that the "outside" route to 192.168.51.0 is an alternative route over a VPN tunnel. I'm using sla monitor, so when the "Link" interface is out, the route table changes the network 192.168.51.0/24 to be reachable over the outside interface. But the ASA is using the NAT rule to perform the "egress interface lookup" instead of a route lookup.
I know about the command route-lookup on the NAT configuration, but I need to translate the source address and when I try to use the route-lookup command I get an error message:
ERROR: Option route-lookup is only allowed for static identity case
Did you try the route-lookup keyword in your NAT statement? (If there is a static NAT present for some traffic, then the ASA decides the egress interface based on the NAT statement. This behaviour can be altered on a per-NAT-rule basis by using the "route-lookup" keyword in the NAT rule.)
Share the NAT rule you are trying to implement and let us know the ASA software version running on your ASA.
Yes, the "route-lookup" option is only available for identity NATs.
Is there perhaps a way to globally disable the NAT check to determine the exit interface? (In other words, globally enable route-lookup.)
I'm replacing an ASA5520 (8.2.5) with an ASA5516X (9.5.1). In the old config the client has static NATs that translate an internal IP to the same public IP when it exits 4 interfaces. Now when I migrate that config I have an issue that the correct exit interface is not selected, because it uses an existing Xlate entry. I want it to rather use the routing table (the old way).
I was able to use dynamic object NAT for one of the interfaces.
One option may be to create two ranges: 18.104.22.168-10.10.9.255 and 10.10.11.0-255.255.255.255.
These two ranges exclude 10.10.10.0/24, for example. So you could create your internet NATing when the destination networks are these two ranges. Effectively you will NAT for everything except 10.10.10.0/24. Then you could create two object NATs for the source 10.10.10.0/24, one per outgoing interface. This kind of NAT doesn't force the traffic to the interface; it works if the routing table sends traffic out of that interface.
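A configuration sketch of the approach described in that answer, added here as an illustration and not posted by anyone in the thread. It assumes the interface names inside, outside and Link from the original question, an inside network of 10.10.10.0/24, a single shared public address taken from the RFC 5737 documentation range as a placeholder, and that the first excluded range starts at 0.0.0.0 (the first endpoint of that range did not survive on the page); all object and rule names are made up.

```cisco
! Two destination ranges that together cover every address except 10.10.10.0/24.
! The 0.0.0.0 start of the first range is an assumption; object names are invented.
object network DST_BELOW_10_10_10
 range 0.0.0.0 10.10.9.255
object network DST_ABOVE_10_10_10
 range 10.10.11.0 255.255.255.255
object-group network DST_NOT_10_10_10
 network-object object DST_BELOW_10_10_10
 network-object object DST_ABOVE_10_10_10
!
! Internet PAT as a manual NAT rule that only matches when the destination lies in
! the two ranges above, so traffic to 10.10.10.0/24 never hits this rule.
! after-auto places it below the object NAT rules in section 3.
nat (inside,outside) after-auto source dynamic any interface destination static DST_NOT_10_10_10 DST_NOT_10_10_10
!
! Placeholder for the one public address used on both exits (203.0.113.10 is a
! documentation address, not taken from the thread).
object network MAPPED_PUBLIC
 host 203.0.113.10
!
! Object (auto) NAT for the inside hosts, one network object per egress interface.
! Two objects may carry the same subnet, each with its own nat line. Dynamic object
! NAT does not pin the egress interface: the routing table picks the exit, and the
! rule whose interface pair matches that exit is the one applied.
object network INSIDE_VIA_LINK
 subnet 10.10.10.0 255.255.255.0
 nat (inside,Link) dynamic MAPPED_PUBLIC
object network INSIDE_VIA_OUTSIDE
 subnet 10.10.10.0 255.255.255.0
 nat (inside,outside) dynamic MAPPED_PUBLIC
```

With this layout a route change driven by the SLA monitor moves the inside hosts to the other object NAT rule without any NAT reconfiguration, because egress is decided by the route lookup first. Existing xlate entries built on the old path are not rewritten by the route change, so after a failover `show xlate` and, if needed, `clear xlate` for the affected hosts are the first things to check when traffic still leaves the wrong interface.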