How can you prevent NAT rules from sending traffic to incorrect interfaces?

A. Assign the output interface in the NAT statement
B. Add the no-proxy-arp command to the nat line
C. Configure twice NAT instead of object NAT
D. Use packet-tracer rules to reroute misrouted NAT entries


5 thoughts on “How can you prevent NAT rules from sending traffic to incorrect interfaces?”

  1. A is the answer

    Determining the Egress Interface
    When the ASA receives traffic for a mapped address, the ASA untranslates the destination address according to the NAT rule, and then it sends the packet on to the real address. The ASA determines the egress interface for the packet in the following ways:

    Transparent mode—The ASA determines the egress interface for the real address by using the NAT rule; you must specify the source and destination interfaces as part of the NAT rule.
    Routed mode—The ASA determines the egress interface in one of the following ways:
    – You configure the interface in the NAT rule—The ASA uses the NAT rule to determine the egress interface. However, you have the option to always use a route lookup instead. In certain scenarios, a route lookup override is required; for example, see the “NAT and VPN Management Access” section.

    – You do not configure the interface in the NAT rule—The ASA uses a route lookup to determine the egress interface.

    Reference: https://www.cisco.com/c/en/us/td/docs/security/asa/asa90/configuration/guide/asa_90_cli_config/nat_overview.html#31003

  2. I think that answer B is correct:
    —–
    The ASA proxy ARPs for the global IP address range in a NAT statement on the global interface. This Proxy ARP functionality can be disabled on a per-NAT rule basis if you add the no-proxy-arp keyword to the NAT statement.

    This problem is also seen when the global address subnet is inadvertently created to be much larger than it was intended to be.

    Solution:

    Add the no-proxy-arp keyword to the NAT line if possible.

    Example:

    ASA(config)# object network inside-server
    ASA(config-network-object)# nat (inside,outside) static 172.18.22.1 no-proxy-arp
    ASA(config-network-object)# end
    ASA#
    ASA# show run nat
    object network inside-server
    nat (inside,outside) static 172.18.22.1 no-proxy-arp
    ASA#
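The two comments above describe two separate NAT behaviours: the egress interface is taken from the NAT rule only when both interfaces are configured and the rule does not carry route-lookup (answer A), and the ASA proxy-ARPs for mapped addresses on the mapped interface unless no-proxy-arp is set (answer B). The following script is an added example, not code from the page, Cisco, or any commenter: it parses a constructed sample of `show run nat` output, records for each rule how the egress interface will be selected and whether proxy ARP stays enabled, and prints audit findings. The object names, addresses and interface names in the sample are made up; the treatment of interface PAT as exempt from the proxy-ARP finding is an assumption of the script.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample of `show run nat` output (hypothetical objects and addresses,
# not taken from the page or from any real device).
SAMPLE_SHOW_RUN_NAT = """\
object network inside-server
 nat (inside,outside) static 172.18.22.1 no-proxy-arp
object network web-dmz
 nat (any,outside) static 198.51.100.10
object network inside-net
 nat (inside,outside) dynamic interface
nat (inside,outside) source static lan-hosts lan-hosts destination static vpn-pool vpn-pool route-lookup
nat (any,any) source static dmz-hosts dmz-hosts
"""

# Matches both object NAT (indented under `object network`) and twice NAT (top level).
NAT_LINE = re.compile(r"^nat\s+\((?P<real>[^,]+),(?P<mapped>[^)]+)\)\s+(?P<rest>.*)$")


@dataclass
class NatRule:
    owner: str          # network object name for object NAT, "twice-nat" otherwise
    real_ifc: str
    mapped_ifc: str
    kind: str           # "object" or "twice"
    no_proxy_arp: bool
    route_lookup: bool
    interface_pat: bool  # mapped address is the interface's own address
    line: str

    def egress_selection(self) -> str:
        """How the ASA picks the egress interface for this rule (routed mode).

        An explicit interface pair pins the egress interface; the route-lookup
        keyword or an 'any' interface forces a route lookup instead.
        """
        if self.route_lookup:
            return "route-lookup (route-lookup keyword)"
        if "any" in (self.real_ifc, self.mapped_ifc):
            return "route-lookup (interface not configured)"
        return "nat-rule"


def parse_nat_rules(show_run_nat: str) -> list[NatRule]:
    """Parse `show run nat` text into NatRule records."""
    rules: list[NatRule] = []
    current_object = "twice-nat"
    for raw in show_run_nat.splitlines():
        line = raw.strip()
        if line.startswith("object network "):
            current_object = line.split()[2]
            continue
        m = NAT_LINE.match(line)
        if not m:
            continue
        tokens = m.group("rest").split()
        kind = "twice" if tokens and tokens[0] == "source" else "object"
        rules.append(NatRule(
            owner=current_object if kind == "object" else "twice-nat",
            real_ifc=m.group("real").strip(),
            mapped_ifc=m.group("mapped").strip(),
            kind=kind,
            no_proxy_arp="no-proxy-arp" in tokens,
            route_lookup="route-lookup" in tokens,
            interface_pat="interface" in tokens,
            line=line,
        ))
    return rules


def audit(rules: list[NatRule]) -> list[str]:
    """Report rules whose egress is not pinned and rules that still proxy-ARP."""
    findings = []
    for r in rules:
        label = f"{r.kind} NAT [{r.owner}] ({r.real_ifc},{r.mapped_ifc})"
        egress = r.egress_selection()
        if egress != "nat-rule":
            findings.append(f"{label}: egress interface chosen by route lookup: {egress}")
        # Assumption: interface PAT uses the interface's own address, so the
        # proxy-ARP concern from the second comment does not apply to it.
        if not r.no_proxy_arp and not r.interface_pat:
            findings.append(f"{label}: ASA will proxy-ARP for the mapped address on {r.mapped_ifc}")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_nat_rules(SAMPLE_SHOW_RUN_NAT)):
        print(finding)
```

Run it against real output by replacing the sample string with the text of `show run nat` from the device; a rule that shows up under "route lookup" relies on the routing table to choose the egress interface, which is the situation answer A avoids by naming the interfaces in the NAT statement.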
