Tony Finch wrote on 6/11/2019 4:23 AM:
> Mark Andrews <ma...@isc.org> wrote:
>> As for the NAT box that chooses those ports. If you can’t keep the
>> original port it should choose an ephemeral port at random. Choosing a
>> well-known port is problematic for lots of reasons.
>
> If I understand the documentation that was linked previously
> https://www.cisco.com/c/en/us/td/docs/security/asa/asa910/configuration/firewall/asa-910-firewall-config/nat-basics.html#ID-2090-00000438
> I think the option that does the right thing is "flat" without
> "include-reserve".
Yes, that was my understanding as well. Unfortunately the flat option is
not available in most NAT modes and seems to present itself only when
also using a PAT pool in a manual (twice) NAT configuration.
Interestingly enough, older versions of the ASA (7.x) did not require
this extra configuration as they did not attempt to use source ports
below 1024 for PAT. I'm sure there's a reason Cisco added the newer
logic in ASA 8.x which sometimes does use ports < 1024, I'm just not
sure what that reason could have been.
--Blake
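As an added example, not code from this thread, from ISC or from Cisco: a small Python audit of the translated source ports a NAT/PAT device emits for outbound DNS queries, flagging the reserved ports (< 1024) the thread warns against and a crude sign of sequential rather than random allocation. The log line format and the sample lines are constructed for the example.

```python
# Added example (not from the thread): audit post-NAT source ports of
# outbound UDP/53 queries as seen on the outside of a NAT/PAT device.
import re

# Constructed sample in a made-up "time src:port -> dst:port proto" format,
# roughly what a translation log or capture summary might show after PAT.
SAMPLE_LOG = """\
12:00:01 203.0.113.10:53 -> 198.51.100.1:53 udp
12:00:02 203.0.113.10:1024 -> 198.51.100.1:53 udp
12:00:03 203.0.113.10:1025 -> 198.51.100.1:53 udp
12:00:04 203.0.113.10:1026 -> 198.51.100.1:53 udp
12:00:05 203.0.113.10:123 -> 198.51.100.1:53 udp
12:00:06 203.0.113.10:40211 -> 198.51.100.1:53 udp
"""

# Only UDP queries to destination port 53 are of interest here.
LINE_RE = re.compile(r"^\S+ \S+:(\d+) -> \S+:53 udp$")

def parse_source_ports(log_text):
    """Return the translated source ports of all UDP queries to port 53,
    in the order they appear in the log."""
    ports = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ports.append(int(m.group(1)))
    return ports

def audit_ports(ports, reserved_limit=1024):
    """Summarise the NAT's port choices: which translated ports fall in the
    reserved/well-known range (< 1024), how many consecutive queries got
    adjacent ports (a hint of sequential rather than random allocation),
    and how many distinct ports were used."""
    reserved = sorted(p for p in ports if p < reserved_limit)
    sequential_pairs = sum(1 for a, b in zip(ports, ports[1:]) if b == a + 1)
    return {
        "total": len(ports),
        "reserved": reserved,
        "sequential_pairs": sequential_pairs,
        "distinct": len(set(ports)),
    }

if __name__ == "__main__":
    print(audit_ports(parse_source_ports(SAMPLE_LOG)))
```

Run against a real translation log or capture summary, a non-empty "reserved" list means the PAT device is handing out well-known source ports for DNS, which is the behaviour the thread's "flat" without "include-reserve" setting is meant to avoid.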