firewall command to allow non rfc1918 inside

Unanswered Question
Jun 13th, 2008

Hi all, we had an issue where we had two 100.1.x.x and 100.4.x.x addresses on our LAN that were trying to talk through the firewall, but it was not working; the engineer had to issue a command

norandomseq nailed for those IPs. What exactly does this do?

jamesl0112 Fri, 06/13/2008 - 02:03

They are optional parameters for a NAT rule.


norandomseq - Disables TCP ISN randomization protection. Normally a firewall would randomise the ISN of the TCP SYN passing in both the inbound and outbound directions.


nailed - Allows TCP sessions for asymmetrically routed traffic. This option allows inbound traffic to traverse the security appliance without a corresponding outbound connection to establish the state.

carl_townshend Fri, 06/13/2008 - 02:37

why would we use this, would we not just create a rule allowing the source in from the outside ?

jamesl0112 Fri, 06/13/2008 - 07:00

Well - you need both, a NAT rule to specify which addresses get translated between interfaces, and an access-list rule to allow traffic through.


There will be several reasons why you might need to use these additional options, but without understanding the network and so on it would be hard to say.


If you fancy reading about NAT rule syntax one example Cisco page is here:


http://www.cisco.com/en/US/docs/security/asa/asa71/command/reference/s8_711.html#wp1112330
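As an added illustration of the two pieces that answer describes (this is not from the thread or from Cisco's documentation), here is how the NAT rule and the access rule fit together in ASA 7.x syntax. The interface names, the access-list name, the TCP port and the /16 masks are assumptions; the 100.1.x.x and 100.4.x.x ranges are the ones from the question, modelled here as identity (no-translation) statics, which is also an assumption about the original setup.

```text
! Added example, not from the thread. Interface names, ACL name, port and masks are assumed.
! Identity statics: the 100.1.x.x and 100.4.x.x hosts keep their real addresses across the firewall.
! Plain form - ISN randomization and TCP state checking stay enabled:
static (inside,outside) 100.1.0.0 100.1.0.0 netmask 255.255.0.0
static (inside,outside) 100.4.0.0 100.4.0.0 netmask 255.255.0.0
!
! Form from the question - both protections switched off for these addresses only:
!   norandomseq : the appliance passes the host's own TCP ISN through unchanged
!   nailed      : a TCP segment arriving on outside is accepted even if the appliance
!                 never saw the matching SYN leave inside (asymmetric routing)
static (inside,outside) 100.1.0.0 100.1.0.0 netmask 255.255.0.0 norandomseq nailed
static (inside,outside) 100.4.0.0 100.4.0.0 netmask 255.255.0.0 norandomseq nailed
!
! The static only defines the translation; traffic from outside still needs an access rule:
access-list outside_in extended permit tcp any 100.1.0.0 255.255.0.0 eq 443
access-list outside_in extended permit tcp any 100.4.0.0 255.255.0.0 eq 443
access-group outside_in in interface outside
!
! Check what was applied and whether connections are actually being built:
show running-config static
show conn address 100.1.0.0 netmask 255.255.0.0
```

Keeping the two options scoped to the exact static that needs them matters: norandomseq removes the ISN-prediction protection and nailed removes the requirement that the appliance has seen the session's SYN, so applying them to a broader range than the asymmetrically routed hosts weakens the firewall for every address in that range. If the asymmetric routing can be corrected instead, the plain form of the static is the one to keep.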
