ASA static and NAT configuration.

Unanswered Question
Sep 5th, 2010

Hi,

Static and NAT configuration for ASA Version 7.2(4)33.

static (outside,inside) 10.100.0.0   10.100.0.0    netmask 255.255.0.0

Packets generated from the inside zone whose source IP is any and whose destination IP is in the range 10.100.0.0/16 will exit the "outside" interface without changing its destination IP address or the source IP address. Packets will cross the firewall as is.

This is the same as: packets from the outside zone with a source IP in the range 10.100.0.0/16 and any destination IP address will exit the inside interface without changing any source or destination IP address.

Corresponding permit access-lists are configured on outside and inside interfaces.

In the next step the following configuration is done.

global (inside) 1 interface
nat (outside) 1 access-list abcd_nat outside
access-list abcd_nat extended permit ip 10.100.0.0 255.255.0.0  host 10.1.1.1

This is PAT for one particular IP in the inside zone.

These two configurations kind of conflict with each other. The first lets packets cross without any change and the second changes the IP only for a particular host. Which one will work, or may it cause some error?

"Duplicate TCP SYN from outside: ****** inside: ********* with different initial sequence number". Is this error generated from such configuration?

The explanation of such an error on cisco.com is something different, but it may be related.

Please share the experience thanks in advance.

Thanks

SubodhBapat

Nagaraja Thanthry Sun, 09/05/2010 - 09:46

Hello,

Static NAT takes preference over dynamic NAT. So, the static statement will be in effect and the dynamic NAT statement will be ignored. The error message you are getting is not related to the NAT configuration. It is related to packets getting retransmitted by the external client. Would it be possible that the external client is using a proxy server to access the inside host? Sometimes, the proxy devices generate multiple SYNs with different sequence numbers.

Regards,

NT
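The precedence the answer describes can be checked with a small model of how a pre-8.3 ASA picks a translation rule for a new connection: exemption (`nat 0 access-list`) first, then `static`, then policy dynamic NAT (`nat ... access-list`), then regular dynamic NAT. The script below is an added illustration, not Cisco code and not from either poster; it encodes the two rules from the question and assumes a constructed inside interface address of 10.1.1.254 for `global (inside) 1 interface`. It shows that both rules match a packet from 10.100.0.0/16 to 10.1.1.1 arriving on `outside`, that the static identity rule wins so the source is left unchanged, and that the PAT only takes effect once the static line is gone.

```python
"""Toy model of pre-8.3 ASA NAT rule precedence (illustration, not Cisco code)."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

# Evaluation order for a new connection on ASA 7.x / 8.0-8.2:
# NAT exemption, then static, then policy dynamic, then regular dynamic NAT.
PRECEDENCE = {"nat0": 0, "static": 1, "policy-dynamic": 2, "dynamic": 3}


@dataclass(frozen=True)
class Packet:
    ingress: str   # interface the first packet of the connection arrives on
    src: str
    dst: str


@dataclass(frozen=True)
class Rule:
    kind: str                 # key of PRECEDENCE
    real_if: str              # interface where the real (untranslated) host lives
    real_net: IPv4Network     # real source addresses the rule covers
    mapped: str               # mapped prefix (static) or single address (PAT)
    dst_net: Optional[IPv4Network] = None   # policy condition (ACL destination)
    line: str = ""            # the configuration line this rule models

    def matches(self, pkt: Packet) -> bool:
        if pkt.ingress != self.real_if:
            return False
        if ip_address(pkt.src) not in self.real_net:
            return False
        return self.dst_net is None or ip_address(pkt.dst) in self.dst_net

    def translate(self, src: str) -> str:
        mapped = ip_network(self.mapped)
        if mapped.prefixlen == 32:   # dynamic PAT: all sources share one address
            return str(mapped.network_address)
        # static network mapping: keep the host offset inside the prefix
        offset = int(ip_address(src)) - int(self.real_net.network_address)
        return str(mapped.network_address + offset)


def matching_rules(pkt: Packet, rules: List[Rule]) -> List[str]:
    """Every rule whose match condition covers the packet (shows the 'conflict')."""
    return [r.line for r in rules if r.matches(pkt)]


def pick_rule(pkt: Packet, rules: List[Rule]) -> Optional[Rule]:
    """First matching rule in ASA precedence order, or None."""
    for rule in sorted(rules, key=lambda r: PRECEDENCE[r.kind]):
        if rule.matches(pkt):
            return rule
    return None


def xlate(pkt: Packet, rules: List[Rule]) -> Tuple[Optional[str], str]:
    """(winning config line or None, translated source address)."""
    rule = pick_rule(pkt, rules)
    if rule is None:
        return None, pkt.src   # no rule: source passes untranslated
    return rule.line, rule.translate(pkt.src)


# Constructed placeholder: the inside interface address used by 'global (inside) 1 interface'
INSIDE_IF_ADDR = "10.1.1.254"

# The two rules from the question, in the order they were configured.
RULES = [
    Rule("static", "outside", ip_network("10.100.0.0/16"), "10.100.0.0/16",
         line="static (outside,inside) 10.100.0.0 10.100.0.0 netmask 255.255.0.0"),
    Rule("policy-dynamic", "outside", ip_network("10.100.0.0/16"), INSIDE_IF_ADDR + "/32",
         dst_net=ip_network("10.1.1.1/32"),
         line="nat (outside) 1 access-list abcd_nat outside"),
]

if __name__ == "__main__":
    pkt = Packet("outside", "10.100.5.5", "10.1.1.1")   # constructed sample packet
    print("rules that match:", matching_rules(pkt, RULES))
    print("with both rules  :", xlate(pkt, RULES))
    print("static removed   :", xlate(pkt, RULES[1:]))
    print("outside the ACL  :", xlate(Packet("outside", "10.200.1.1", "10.1.1.1"), RULES))
```

Run it as is to see both lines listed as matches and the static line chosen; the PAT to the inside interface address is only selected when the static entry is dropped from `RULES`. On a real unit, `show xlate` and `show nat` give the same answer for the live configuration.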
