ASA9.1 how to use route-lookup instead of "NAT-lookup" for egress interface on non-identity NAT



I have an ASA firewall with three interfaces, inside, outside and Link.

I have a situation where I need the ASA to perform the following nat rules:

from "Inside" to "Link" - any source to destination - translate source to

from "inside" to "outside" - any source to any destination - translate source to "interface" (internet navigation)

from "inside" to "outside" any source to - translate source to

This is what I am trying to get working:

nat (any,TEF) source dynamic any destination static obj_192.168.51.0 obj_192.168.51.0
nat (any,outside) source dynamic any destination static obj_192.168.51.0 obj_192.168.51.0


The problem is that the "outside" route to is an alternative route over a VPN tunnel. I'm using SLA monitor, so when the "Link" interface is out, the route table changes the network to be reachable over the outside interface. But the ASA is using the NAT rule to perform the "egress interface lookup" instead of a route lookup.

I know about the command route-lookup on the NAT configuration, but I need to translate the source address and when I try to use the route-lookup command I get an error message:

ERROR: Option route-lookup is only allowed for static identity case


Does anybody have a suggestion?




First of all I should say never use the any keyword in the NAT interface listing, as that can cause problems, even in this case when it seems to be useful to decrease the number of lines.


In order to see the route-lookup option you must specify both the source interface and the destination interface.


Give it a try


Julio Carvajal
Senior Network Security and Core Specialist

Hi Julio,


Thank you for the reply.

It didn't work either.

Here are the options I get when I use the specific interfaces (using "source dynamic"):

configure mode commands/options:
  description  Specify NAT rule description
  inactive     Disable a NAT rule
  net-to-net   Net to net mapping of IPv4 to IPv6
  service      NAT service parameters

If I try to use source static:

 nat (inside,TEF) source static inside_nat destination static obj_192.168.51.0 obj_192.168.51.0 route-lookup

ERROR: Option route-lookup is only allowed for static identity case


Hi, did you perhaps get a solution for this problem of yours? I just ran into similar issues.

Hi Louis,

Did you try route-lookup keyword in your NAT statement? (If there is static NAT present for some traffic then ASA decides egress interface based on the NAT statement. This behaviour can be altered per NAT rule basis by using "route lookup" keyword in NAT rule).

Share the NAT rule you are trying to implement and let us know the ASA software version running on your ASA.




The ASA only allows "route-lookup" for identity NAT statements.

If you are effectively trying to NAT the traffic to ip A going out of the outside to destination B and NAT to C if going out of "Partner-link" to destination B you can't use route-lookup.

Yes, the "route-lookup" option is only available for identity NATs.


Is there perhaps a way to globally disable the NAT check to determine the exit interface? (In other words, globally enable route-lookup.)


I'm replacing an ASA5520 (8.2.5) with an ASA5516X (9.5.1). In the old config the client has static NATs that translate an internal IP to the same public IP when it exits 4 interfaces. Now when I migrate that config I have an issue that the correct exit interface is not selected, because it uses an existing xlate entry. I want it to rather use the routing table (the old way).


If you don't need to tie the config to the destination (if it will always translate), you can use object NAT instead of "manual" NAT.


I was able to use dynamic object NAT for one of the interfaces.

One option may be to create two ranges: and

These two ranges exclude for example. So you could create your internet NATing when the destination networks are these two ranges. Effectively you will NAT everything except So you could create two object NATs for the source, one per outgoing interface. And this kind of NAT doesn't force the traffic to the interface; it works if the routing table sends traffic out of that interface.
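As an added illustration of the object NAT approach described in the last two replies (this is not configuration posted in the thread), here is how two auto NAT rules for the same inside subnet, one per egress interface, would be written. The interface names inside, outside and Link follow the original question; the subnet 10.1.1.0/24, the mapped address 203.0.113.10 and the object names are placeholders chosen for the example, not values from the thread.

```cisco
! Mapped address used when traffic leaves via the Link interface (placeholder value)
object network MAPPED_LINK_ADDR
 host 203.0.113.10

! The same real subnet is defined twice, once per egress interface,
! because a network object can carry only one NAT rule.
object network INSIDE_NET_VIA_LINK
 subnet 10.1.1.0 255.255.255.0
 nat (inside,Link) dynamic MAPPED_LINK_ADDR

object network INSIDE_NET_VIA_OUTSIDE
 subnet 10.1.1.0 255.255.255.0
 nat (inside,outside) dynamic interface

! Check which rule a given flow matches and which egress interface is chosen
! (placeholder source and destination addresses):
! packet-tracer input inside tcp 10.1.1.10 12345 192.168.51.10 80
! show nat detail
```

Because neither object rule names a destination, the rule that applies is the one whose mapped interface matches the interface the routing table selects, which is the behaviour the reply above describes: when the SLA-tracked route moves the 192.168.51.0 network from Link to outside, traffic simply starts matching the outside rule instead of being diverted to Link by the NAT rule. Running packet-tracer before and after forcing the route change is the quickest way to confirm this on a lab box.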
