On Cisco routers the order of routing and NAT is well known: traffic from inside to outside is routed first and then translated, while traffic from outside to inside is translated first and then routed.
On a Cisco ASA this is not the case. For most traffic coming from inside the ASA looks up the route first, but in the following two situations it consults NAT before routing to determine the egress interface:
1. A destination NAT translation applies
2. A static NAT entry already exists
With this behaviour in mind, let's look at the following two cases:
1. The ASA has no PBR function, yet it can still split traffic across two uplinks
2. On ASA 8.3 and later, after building an L2L VPN, managing the firewall through the tunnel (that is, reaching its inside interface with management-access inside)
For the first case, the topology is as follows:
ASA interface outside, IP 200.1.1.1 (Telecom); primary default route: route outside 0 0 200.1.1.2
ASA interface backup, IP 200.2.2.1 (Unicom); backup default route: route backup 0 0 200.2.2.2
ASA interface inside, IP 192.168.1.1, for intranet access
Requirement: intranet HTTP/HTTPS/DNS/FTP traffic goes out via Unicom; everything else, including VPN, goes via Telecom.
First, set up basic outbound access for the intranet:
nat (inside) 1 0 0
global (outside) 1 interface
global (backup) 1 interface
access-list outside_access_in permit icmp any any echo-reply
access-list backup_access_in permit icmp any any echo-reply
access-group outside_access_in in interface outside
access-group backup_access_in in interface backup
Next, use NAT rather than the routing table to decide which interface the intranet traffic leaves through. At this point the routing table contains only the Telecom default route; the Unicom default route has the lower priority (worse metric) and is therefore not installed in the routing table at all.
static (backup,inside) tcp 0.0.0.0 80 0.0.0.0 80
static (backup,inside) tcp 0.0.0.0 443 0.0.0.0 443
static (backup,inside) tcp 0.0.0.0 21 0.0.0.0 21
static (backup,inside) tcp 0.0.0.0 53 0.0.0.0 53
static (backup,inside) udp 0.0.0.0 53 0.0.0.0 53
These statements say that all traffic from inside to HTTP/HTTPS, port 21 and port 53 must go out through backup. This matches condition 1 above: the inside traffic does not consult the routing table; from the NAT statement alone the ASA already knows the egress interface is backup rather than the usual outside.
Note that this is not load balancing: the two links do not share bandwidth evenly. Readers who are interested can run packet-tracer to watch how such a packet is processed and confirm that the interface is indeed chosen by NAT before routing.
For the second case
As everyone knows, with two ASAs running an L2L VPN, adding management-access inside lets you Telnet or SSH across the tunnel to the remote ASA's inside interface. The same configuration does not work on 8.3 and later, because NAT takes priority over routing. A case to illustrate:
192.168.1.0----inside ASA1 outside 200.1.1.1-----ISP----200.2.2.1 outside ASA2 inside 192.168.2.1
With this topology: before 8.3, identity NAT performed a route lookup by default; from 8.3 onwards the default is to consult NAT.
When 192.168.1.0 behind ASA1 accesses 192.168.2.1, the packet arriving at ASA2 first goes through NAT, which determines the egress interface to be inside. The packet is then forwarded toward the 192.168.2.0 LAN and no reply ever comes back.
So on versions 8.3 and later, when the VPN also needs to manage the peer ASA, add the route-lookup keyword to the identity NAT so that the route is looked up first.
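As an added example (not from the original article), the 8.3+ identity NAT on ASA2 for the topology above with the route-lookup keyword applied; the object names and the /24 masks are assumptions, the interface names follow the topology.

```cisco
! ASA2, 8.3 or later. Identity NAT for the L2L VPN with route-lookup, so that
! traffic addressed to ASA2's own inside interface (192.168.2.1) is routed
! instead of being pushed toward the 192.168.2.0 LAN on the NAT match alone.
! Object names and the /24 masks are assumptions for this example.
object network LOCAL-LAN
 subnet 192.168.2.0 255.255.255.0
object network REMOTE-LAN
 subnet 192.168.1.0 255.255.255.0
!
! Twice NAT, identity on both sides. Without route-lookup the egress interface
! is taken from the NAT rule (inside) and the packet never reaches the
! interface address; route-lookup makes the ASA consult the routing table.
nat (inside,outside) source static LOCAL-LAN LOCAL-LAN destination static REMOTE-LAN REMOTE-LAN no-proxy-arp route-lookup
!
! Allow management of the inside interface across the tunnel.
management-access inside
```

The same packet-tracer check the article recommends for the first case can be used here to confirm that the NAT phase no longer fixes the egress interface.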
Kingjuniper
This article is from the "Kingjuniper" blog; please keep this source when reposting: http://kingjuniper.blog.51cto.com/10445011/1665556
How CISCO ASA chooses out interface