Packets generated from the inside zone, whose source IP is any and whose destination IP is in the range 10.100.0.0/16, will exit the "outside" interface without changing the destination IP address or the source IP address. Packets will cross the firewall as they are.
This is the same as: packets from the outside zone with a source IP in the range 10.100.0.0/16 and a destination IP address of any will exit the inside interface without changing any source or destination IP address.
Corresponding permit access-lists are configured on outside and inside interfaces.
In the next step the following configuration is done:

    global (inside) 1 interface
    nat (outside) 1 access-list abcd_nat outside
    access-list abcd_nat extended permit ip 10.100.0.0 255.255.0.0 host 10.1.1.1
This is PAT particularly for one IP from inside zone.
These two configurations kind of conflict with each other. The first lets packets cross without any change and the second changes the IP only for a particular host. Which one will work, or may it cause some error?
"Duplicate TCP SYN from outside: ****** inside: ********* with different initial sequence number". Is this error generated from such configuration?
The explanation of such an error is something different on cisco.com, but it may be related.
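The way these two statements interact follows from the ASA 8.2 NAT order of operations (NAT exemption, then static NAT, then policy dynamic NAT, then regular dynamic NAT; first match within each class). The following added example is not part of the original post; it models the two configurations above as a precedence-ordered lookup, assuming the first configuration is a `nat 0 access-list` exemption on the inside interface and that host 10.100.5.5 is a constructed sample address.

```python
import ipaddress

# ASA 8.2 NAT order of operations (ASA 8.2 configuration guide):
# 1. NAT exemption (nat 0 access-list)    2. static NAT / static PAT
# 3. policy dynamic NAT (nat access-list) 4. regular dynamic NAT (nat)
PRECEDENCE = {"exempt": 0, "static": 1, "policy": 2, "dynamic": 3}

class Rule:
    def __init__(self, kind, ifc, src, dst, action):
        self.kind = kind                          # key into PRECEDENCE
        self.ifc = ifc                            # interface the packet arrives on
        self.src = ipaddress.ip_network(src)      # matched against the source IP
        self.dst = ipaddress.ip_network(dst)      # matched against the destination IP
        self.action = action                      # what the ASA does on a match

def select_rule(rules, ingress, src_ip, dst_ip):
    """Return the first matching rule in precedence order, or None (no match)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    # sorted() is stable, so rules of equal precedence keep configuration order
    for r in sorted(rules, key=lambda r: PRECEDENCE[r.kind]):
        if r.ifc == ingress and s in r.src and d in r.dst:
            return r
    return None

# Constructed model of the two configurations in the question. The exemption is
# assumed to be "nat 0 access-list" on inside (src any, dst 10.100.0.0/16); the
# ASA honours it in both directions, which the second entry models.
RULES = [
    Rule("exempt", "inside", "0.0.0.0/0", "10.100.0.0/16", "no translation"),
    Rule("exempt", "outside", "10.100.0.0/16", "0.0.0.0/0", "no translation"),
    # nat (outside) 1 access-list abcd_nat outside + global (inside) 1 interface
    Rule("policy", "outside", "10.100.0.0/16", "10.1.1.1/32", "PAT to inside interface"),
]

def decide(ingress, src_ip, dst_ip, rules=RULES):
    r = select_rule(rules, ingress, src_ip, dst_ip)
    return r.action if r else "no rule matched"

if __name__ == "__main__":
    # 10.100.5.5 (constructed) on outside talking to 10.1.1.1 is caught by the
    # exemption before the policy PAT is ever consulted.
    print(decide("outside", "10.100.5.5", "10.1.1.1"))              # no translation
    # Without the exemption the same packet hits the policy PAT.
    print(decide("outside", "10.100.5.5", "10.1.1.1", RULES[2:]))   # PAT to inside interface
```

Because the exemption is evaluated first and already covers every packet the policy PAT could match, the PAT entry is never reached while the exemption is present; `show xlate` on the unit will confirm which rule created a given translation.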