Cisco ASA - Traffic Sent Out Incorrect Interface Due to NAT
Let's consider the following scenario. We have a firewall with 3 interfaces: Outside, Inside and DMZ. When traffic is sent to the DMZ segment, the NAT rule below is matched. This results in traffic being sent out of the outside interface, rather than out of the DMZ interface. Surely this can't be right!

```
object-group network obj-insideips
 network-object host 10.1.1.45
 network-object host 10.1.1.46
object network OBJ-188.8.131.52
 host 184.108.40.206
object-group network obj-any
 network-object 0.0.0.0 0.0.0.0
nat (inside,outside) after-auto source static obj-insideips OBJ-220.127.116.11 destination static obj-any obj-any no-proxy-arp
```
The Cisco ASA deals with identity NAT (i.e. a NAT configuration in which an IP address is translated to itself) in the following way:
- 8.3(1) through 8.4(1) - The routing table is always used to determine the egress interface.
- 8.4(2) and later - The NAT configuration determines the egress interface, using the NAT divert feature. With NAT divert, if an inbound packet's destination address matches the destination defined in a NAT rule, the packet is sent out of the interface defined within that NAT rule and the routing table is bypassed.
So, in our example, because the destination was defined as any, NAT divert was triggered and the routing table was bypassed.
How about non-identity NAT?
If an inbound packet matches a NAT statement's destination address:
- if the destination interface IS defined within the NAT rule, then it is used as the egress interface (again, this is down to the NAT divert feature). To override this behaviour, the keyword route-lookup can be appended to your NAT rule.
- if the destination interface is NOT defined within the NAT rule, then the ROUTING TABLE determines the egress interface.
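To make the decision logic above concrete, here is an added example (not from the original article, and not Cisco code) that models how the ASA picks the egress interface for a flow: routing table only before 8.4(2), NAT divert from 8.4(2) onwards unless the rule names no destination interface or carries `route-lookup`. The NAT line parsed is the article's rule with the mapped object swapped for the real one (identity NAT, so the mapped name does not affect the decision); the DMZ host `10.2.2.10`, the `obj-dmz-servers` object, the test address `198.51.100.7` and the routing table are constructed sample values.

```python
"""Model of Cisco ASA egress-interface selection for NAT-matched flows (NAT divert).

Added example: the ASA CLI syntax parsed here follows the article's NAT line; all
hosts, prefixes and the routing table are constructed sample values.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed stand-ins for the article's object / object-group definitions.
OBJECTS = {
    "obj-insideips": ["10.1.1.45/32", "10.1.1.46/32"],  # hosts from the article
    "obj-any": ["0.0.0.0/0"],
    "obj-dmz-servers": ["10.2.2.0/24"],  # constructed DMZ subnet
}

# Constructed routing table: (prefix, egress interface); longest prefix wins.
ROUTES = [
    ("0.0.0.0/0", "outside"),
    ("10.1.1.0/24", "inside"),
    ("10.2.2.0/24", "dmz"),
]

# Twice-NAT syntax: nat (src_if,dst_if) [after-auto] source static|dynamic REAL MAPPED
#                   [destination static REAL MAPPED] [options...]
NAT_RE = re.compile(
    r"^nat \((?P<sif>[^,]+),(?P<dif>[^)]+)\)"
    r"(?: after-auto)? source (?:static|dynamic) (?P<sreal>\S+) \S+"
    r"(?: destination static (?P<dreal>\S+) \S+)?"
    r"(?P<opts>(?: \S+)*)$"
)


@dataclass
class NatRule:
    src_if: str
    dst_if: str            # "any" means no destination interface was defined
    src_real: list         # real (pre-translation) source networks
    dst_real: list         # real destination networks
    route_lookup: bool     # the route-lookup keyword was present


def _nets(name, objects):
    return [ipaddress.ip_network(n) for n in objects[name]]


def parse_nat_rule(line, objects=OBJECTS):
    """Parse one ASA twice-NAT line into a NatRule using the given object table."""
    m = NAT_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported NAT syntax: {line!r}")
    dst_name = m.group("dreal")
    return NatRule(
        src_if=m.group("sif"),
        dst_if=m.group("dif"),
        src_real=_nets(m.group("sreal"), objects),
        # No destination clause means the rule applies to any destination.
        dst_real=_nets(dst_name, objects) if dst_name else [ipaddress.ip_network("0.0.0.0/0")],
        route_lookup="route-lookup" in m.group("opts").split(),
    )


def parse_version(v):
    """'8.4(2)' -> (8, 4, 2) so releases compare as tuples."""
    m = re.fullmatch(r"(\d+)\.(\d+)\((\d+)\)", v)
    if not m:
        raise ValueError(f"unrecognised ASA version: {v!r}")
    return tuple(int(x) for x in m.groups())


def route_lookup(dst, routes=ROUTES):
    """Longest-prefix match against the routing table."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1]


def rule_matches(rule, ingress, src, dst):
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return (rule.src_if in ("any", ingress)
            and any(s in n for n in rule.src_real)
            and any(d in n for n in rule.dst_real))


def egress_interface(version, rule, ingress, src, dst, routes=ROUTES):
    """Return the interface the ASA would send the packet out of."""
    if parse_version(version) < (8, 4, 2):
        # 8.3(1) through 8.4(1): the routing table always decides.
        return route_lookup(dst, routes)
    if rule_matches(rule, ingress, src, dst) and rule.dst_if != "any" and not rule.route_lookup:
        # NAT divert: the interface named in the rule wins; routing table bypassed.
        return rule.dst_if
    return route_lookup(dst, routes)


ARTICLE_RULE = ("nat (inside,outside) after-auto source static obj-insideips obj-insideips "
                "destination static obj-any obj-any no-proxy-arp")
FIXED_RULE = ARTICLE_RULE + " route-lookup"

if __name__ == "__main__":
    for ver in ("8.4(1)", "8.4(2)"):
        for label, line in (("as configured", ARTICLE_RULE), ("with route-lookup", FIXED_RULE)):
            out = egress_interface(ver, parse_nat_rule(line), "inside", "10.1.1.45", "10.2.2.10")
            print(f"{ver} {label:18} 10.1.1.45 -> 10.2.2.10 egresses via {out}")
```

Running it shows the article's symptom directly: the same packet to the DMZ host leaves via `dmz` on 8.4(1), via `outside` on 8.4(2) with the rule as written, and via `dmz` again once `route-lookup` is appended. Traffic whose source is not in `obj-insideips` never matches the rule and follows the routing table on every release, which is a quick way to confirm that a misrouted flow really is NAT-driven.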