Cisco ASA 5505 Configuration Manual page 356

How Routing Behaves Within the Adaptive Security Appliance
algorithms send small updates everywhere, while distance vector algorithms send larger updates only to
neighboring routers. Distance vector algorithms know only about their neighbors. Typically, this type of
algorithm is used in conjunction with OSPF routing protocols.
How Routing Behaves Within the Adaptive Security Appliance
The adaptive security appliance uses both the routing table and the XLATE table for routing decisions. To
handle destination IP translated traffic, that is, untranslated traffic, the adaptive security appliance
searches for an existing XLATE or static translation to select the egress interface.
Egress Interface Selection Process
The selection process is as follows:
1. If a destination IP translating XLATE already exists, the egress interface for the packet is determined
from the XLATE table, not from the routing table.
2. If a destination IP translating XLATE does not exist but a matching static translation exists, the
egress interface is determined from the static route and an XLATE is created; the routing table is
not used.
3. If neither a destination IP translating XLATE nor a matching static translation exists, the packet is
not destination IP translated. The adaptive security appliance processes this packet by looking up
the route to select the egress interface, then performs source IP translation (if necessary).
For regular dynamic outbound NAT, initial outgoing packets are routed using the route table and the
XLATE is then created. Incoming return packets are forwarded using the existing XLATE only. For
static NAT, destination translated incoming packets are always forwarded using the existing XLATE or
static translation rules.
Next Hop Selection Process
After the egress interface has been selected using any of the methods described above, an additional
route lookup is performed to find suitable next hop(s) that belong to the selected egress interface. If
there are no routes in the routing table that explicitly belong to the selected interface, the packet is
dropped with the level 6 error message 110001 (no route to host), even if there is another route for the
given destination network that belongs to a different egress interface. If a route that belongs to the
selected egress interface is found, the packet is forwarded to the corresponding next hop.
Load sharing on the adaptive security appliance is possible only among multiple next hops reachable
through a single egress interface. Load sharing cannot spread traffic across multiple egress interfaces.
If dynamic routing is in use on the adaptive security appliance and the route table changes after XLATE
creation (for example, because of a route flap), destination translated traffic is still forwarded using the
old XLATE, not the route table, until the XLATE times out. It may be forwarded to the wrong interface
or dropped with message 110001 (no route to host) if the old route was removed from the old interface
and attached to another one by the routing process.
The same problem may occur when there are no route flaps on the adaptive security appliance itself, but
some routing process around it is flapping and sends source translated packets that belong to the same
flow through the adaptive security appliance using different interfaces. Destination translated return
packets may then be forwarded back using the wrong egress interface.
Cisco ASA 5500 Series Configuration Guide using ASDM
18-4
Chapter 18
Information About Routing
OL-20339-01
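The three-step egress interface selection and the interface-restricted next-hop lookup described above, as an added Python model that is not part of the guide and not ASA code; it also reproduces the 110001 drop that follows a route change while a stale XLATE still exists. The routing table, static NAT entry, interface names and addresses are constructed sample data, not values from the guide.

```python
from ipaddress import ip_address, ip_network

# Constructed sample state, not taken from the guide. A route is
# (prefix, egress interface, next hop); a static NAT entry maps a mapped
# IP to (interface of the real host, real IP); the XLATE table records the
# same pair for translations that already exist.
ROUTES = [
    ("0.0.0.0/0", "outside", "203.0.113.1"),
    ("10.1.0.0/16", "inside", "192.168.1.254"),
    ("10.1.0.0/16", "inside", "192.168.1.253"),  # second next hop, same interface
    ("10.2.0.0/16", "dmz", "192.168.2.254"),
]
STATIC_NAT = {"198.51.100.10": ("inside", "10.1.0.10")}
NO_ROUTE_TO_HOST = "110001"  # level 6 "no route to host" message from the guide


def longest_match(ip, routes, iface=None):
    """Longest-prefix match, optionally restricted to routes on one interface."""
    addr = ip_address(ip)
    cands = [r for r in routes if addr in ip_network(r[0]) and iface in (None, r[1])]
    return max(cands, key=lambda r: ip_network(r[0]).prefixlen, default=None)


def select_egress(dst, xlate, static_nat, routes):
    """Steps 1-3 of egress interface selection: returns (interface, real IP)."""
    if dst in xlate:                       # 1. an existing destination XLATE wins
        return xlate[dst]
    if dst in static_nat:                  # 2. static translation: create the XLATE
        xlate[dst] = static_nat[dst]
        return xlate[dst]
    route = longest_match(dst, routes)     # 3. not destination translated: route lookup
    return (route[1], dst) if route else (None, dst)


def forward(dst, xlate, static_nat, routes):
    """Egress selection, then the next-hop lookup restricted to that interface."""
    egress, real_ip = select_egress(dst, xlate, static_nat, routes)
    if egress is None:
        return (NO_ROUTE_TO_HOST, None)
    best = longest_match(real_ip, routes, egress)
    if best is None:
        # A route for the destination on some other interface does not help:
        # the packet is dropped with 110001 (no route to host).
        return (NO_ROUTE_TO_HOST, egress)
    hops = sorted(r[2] for r in routes if r[1] == egress and r[0] == best[0])
    return (egress, hops)                  # several hops on one interface: load sharing
```

Calling `forward` repeatedly with the same `xlate` dictionary mimics an XLATE that outlives a route change; passing a fresh dictionary models a flow whose XLATE has already timed out.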
