The following topics describe how routing behaves within the FTD device. Routing is the act of moving information across a network from a source to a destination. Along the way, at least one intermediate node is typically encountered. Routing involves two basic activities: determining optimal routing paths and transporting packets through a network.
How NAT Affects Route Selection
FTD uses both the routing table and the Network Address Translation (NAT) XLATE (translation) table for routing decisions. To handle destination-IP-translated traffic, that is, traffic whose destination address still has to be untranslated, the system searches for an existing XLATE or a static translation to select the egress interface.
The selection process follows these steps:
If a destination IP translating XLATE already exists, the egress interface for the packet is determined from the XLATE table, not from the routing table.
If a destination IP translating XLATE does not exist, but a matching static NAT translation exists, then the egress interface is determined from the static NAT rule and an XLATE is created, and the routing table is not used.
If a destination IP translating XLATE does not exist and no matching static translation exists, the packet is not destination IP translated. The system processes this packet by looking up the route to select the egress interface, then source IP translation is performed (if necessary).
For regular dynamic outbound NAT, initial outgoing packets are routed using the route table and then the XLATE is created. Incoming return packets are forwarded using the existing XLATE only. For static NAT, destination translated incoming packets are always forwarded using an existing XLATE or static translation rules.
After selecting the egress interface, an additional route lookup is performed to find a suitable next hop that belongs to the selected egress interface. If there are no routes in the routing table that explicitly belong to the selected interface, the packet is dropped and a level 6 diagnostic syslog message 110001 (no route to host) is generated, even if there is another route for the destination network that belongs to a different egress interface. If a route that belongs to the selected egress interface is found, the packet is forwarded to the corresponding next hop.
The Routing Table and Route Selection
When NAT XLATEs and rules do not determine the egress interface, the system uses the routing table to determine the path for a packet.
Routes in the routing table include a metric called "administrative distance" that gives a route a relative priority. If a packet matches more than one route entry with the same prefix length, the one with the lowest distance is used. Directly connected networks (those defined on an interface) have a distance of 0, so they are always preferred. Static routes have a default distance of 1, but you can create them with any distance between 1 and 254.
Routes that identify a specific destination take precedence over the default route (the route whose destination is 0.0.0.0/0).
How Forwarding Decisions Are Made
Forwarding decisions are made as follows:
If the destination does not match an entry in the routing table, the packet is forwarded through the interface specified for the default route. If a default route has not been configured, the packet is discarded.
If the destination matches a single entry in the routing table, the packet is forwarded through the interface associated with that route.
If the destination matches more than one entry in the routing table, the packet is forwarded out of the interface associated with the route that has the longest network prefix length.
For example, a packet destined for 192.168.32.1 arrives on an interface with the following routes in the routing table:
192.168.32.0/24 gateway 10.1.1.2
192.168.32.0/19 gateway 10.1.1.3
In this case, a packet destined to 192.168.32.1 is directed toward 10.1.1.2, because 192.168.32.1 falls within the 192.168.32.0/24 network. It also falls within the other route in the routing table, but 192.168.32.0/24 has the longest prefix within the routing table (24 bits versus 19 bits). Longer prefixes are always preferred over shorter ones when forwarding a packet.
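The forwarding decision above, together with the interface-restricted second lookup described for NAT-selected egress interfaces, as an added Python model that is not Cisco's code or the FTD implementation. The routing table is constructed for illustration: it carries the two routes from the example on assumed interface names ("outside" and "dmz"), plus a connected route and a default route.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    gateway: str
    interface: str
    distance: int = 1  # administrative distance: connected 0, static default 1

def _best(candidates: List[Route]) -> Optional[Route]:
    # Longest prefix wins; among equal prefixes, the lowest administrative distance wins.
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.prefix.prefixlen, r.distance))

def select_route(table: List[Route], dst: str) -> Optional[Route]:
    """Forwarding decision from the routing table alone (no XLATE involved).
    Returns None when nothing matches and no default route exists: packet discarded."""
    addr = ipaddress.ip_address(dst)
    return _best([r for r in table if addr in r.prefix])

def next_hop_on_interface(table: List[Route], dst: str, egress: str) -> Optional[str]:
    """Second lookup after NAT has already chosen the egress interface: only routes on
    that interface count. None models the level 6 syslog 110001 drop (no route to host)."""
    addr = ipaddress.ip_address(dst)
    best = _best([r for r in table if r.interface == egress and addr in r.prefix])
    return best.gateway if best else None

# Constructed table (interface names are assumed, not from the page).
TABLE = [
    Route(ipaddress.ip_network("192.168.32.0/24"), "10.1.1.2", "outside"),
    Route(ipaddress.ip_network("192.168.32.0/19"), "10.1.1.3", "dmz"),
    Route(ipaddress.ip_network("10.1.1.0/24"), "0.0.0.0", "outside", distance=0),  # connected
    Route(ipaddress.ip_network("0.0.0.0/0"), "10.1.1.1", "outside"),              # default
]

if __name__ == "__main__":
    r = select_route(TABLE, "192.168.32.1")
    print(f"192.168.32.1 -> {r.interface} via {r.gateway}")        # outside via 10.1.1.2
    print(next_hop_on_interface(TABLE, "192.168.32.1", "dmz"))      # 10.1.1.3
    print(next_hop_on_interface(TABLE, "192.168.32.1", "inside"))   # None: dropped (110001)
```

The last call shows the drop case: a route for 192.168.32.0/24 exists on another interface, but none on the NAT-selected one, so the packet is discarded.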
Existing connections continue to use their established interfaces even if a new similar connection would result in different behavior due to a change in routes.