Cisco Support Community

New Member

ASA static and NAT configuration.


Static and NAT - configuration for : ASA Version 7.2(4)33.

static (outside,inside)    netmask

Packets generated from the inside zone, whose source IP is any and whose destination IP is in the range of /16, will exit the "outside" interface without changing their destination IP address or source IP address. Packets will cross the firewall as they are.

This is the same as: packets from the outside zone with a source IP in the range of /16 and a destination IP address of any will exit the inside interface without changing any source or destination IP address.

Corresponding permit access-lists are configured on outside and inside interfaces.

In the next step, the following configuration is done.

global (inside) 1 interface
nat (outside) 1 access-list abcd_nat outside
access-list abcd_nat extended permit ip  host

This is PAT, particularly for one IP from the inside zone.

These two configurations kind of conflict with each other. The first lets packets cross without any change and the second changes the IP only for a particular host. Which one will work, or may it cause some error?

"Duplicate TCP SYN from outside: ****** inside: ********* with different initial sequence number". Is this error generated from such configuration?

The explanation of such an error is something different on but it may be related.

Please share the experience. Thanks in advance.



Cisco Employee

Re: ASA static and NAT configuration.


Static NAT takes preference over dynamic NAT. So, the static statement will be in effect and dynamic NAT statement will be ignored. The error message you are getting is not related to the NAT configuration. It is related to packets getting retransmitted by the external client. Would it be possible that the external client is using a proxy server to access the inside host? Sometimes, the proxy devices generate multiple SYN with different sequence