Cisco ASA Series Cli Configuration Manual page 768

NAT for VPN
Determining the Egress Interface
When the ASA receives traffic for a mapped address, the ASA unstranslates the destination address
according to the NAT rule, and then it sends the packet on to the real address. The ASA determines the
egress interface for the packet in the following ways:
•
•
Figure 1-16
lookup is equivalent to the NAT rule interface, but in some configurations, the two methods might differ.
Figure 1-16
Send packet out Inside interface.
NAT for VPN
•
•
•
•
Cisco ASA Series CLI Configuration Guide
1-22
Transparent mode—The ASA determines the egress interface for the real address by using the NAT
rule; you must specify the source and destination interfaces as part of the NAT rule.
Routed mode—The ASA determines the egress interface in one of the following ways:
–
You configure the interface in the NAT rule—The ASA uses the NAT rule to determine the
egress interface. However, you have the option to always use a route lookup instead. In certain
scenarios, a route lookup override is required; for example, see the
Access" section on page
–
You do not configure the interface in the NAT rule—The ASA uses a route lookup to determine
the egress interface.
shows the egress interface selection method in routed mode. In almost all cases, a route
Routed Mode Egress Interface Selection
Real: 10.1.1.78
Mapped: 209.165.201.08
Inside
No
NAT rule specifies route lookup?
NAT and Remote Access VPN, page 1-23
NAT and Site-to-Site VPN, page 1-24
NAT and VPN Management Access, page 1-26
Troubleshooting NAT and VPN, page 1-28
1-26.
Eng
Dest. 209.165.201.08
Outside
to
209.165.201.08
Untranslation
Where to send 10.1.1.78?
NAT rule specifies interface?
Yes
Look up 10.1.1.78 in routing table.
Yes
Chapter 1 Information About NAT
"NAT and VPN Management
Packet
10.1.1.78
No