05-06-2014 01:15 PM - edited 03-11-2019 09:10 PM
Hi,
I have an ASA firewall with three interfaces, inside, outside and Link.
I have a situation where I need the ASA to perform the following nat rules:
from "Inside" to "Link" - any source to destination 192.168.51.0/24 - translate source to 10.0.0.19
from "inside" to "outside" - any source to any destination - translate source to "interface" (internet navigation)
from "inside" to "outside" - any source to 192.168.51.0/24 - translate source to 10.0.0.17
This is what I am trying to get working:
nat (any,TEF) source dynamic any 130.130.0.19_nat destination static obj_192.168.51.0 obj_192.168.51.0
nat (any,outside) source dynamic any 130.130.0.17_nat destination static obj_192.168.51.0 obj_192.168.51.0
The problem is that the "outside" route to 192.168.51.0 is an alternative route over a VPN tunnel. I'm using sla monitor, so when the "Link" interface is out, the route table changes the network 192.168.51.0/24 to be reachable over the outside interface, but the ASA is using the NAT rule to perform the "egress interface lookup" instead of a route lookup.
I know about the command route-lookup on the NAT configuration, but I need to translate the source address and when I try to use the route-lookup command I get an error message:
ERROR: Option route-lookup is only allowed for static identity case
Does anybody have a suggestion?
Thanks
05-08-2014 05:49 AM
First of all, I should say: never use the any keyword in the NAT interface listing, as that can cause problems, even in this case where it seems useful to decrease the number of lines.
In order to see the route-lookup option you must specify both the source interface and the destination interface.
Give it a try
05-09-2014 08:28 AM
Hi Julio,
Thank you for the reply.
It didn't work either.
Here are the options I get when I use the specific interfaces (using "source dynamic"):
configure mode commands/options:
description Specify NAT rule description
inactive Disable a NAT rule
net-to-net Net to net mapping of IPv4 to IPv6
service NAT service parameters
If I try to use source static:
nat (inside,TEF) source static inside_nat 130.130.0.19_nat destination static obj_192.168.51.0 obj_192.168.51.0 route-lookup
ERROR: Option route-lookup is only allowed for static identity case
10-10-2015 04:54 PM
Hi, did you perhaps get a solution for this problem of yours? I just ran into similar issues.
10-10-2015 10:17 PM
Hi Louis,
Did you try the route-lookup keyword in your NAT statement? (If there is static NAT present for some traffic then the ASA decides the egress interface based on the NAT statement. This behaviour can be altered on a per-NAT-rule basis by using the "route-lookup" keyword in the NAT rule.)
Share the NAT rule you are trying to implement and let us know the ASA software version running on your ASA.
Thanks,
R.Seth
10-11-2015 05:48 AM
The ASA only allows "route-lookup" for identity NAT statement.
If you are effectively trying to NAT the traffic to IP A when going out of the outside interface to destination B, and NAT to C when going out of "Partner-link" to destination B, you can't use route-lookup.
10-11-2015 11:09 PM
Yes, the "route-lookup" option is only available for identity NATs.
Is there perhaps a way to globally disable the NAT check that determines the exit interface? (In other words, globally enable route-lookup.)
I'm replacing an ASA5520 (8.2.5) with an ASA5516X (9.5.1). In the old config the client has static NATs that translate an internal IP to the same public IP when it exits 4 interfaces. Now when I migrate that config I have an issue that the correct exit interface is not selected, because it uses an existing xlate entry. I want it to rather use the routing table (the old way).
10-12-2015 05:33 AM
If you don't need to tie the config to the destination, i.e. if it will always translate, you can use object NAT instead of "manual" NAT.
10-11-2015 05:45 AM
I was able to use dynamic object NAT for one of the interfaces.
One option may be to create two ranges: 1.1.1.1-10.10.9.255 and 10.10.11.0-255.255.255.255.
These two ranges exclude 10.10.10.0/24, for example. So you could create your Internet NATing for when the destination networks are these two ranges. Effectively you will NAT everything except 10.10.10.0/24. Then you could create two object NATs for the source 10.10.10.0/24, one per outgoing interface. This kind of NAT doesn't force the traffic to the interface; it works if the routing table sends traffic out of that interface.
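The following configuration sketch shows the object-NAT approach described in the reply above applied to the original poster's scenario. It is an added illustration, not configuration from any participant in the thread. It assumes an inside network of 192.168.1.0/24 (the thread never states the real one), reuses the interface name TEF and the object names from the original post, and uses two illustrative range objects that together cover everything except 192.168.51.0/24.

```cisco
! Added example, not from the thread. Assumptions: inside network 192.168.1.0/24,
! interface names inside / outside / TEF, mapped hosts as in the original post.
object network obj_192.168.51.0
 subnet 192.168.51.0 255.255.255.0
object network 130.130.0.17_nat
 host 130.130.0.17
object network 130.130.0.19_nat
 host 130.130.0.19
!
! Destination ranges that together cover everything EXCEPT 192.168.51.0/24
! (illustrative bounds; tighten them to the address space you actually route).
object network dst_below_51
 range 1.0.0.0 192.168.50.255
object network dst_above_51
 range 192.168.52.0 223.255.255.255
!
! Section 1 (manual NAT): interface PAT for Internet traffic only. Because the
! destination objects exclude 192.168.51.0/24, this rule never claims that
! traffic, so it cannot pin it to the outside interface.
nat (inside,outside) source dynamic any interface destination static dst_below_51 dst_below_51
nat (inside,outside) source dynamic any interface destination static dst_above_51 dst_above_51
!
! Section 2 (object NAT): one rule per egress interface for the inside subnet.
! Object NAT allows a single nat line per object, so the same subnet is defined
! twice under different names. These rules do not drive egress selection; the
! routing table (and therefore the SLA-tracked route) does.
object network inside_via_outside
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic 130.130.0.17_nat
object network inside_via_TEF
 subnet 192.168.1.0 255.255.255.0
 nat (inside,TEF) dynamic 130.130.0.19_nat
```

To confirm the behaviour, run `packet-tracer input inside tcp 192.168.1.10 12345 192.168.51.10 80` once with the TEF route active and once after the tracked route has failed over: the NAT phase should show the inside_via_TEF rule in the first case and inside_via_outside in the second, with the egress interface taken from the route lookup each time. `show nat detail` lists the rule order and hit counts if the wrong rule is being matched.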