New Member

firewall command to allow non rfc1918 inside

Hi all, we had an issue where we had 2 100.1.x.x and 100.4.x.x addresses on our LAN that were trying to talk through the firewall, but it was not working. The engineer had to issue a command

>norandomseq nailed for those IPs. What exactly does this do?

3 REPLIES
New Member

Re: firewall command to allow non rfc1918 inside

They are optional parameters for a NAT rule.

norandomseq - Disables TCP ISN randomization protection. Normally a firewall would randomise the ISN of the TCP SYN passing in both the inbound and outbound directions.

nailed - Allows TCP sessions for asymmetrically routed traffic. This option allows inbound traffic to traverse the security appliance without a corresponding outbound connection to establish the state.

New Member

Re: firewall command to allow non rfc1918 inside

Why would we use this? Would we not just create a rule allowing the source in from the outside?

New Member

Re: firewall command to allow non rfc1918 inside

Well, you need both: a NAT rule to specify which addresses get translated between interfaces, and an access-list rule to allow traffic through.

There will be several reasons why you might need to use these additional options, but without understanding the network and so on it would be hard to say.

If you fancy reading about NAT rule syntax one example Cisco page is here:

http://www.cisco.com/en/US/docs/security/asa/asa71/command/reference/s8_711.html#wp1112330
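Putting the two replies together, here is a constructed ASA configuration fragment (an added illustration, not from the thread or from Cisco's documentation) showing an identity static NAT for one of the non-RFC1918 inside blocks with both keywords, next to the access-list that actually permits the traffic. The interface names, the /16 mask and the port are assumptions.

```cisco
! Added illustration, not from the thread. Interface names, the /16
! mask and port 443 are assumptions.
!
! Identity translation: 100.1.0.0/16 on inside keeps the same address
! on outside. The two optional keywords apply to this static only:
!   norandomseq - ISN randomization is switched off for these flows
!   nailed      - TCP state may be built from asymmetrically routed
!                 inbound traffic with no matching outbound connection
static (inside,outside) 100.1.0.0 100.1.0.0 netmask 255.255.0.0 norandomseq nailed
!
! The static by itself permits nothing; the inbound access-list is
! still required, and is applied to the outside interface.
access-list outside_in extended permit tcp any 100.1.0.0 255.255.0.0 eq 443
access-group outside_in in interface outside
```

Because norandomseq removes the ISN randomization for that translation, scoping the static to just the addresses that need it keeps the rest of the inside network under the default protection.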
