I have a doubt and I hope someone can help me to clarify it.
I have two hosts that are asymmetrically routed between them. Traffic from A to B enters firewall 1 through interface Inside, and then reaches B going out on interface Outside. Then, return traffic from host B goes back to A through firewall 1 entering on interface Outside, but due to an old static route, goes out firewall 1 on interface Old_Inside. The path taken after this is different, and there is an additional firewall in the middle.
My first thought was this is not gonna work. But surprisingly it works. I was expecting that the second firewall would see a packet from B to A without having a session established and then drop it. I set a capture there to see that, but it is not capturing anything.
My guess is that traffic from B to A is not going out firewall 1 through Old_Inside, and that actually it is going out through Inside. The reason for that would be that the firewall doesn't perform a route lookup for the returning traffic. It just forwards it based on the session that is established.
Well, it could work even going out the interface Old_Inside and passing through another firewall... it all depends on how the other firewall is configured. Check the routes in the firewall to confirm which interface the return traffic will take.
All devices perform unicast route lookup, all network devices need a next hop.
The order of operations for translations on an ASA/PIX/FWSM prior to 8.3 is:
1.) nat 0 with access-list
2.) existing xlates -> this is where you are
3.) match static commands (first match)
    - static NAT with/without access-list
    - static PAT with/without access-list
4.) match nat commands
    - nat access-list (first match)
    - nat (best match)
The xlate in this case was formed outbound and was re-used inbound, passing the traffic towards the "Inside" interface ("ignoring" the route or other static). If this was a new connection from the outside, it would use the static statement (as there are no existing xlates) and will egress the "Old_Inside".
Hope this helps! If this answers your questions, please let me know.
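To make the order of operations in the answer above concrete, here is a small Python model of steps 2 (existing xlates) and 3 (static commands, first match) on a pre-8.3 ASA. It is an added example, not Cisco code and not something posted in the thread; the "nat 0" and "nat" steps are left out, the interface names follow the question, and the addresses, the static NAT rule and the stale static route are all constructed to reproduce the topology described. It shows why the return packet egresses Inside while a brand-new inbound connection to the same host would egress Old_Inside.

```python
from ipaddress import ip_address, ip_network


class ToyAsa:
    """Minimal model of the pre-8.3 ASA/PIX NAT order of operations.

    Only 'existing xlates' (step 2) and 'static commands, first match'
    (step 3) are modelled. Constructed teaching example, not Cisco code.
    """

    def __init__(self, routes, statics):
        # routes: list of (prefix, interface); longest prefix match wins
        self.routes = [(ip_network(p), i) for p, i in routes]
        # statics: list of (real_if, mapped_if, real_ip, mapped_ip) in config order
        self.statics = statics
        # xlate table: (real_ip, mapped_ip) -> (real_if, mapped_if)
        self.xlates = {}

    def route_lookup(self, dst):
        candidates = [(n, i) for n, i in self.routes if ip_address(dst) in n]
        if not candidates:
            return None
        return max(candidates, key=lambda c: c[0].prefixlen)[1]

    def clear_xlate(self):
        self.xlates.clear()

    def forward(self, ingress, src, dst):
        """Return (egress_if, src_after_nat, dst_after_nat, reason)."""
        # Step 2: existing xlates are consulted before any static/nat command,
        # so return traffic follows the interface pair stored in the xlate and
        # the routing table is never consulted for it.
        for (real_ip, mapped_ip), (real_if, mapped_if) in self.xlates.items():
            if ingress == real_if and src == real_ip:
                return mapped_if, mapped_ip, dst, "existing xlate, outbound"
            if ingress == mapped_if and dst == mapped_ip:
                return real_if, src, real_ip, "existing xlate, inbound (route ignored)"
        # Step 3: static commands, first match. A new connection creates the
        # xlate and the egress interface comes from a route lookup.
        for real_if, mapped_if, real_ip, mapped_ip in self.statics:
            if ingress == real_if and src == real_ip:
                egress = self.route_lookup(dst)
                self.xlates[(real_ip, mapped_ip)] = (real_if, egress)
                return egress, mapped_ip, dst, "static match, new outbound xlate"
            if ingress == mapped_if and dst == mapped_ip:
                egress = self.route_lookup(real_ip)
                self.xlates[(real_ip, mapped_ip)] = (egress, mapped_if)
                return egress, src, real_ip, "static match, new inbound, route lookup"
        return self.route_lookup(dst), src, dst, "no translation, route lookup"


def scenario():
    """Replay the thread's topology with constructed RFC 5737 / RFC 1918 addresses."""
    fw1 = ToyAsa(
        routes=[
            ("0.0.0.0/0", "Outside"),
            ("10.1.1.0/24", "Old_Inside"),  # the stale static route from the question
        ],
        statics=[("Inside", "Outside", "10.1.1.10", "198.51.100.10")],
    )
    a_real, a_mapped, b = "10.1.1.10", "198.51.100.10", "203.0.113.50"
    out = fw1.forward("Inside", a_real, b)       # A -> B builds the xlate, egress Outside
    back = fw1.forward("Outside", b, a_mapped)   # B -> A reuses it, egress Inside
    fw1.clear_xlate()
    fresh = fw1.forward("Outside", b, a_mapped)  # no xlate: static + route -> Old_Inside
    return out, back, fresh


if __name__ == "__main__":
    for label, result in zip(("A->B", "B->A reply", "B->A new"), scenario()):
        print(f"{label:11} egress={result[0]:10} src={result[1]} dst={result[2]}  [{result[3]}]")
```

The third call is the case the answer describes for a new inbound connection: with the xlate table cleared, the same packet that previously egressed Inside now matches the static, gets a route lookup, and leaves via Old_Inside. A `clear xlate` on the real firewall is the equivalent experiment, which is why the capture on the second firewall only shows traffic once the outbound-built xlate is gone.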