firewall command to allow non rfc1918 inside

carl_townshend · ‎06-13-2008

Hi all, we had an issue where we had 2 100.1.x.x and 100.4.x.x addresses on our lan that were trying to talk through the firewall, but it was not working, the engineer had to issue a command

>norandomseq nailed for them ip's, what exactly does this do?

jamesl0112 · ‎06-13-2008

They are optional parameters for a NAT rule.

noramdomseq - Disables TCP ISN randomization protection. Normally a firewall would randomise the ISN of the TCP SYN passing in both the inbound and outbound directions.

nailed - Allows TCP sessions for asymmetrically routed traffic. This option allows inbound traffic to traverse the security appliance without a corresponding outbound connection to establish the state.

carl_townshend · ‎06-13-2008

why would we use this, would we not just create a rule allowing the source in from the outside ?

jamesl0112 · ‎06-13-2008

Well - you need both, a NAT rule to specify which addresses get translated between interfaces, and an access-list rule to allow traffic through.

There will be several reasons why you might need to use these additional options, but without understanding the network and so on it would be hard to say.

If you fancy reading about NAT rule syntax one example Cisco page is here:

http://www.cisco.com/en/US/docs/security/asa/asa71/command/reference/s8_711.html#wp1112330