Feb 13 2012
 

I found this article on PacketPushers:

Thanks to @bobmccouch who responded multiple times to my frustrated tweeting about Cisco ASA packet forwarding weirdness today. He pointed out some crucial forwarding behavior related to 8.3.1 and higher NAT, including some changes introduced as of 8.4.2. (Follow Bob. He tweets nerdy.)

So…here’s the thing. A Cisco ASA does not always determine the egress interface of a packet based on the routing table. Instead, it’s possible that a NAT rule is overriding the routing table. What Cisco says about this is as follows, taken from their official configuration documentation for the ASA:

Determining the Egress Interface

In transparent mode, the ASA determines the egress interface for a NAT packet by using the NAT configuration; you must specify the source and destination interfaces as part of the NAT configuration.

In routed mode, the ASA determines the egress interface for a NAT packet in the following way:

  • If you specify an optional interface, then the ASA uses the NAT configuration to determine the egress interface. (8.3(1) through 8.4(1)) The only exception is for identity NAT, which always uses a route lookup, regardless of the NAT configuration. (8.4(2) and later) For identity NAT, the default behavior is to use the NAT configuration, but you have the option to always use a route lookup instead.
  • If you do not specify a specific interface, then the ASA uses a route lookup to determine the egress interface.

My scenario is a routed firewall, not transparent. So, to reword Cisco’s docs as I’m understanding them, if you’ve got a NAT rule that matches a particular packet, then the interface the translated packet will use to leave the firewall will be determined by your NAT rule destination interface (if you specified one), and NOT THE ROUTING TABLE. If you don’t like this behavior, you can use the “route-lookup” directive at the end of your NAT statement, or the comparable checkbox in ASDM “Lookup route table to locate egress interface”.

If you use identity NAT (translating a packet to itself, common with VPN firewalls), note that up through 8.4.1, the ASA would always do a route lookup to determine the egress interface. But as of 8.4.2 and higher, the ASA will not do a route lookup on identity NATs by default. Therefore, you might need to re-think your identity NAT ruleset to make sure that your NAT rules aren’t forwarding differently than what the routing table indicates, assuming that’s important to you. I’ve seen exactly this happen – traffic getting sent out the outside interface of a firewall due to a NAT rule, when intuitively the traffic should have been routing out the inside interface if the only thing weighing on the ASA’s forwarding decision was the routing table. This sort of behavior can drive someone mad until you realize that NAT has this ability to take precedence over routing depending on how the NAT rule was written.

Playing with this a bit on an ASA running 8.4.3, I found out that neither ASDM nor the CLI would let me put the “route-lookup” directive after the NAT statement unless both the source and destination interfaces were defined. If either source or destination interface was “any”, the “route-lookup” directive was simply not there.

    nat (Inside,any) source static RFC1918 RFC1918 destination static Encrypt_McMurdo-Station Encrypt_McMurdo-Station ?

    configure mode commands/options:
      description     Specify NAT rule description
      inactive        Disable a NAT rule
      no-proxy-arp    Disable proxy ARP on egress interface
      service         NAT service parameters
      unidirectional  Enable per-session NAT
      <cr>

    nat (any,Inside) source static RFC1918 RFC1918 destination static Encrypt_McMurdo-Station Encrypt_McMurdo-Station ?

    configure mode commands/options:
      description     Specify NAT rule description
      inactive        Disable a NAT rule
      no-proxy-arp    Disable proxy ARP on egress interface
      service         NAT service parameters
      unidirectional  Enable per-session NAT
      <cr>

    nat (Inside,Internet) source static RFC1918 RFC1918 destination static Encrypt_McMurdo-Station Encrypt_McMurdo-Station ?

    configure mode commands/options:
      description     Specify NAT rule description
      inactive        Disable a NAT rule
      no-proxy-arp    Disable proxy ARP on egress interface
      route-lookup    Perform route lookup for this rule
      service         NAT service parameters
      unidirectional  Enable per-session NAT
      <cr>
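
As an added example (not from the original article or from Cisco), here is a small Python audit that applies the 8.4(2)-and-later routed-mode rule described above to `nat` lines and lists identity NAT rules whose egress interface is pinned by the rule instead of the routing table. The sample config is constructed from the post's object names; `WEB_REAL` and `WEB_PUBLIC` are hypothetical objects, and only the `source static` form shown on this page is parsed.

```python
import re

# Matches the manual NAT form shown on this page:
#   nat (src_if,dst_if) source static REAL MAPPED [destination static ...] [options]
NAT_RE = re.compile(
    r"^nat \((?P<src>[^,]+),(?P<dst>[^)]+)\) source static "
    r"(?P<real>\S+) (?P<mapped>\S+)(?P<rest>.*)$"
)

def egress_decision(line):
    """Return (decided_by, interface, is_identity) for one nat line, or None.

    Models only the 8.4(2)+ routed-mode behaviour described in the post:
    a specific destination interface pins egress unless route-lookup is set.
    """
    m = NAT_RE.match(line.strip())
    if not m:
        return None  # not a nat line in the form this sketch understands
    identity = m["real"] == m["mapped"]  # translating an object to itself
    dst = m["dst"].strip()
    if dst.lower() == "any" or "route-lookup" in m["rest"].split():
        return ("route-table", None, identity)
    return ("nat-rule", dst, identity)

def audit(config):
    """List identity NAT rules whose egress is pinned by NAT, not routing."""
    findings = []
    for line in config.splitlines():
        d = egress_decision(line)
        if d and d[0] == "nat-rule" and d[2]:
            findings.append((d[1], line.strip()))
    return findings

# Constructed sample config. WEB_REAL / WEB_PUBLIC are hypothetical objects.
SAMPLE = """\
nat (Inside,any) source static RFC1918 RFC1918 destination static Encrypt_McMurdo-Station Encrypt_McMurdo-Station
nat (Inside,Internet) source static RFC1918 RFC1918 destination static Encrypt_McMurdo-Station Encrypt_McMurdo-Station
nat (Inside,Internet) source static RFC1918 RFC1918 destination static Encrypt_McMurdo-Station Encrypt_McMurdo-Station route-lookup
nat (Inside,Internet) source static WEB_REAL WEB_PUBLIC
"""

if __name__ == "__main__":
    for ifc, rule in audit(SAMPLE):
        print(f"egress pinned to {ifc} by NAT (no route-lookup): {rule}")
```

Each rule it reports is one to compare against `show route` for the same destination, since that is where NAT and the routing table can disagree.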

I am more convinced than ever that it’s a mistake to think of the ASA as a router. The device simply does not follow the packet forwarding logic of Cisco IOS. If you need a device to perform VPN termination while truly acting like an IOS router, then the answer is…an IOS router. And if you object to using an IOS box for VPN tunnel termination because you love the HA functionality of Cisco ASA firewall pairs, allow me to point out that Cisco does offer stateful failover for IPSEC on IOS. You’ve got options.