ASA9.1 how to use route-lookup instead of "NAT-lookup" for egress interface on non-identity NAT

guibarati
Level 4

Hi,

 

I have an ASA firewall with three interfaces, inside, outside and Link.

I have a situation where I need the ASA to perform the following nat rules:

from "Inside" to "Link" - any source to destination 192.168.51.0/24 - translate source to 10.0.0.19

from "inside" to "outside" - any source to any destination - translate source to "interface" (internet navigation)

from "inside" to "outside" - any source to 192.168.51.0/24 - translate source to 10.0.0.17

This is what I am trying to get working:

nat (any,TEF) source dynamic any 130.130.0.19_nat destination static obj_192.168.51.0 obj_192.168.51.0
nat (any,outside) source dynamic any 130.130.0.17_nat destination static obj_192.168.51.0 obj_192.168.51.0

 

The problem is that the "outside" route to 192.168.51.0 is an alternative route over a VPN tunnel. I'm using sla monitor, so when the "Link" interface is down, the route table changes the network 192.168.51.0/24 to be reachable over the outside interface, but the ASA is using the NAT rule to perform the "egress interface lookup" instead of a route-lookup.

I know about the command route-lookup on the NAT configuration, but I need to translate the source address and when I try to use the route-lookup command I get an error message:

ERROR: Option route-lookup is only allowed for static identity case

 

Does anybody have a suggestion?

Thanks

 


Julio Carvajal
VIP Alumni

First of all I should say never use the any keyword in the NAT interface listing, as that can cause problems, even in this case where it seems useful to decrease the number of lines.

 

In order to see the route-lookup option you must specify both the source interface and destination interface.

 

Give it a try

 

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Julio,

 

Thank you for the reply.

It didn't work either.

Here are the options I get when I use the specific interfaces (using "source dynamic"):

configure mode commands/options:
  description  Specify NAT rule description
  inactive     Disable a NAT rule
  net-to-net   Net to net mapping of IPv4 to IPv6
  service      NAT service parameters

If I try to use source static:

 nat (inside,TEF) source static inside_nat 130.130.0.19_nat destination static obj_192.168.51.0 obj_192.168.51.0 route-lookup

ERROR: Option route-lookup is only allowed for static identity case

 

Hi, did you perhaps get a solution for this problem of yours? I just ran into similar issues.

Hi Louis,

Did you try the route-lookup keyword in your NAT statement? (If there is a static NAT present for some traffic then the ASA decides the egress interface based on the NAT statement. This behaviour can be altered on a per-NAT-rule basis by using the "route-lookup" keyword in the NAT rule.)

Share the NAT rule you are trying to implement and let us know the ASA software version running on your ASA.

Thanks,

R.Seth

The ASA only allows "route-lookup" for identity NAT statements.

If you are effectively trying to NAT the traffic to ip A going out of the outside to destination B and NAT to C if going out of "Partner-link" to destination B you can't use route-lookup.

Yes, the "route-lookup" option is only available for identity NATs.

 

Is there perhaps a way to globally disable the NAT check to determine the exit interface? (In other words, globally enable route-lookup.)

 

I'm replacing an ASA5520 (8.2.5) with an ASA5516X (9.5.1). In the old config the client has static NATs that translate an internal IP to the same public IP when it exits 4 interfaces. Now when I migrate those configs I have an issue that the correct exit interface is not selected, because it uses an existing xlate entry. I want it to rather use the routing table (the old way).

If you don't need to tie the config to the destination, i.e. if it will always translate, you can use object NAT instead of "manual" NAT.

I was able to use dynamic object NAT for one of the interfaces.

One option may be to create two ranges: 1.1.1.1-10.10.9.255 and 10.10.11.0-255.255.255.255.

These two ranges exclude 10.10.10.0/24, for example. So you could create your internet NATing when the destination networks are these two ranges. Effectively you will NAT for everything except 10.10.10.0/24. So you could create two object NATs for the source, one per outgoing interface. And this kind of NAT doesn't force the traffic to the interface; it works if the routing table sends traffic out of that interface.
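The following configuration is an added example written for this thread, not a snippet posted by any participant or taken from Cisco documentation. It puts the two-range exclusion and the per-interface object NAT described in the post above into ASA 9.x syntax. The interface names (inside, outside, Link), the mapped addresses 10.0.0.17 and 10.0.0.19, and the two ranges come from earlier posts in the thread; the inside LAN 10.1.1.0/24, the object names, and the choice of 10.10.10.0/24 as the partner network reached via the SLA-tracked route are assumptions made for the illustration.

```cisco
! Added example, not from the thread. Assumed addressing:
!   inside LAN        10.1.1.0/24      (assumed)
!   partner network   10.10.10.0/24    (the network excluded by the two ranges)
!   mapped on outside 10.0.0.17, mapped on Link 10.0.0.19 (values from the question)
object network LAN
 subnet 10.1.1.0 255.255.255.0
!
! Everything except 10.10.10.0/24, built from the two ranges given in the post above
object network NOT_PARTNER_LOW
 range 1.1.1.1 10.10.9.255
object network NOT_PARTNER_HIGH
 range 10.10.11.0 255.255.255.255
object-group network NOT_PARTNER
 network-object object NOT_PARTNER_LOW
 network-object object NOT_PARTNER_HIGH
!
! Internet PAT as manual (twice) NAT. Because the destination is restricted to
! NOT_PARTNER, this rule never matches traffic to 10.10.10.0/24, so that traffic
! falls through to the object NAT rules below.
nat (inside,outside) source dynamic LAN interface destination static NOT_PARTNER NOT_PARTNER
!
! Partner traffic: one dynamic object (auto) NAT per possible egress interface.
! The ASA does not allow two nat statements under one object, so the same subnet
! is defined twice under different object names. Dynamic object NAT does not pin
! the egress interface; the route table (and therefore the SLA-tracked route)
! decides whether the packet leaves via Link or outside, and the matching
! (inside,Link) or (inside,outside) rule is then applied.
object network LAN_VIA_LINK
 subnet 10.1.1.0 255.255.255.0
 nat (inside,Link) dynamic 10.0.0.19
object network LAN_VIA_OUTSIDE
 subnet 10.1.1.0 255.255.255.0
 nat (inside,outside) dynamic 10.0.0.17
```

After applying this, `show nat` should list the manual rule in section 1 and the two object rules in section 2, and `packet-tracer input inside tcp 10.1.1.10 12345 10.10.10.5 443` can be used to confirm that the chosen egress interface follows the current route for 10.10.10.0/24 rather than the NAT rule: run it once with the Link route present and once after the SLA tracker has withdrawn it, and the NAT phase of the output should select the matching object rule each time.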
