Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Asymetric routing


I have a doubt and I hope someone can help me to clarify it.

I have two hosts that are asymmetically routed between them. Traffic from A to B enters firewall 1 through interface Inside, and then reaches B going out on interface Outside. Then, return traffic from host B goes back to A through firewall 1 entering on interface Outside, but due to an old static route, goes out firewall 1 on interface Old_Inside. The path taken after this is different, and there is an additional firewall in the middle.

My first thought was this is not gonna work. But surprisingly it works. I was expecting that the second firewall will see a packet from B to A without having a session established and then it would drop it. I set a capture there to see that, but it is not capturing anything.

My guess is that traffic from B to A is not going out firewall 1 through Old_Inside, and that actually it is going out through Inside. The reason for that would be that the firewall doesn't perform a route lookup for the returning traffic. It just forward it based on the session that is established.

Is this correct?




Re: Asymetric routing

Well it could work even going out the interface Old_Inside, and passing thru another firewall....all depends on how the other firewall is configured.  check the routes in the firewall to confirm which interface the return traffic will take.

All devices perform unicast route lookup, all network devices need a next hop.


Cisco Employee

Re: Asymetric routing


The order of operations for translations on an ASA/PIX/FWSM prior to 8.3 is:

1.) nat 0 with access-list

2.) existing xlates -> this is where you are

3.) match static commands (first match)

  static NAT with/without access-list

  static PAT with/without access-list

4.) match nat commands

  nat access-list (first match)


(best match)

The xlate in this case was formed outbound and was re-used inbound - passing the traffic towards the "Inside" interface ("ignoring" the route or other static).  If this was an new connection from the outside, it would use the static statement (as there are no existing xlates) and will egress the "Old_Inside".

Hope this helps!  If this answers your questions, please let me know.

Best Regards,