The sysopt route dnat command specifies that when an incoming packet does a route lookup, the incoming interface is used to determine which interface the packet should go to, and which is the next hop.
The established command uses the following format:
established A B C permitto D E permitfrom D F
If there exists a connection between two hosts using protocol A from src port B destined for port C, permit return connections through the PIX Firewall via protocol D (D can be different from A), if the source port(s) correspond to F and the destination port(s) correspond to E.
established tcp 6060 0 permitto tcp 6061 permitfrom tcp 6059
In this case, if a connection is started by an internal host to an external host using TCP source port 6060 and any destination port, the PIX Firewall permits return traffic between the hosts via TCP destination port 6061 and TCP source port 6059.
established udp 0 6060 permitto tcp 6061 permitfrom tcp 1024-65535
In this case, if a connection is started by an internal host to an external host using UDP destination port 6060 and any source port, the PIX Firewall permits return traffic between the hosts via TCP destination port 6061 and TCP source port 1024-65535.
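The matching logic described above, as an added Python model (not Cisco code and not part of the original page). It handles only the full form `established A B C permitto D E permitfrom D F` as this page describes it and treats port 0 as "any", as in the two examples; the names `parse_established`, `permits_return` and `return_port_pairs` are hypothetical.

```python
from collections import namedtuple

# Field names are this example's own; they map to A, B, C, D, E, F in the format above.
Rule = namedtuple("Rule", "proto src dst ret_proto ret_dst ret_src")

def ports(spec):
    """Inclusive (low, high) range. '0' means any port, as in the page's examples."""
    if spec == "0":
        return (0, 65535)
    low, _, high = spec.partition("-")
    return (int(low), int(high or low))

def parse_established(line):
    """Parse 'established A B C permitto D E permitfrom D F' (full form only)."""
    t = line.split()
    if len(t) != 10 or (t[0], t[4], t[7]) != ("established", "permitto", "permitfrom"):
        raise ValueError("expected: established A B C permitto D E permitfrom D F")
    if t[5] != t[8]:
        # Assumption of this model: the format uses the same protocol D in both clauses.
        raise ValueError("permitto and permitfrom name different protocols")
    return Rule(t[1], ports(t[2]), ports(t[3]), t[5], ports(t[6]), ports(t[9]))

def in_range(port, rng):
    return rng[0] <= port <= rng[1]

def permits_return(rule, conn, pkt):
    """conn and pkt are (protocol, source_port, destination_port) tuples.
    conn is the existing connection; pkt is the candidate return packet."""
    c_proto, c_src, c_dst = conn
    p_proto, p_src, p_dst = pkt
    triggered = (c_proto == rule.proto and in_range(c_src, rule.src)
                 and in_range(c_dst, rule.dst))
    return (triggered and p_proto == rule.ret_proto
            and in_range(p_src, rule.ret_src) and in_range(p_dst, rule.ret_dst))

def return_port_pairs(rule):
    """How many (source, destination) port pairs the rule opens for return traffic."""
    src_width = rule.ret_src[1] - rule.ret_src[0] + 1
    dst_width = rule.ret_dst[1] - rule.ret_dst[0] + 1
    return src_width * dst_width

if __name__ == "__main__":
    for line in ("established tcp 6060 0 permitto tcp 6061 permitfrom tcp 6059",
                 "established udp 0 6060 permitto tcp 6061 permitfrom tcp 1024-65535"):
        print(line, "->", return_port_pairs(parse_established(line)), "return port pair(s)")
```

When reviewing a configuration, `return_port_pairs` makes the difference between the two rules visible: the first opens a single source/destination port pair, while the `1024-65535` range in the second opens every unprivileged source port toward port 6061.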
In the following example, local host 10.1.1.1 starts a TCP connection on port 9999 to foreign host 18.104.22.168. The example allows packets from the foreign host 22.214.171.124 on port 4242 back to local host 10.1.1.1 on port 5454.
established tcp 9999 permitto tcp 5454 permitfrom tcp 4242
The next example allows packets from foreign host 126.96.36.199 on any port back to local host 10.1.1.1 on port 5454: