How CISCO ASA chooses out interface


On a Cisco router the order of routing and NAT is well known: traffic coming from inside is routed first and then translated; traffic coming from outside is translated first and then routed.

The Cisco ASA does not work this way. In most cases traffic from inside is also routed first, but in the following two cases NAT is consulted before the routing table to determine the egress interface:

    1. The packet matches a destination NAT translation

    2. A static NAT entry exists for the traffic

With this behaviour in mind, let's look at the following two cases:

    1. The CISCO ASA has no PBR feature, but it can still split traffic across two ISP links

    2. On ASA 8.3 and later, after an L2L VPN is built, managing the far-end firewall through the tunnel (that is, reaching its inside interface)

For the first case, the topology is as follows:

ASA interface outside: Telecom address; the main default route is set with route outside 0 0

ASA interface backup: Unicom address; the backup default route is set with route backup 0 0

ASA interface inside: internal network access

Requirement: internal users reach HTTP/HTTPS/DNS/FTP via Unicom; everything else, including VPN, goes via Telecom.

First configure outbound access for the internal network (pre-8.3 NAT syntax):

    nat (inside) 1 0 0
    global (outside) 1 interface
    global (backup) 1 interface
    access-list outside_access_in permit icmp any any echo-reply
    access-list backup_access_in permit icmp any any echo-reply
    access-group outside_access_in in interface outside
    access-group backup_access_in in interface backup

Next, use NAT rather than a routing decision to determine which interface the internal traffic leaves from. At this point the routing table holds only Telecom's default route; the Unicom route has a higher metric and is therefore not installed in the routing table.

    static (backup,inside) tcp 80 80
    static (backup,inside) tcp 443 443
    static (backup,inside) tcp 21 21
    static (backup,inside) tcp 53 53
    static (backup,inside) udp 53 53

These statements say that all HTTP/HTTPS/port 21/port 53 traffic from inside must leave through backup. That satisfies condition 1 above, so inside traffic does not consult the routing table at all: the static NAT statement alone determines that the egress interface is backup rather than the usual outside.

In this way the two links share the load, although not equally. Anyone interested can run packet-tracer to watch how the packet is processed and confirm that NAT is consulted first to determine the interface.

For the second case

Everyone knows that with two ASAs running an L2L VPN, adding management-access inside lets you telnet or SSH across the tunnel to the far-end ASA's inside interface. The same configuration does not work on 8.3 and later, and the reason is that NAT takes priority over routing. Take the following case as an example: ASA1 outside ---- outside ASA2 inside

In this topology, before 8.3 identity NAT followed the routing table by default, but from 8.3 on the default is to determine the interface from the NAT rule.

When ASA1 accesses ASA2, the packet arriving at ASA2 first goes through NAT, which determines the egress interface as inside; the packet is then forwarded onto the LAN and no reply ever comes back.

So on 8.3 and later, when you need to manage the peer ASA over the VPN, add the route-lookup keyword to the identity NAT rule so that the route lookup is done first.
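As an added illustration (not configuration from the original post), here is the 8.3-style identity NAT rule for the VPN traffic on ASA2 in both forms, first without and then with route-lookup; the object names LOCAL-NET and REMOTE-NET and their subnets are assumed:

```cisco
! Identity (twice) NAT for the L2L VPN traffic on ASA2. Object names and subnets are assumed.
object network LOCAL-NET
 subnet 192.168.2.0 255.255.255.0
object network REMOTE-NET
 subnet 192.168.1.0 255.255.255.0
!
! Form 1 (broken for management traffic): a packet arriving from the tunnel for
! ASA2's own inside address matches this rule in the reverse direction, and the
! rule's real interface (inside) is taken as the egress interface, so the packet
! is pushed onto the LAN instead of being delivered to the firewall itself.
nat (inside,outside) source static LOCAL-NET LOCAL-NET destination static REMOTE-NET REMOTE-NET no-proxy-arp
!
! Form 2 (fix): replace the rule above with this one. route-lookup makes the ASA
! take the egress interface from the routing table instead of the NAT rule, so a
! packet for the inside interface address is handled by the ASA and answered.
nat (inside,outside) source static LOCAL-NET LOCAL-NET destination static REMOTE-NET REMOTE-NET no-proxy-arp route-lookup
!
! Still required to reach the inside interface over the tunnel.
management-access inside
```

Only one of the two nat lines should exist on the device at a time; the pair is shown side by side to make the difference visible.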


This article is from the "Kingjuniper" blog, make sure to keep this source
