Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
420
Views
0
Helpful
1
Replies

ASA static and NAT configuration.

bapatsubodh
Level 1
Level 1

‎09-05-2010 09:34 AM - edited ‎03-11-2019 11:35 AM

Hi,

Static and NAT - configuration for : ASA Version 7.2(4)33.

static (outside,inside) 10.100.0.0   10.100.0.0    netmask 255.255.0.0

Packets generated from inside zone, whose source IP - is- any  and have destination IP in the range of 10.100.0.0 /16, these will exit the
"outside"  interface without changing it's destination IP address or the source IP address. Packets will cross the firewall as it is.

This is same as : if pacets from outside zone with source IP in the range of 10.100.0.0 /16 and destination IP address of any will exit the inside interface without changing any source or destination IP address.

Corresponding permit access-lists are configured on outside and inside interfaces.

In next step following configuration is done.

global (inside) 1 interface
nat (outside) 1 access-list abcd_nat outside
access-list abcd_nat extended permit ip 10.100.0.0 255.255.0.0  host 10.1.1.1

This is PAT particularly for one IP from inside zone.

These two configurations kind of conflict with each other.  First lets packet cross without any change and second changes the IP only for particular host. Which one will work or it may casue some error ?

"Duplicate TCP SYN from outside: ****** inside: ********* with different initial sequence number". Is this error generated from such configuration?

Explanation of such error is some thing different on cisco.com but it may be realted.

Please share the experience thanks in advance.

Thanks

SubodhBapat

Labels:
0 Helpful
1 Reply 1

Nagaraja Thanthry
Cisco Employee
Cisco Employee

‎09-05-2010 09:46 AM

Hello,

Static NAT takes preference over dynamic NAT. So, the static statement will

be in effect and dynamic NAT statement will be ignored. The error message

you are getting is not related to the NAT configuration. It is related to

packets getting retransmitted by the external client. Would it be possible

that the external client is using a proxy server to access the inside host?

Sometimes, the proxy devices generate multiple SYN with different sequence

numbers.

Regards,

NT

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card