I've searched the forums and have seen that the solution is to configure stateless on the ip policy; however, when I tried that, the problem got worse rather than better. I'm assuming I just don't know exactly how to configure stateless.
Here's my issue:
I see these in the logs, both ways:
2019.03.03 15:09:34 FIREWALL id=firewall time="2019-03-03 15:09:34" fw=Mainframe_3430(A) pri=1 proto=telnet src=10.1.1.18 dst=10.1.1.6 msg="TCP connection request received is invalid (expected SYN, got ACK), dropping packet; flags=0x18 Src 55453 Dst 23 from DataNtwk policy-class on interface eth 0/2" agent=AdFirewall
2019.03.03 17:22:10 FIREWALL id=firewall time="2019-03-03 17:22:10" fw=Mainframe_3430(A) pri=1 proto=50371/tcp src=172.28.0.7 dst=10.1.1.83 msg="TCP connection request received is invalid (expected SYN, got ACK), dropping packet; flags=0x18 Src 3001 Dst 50371 from MainframeNtwk policy-class on interface eth 0/1" agent=AdFirewall
I've tried the following config changes, to no avail:
1st Try:
ip policy-class DataNtwk
  allow list Admin3430 self
  allow list any-any policy MainframeNtwk stateless
  nat destination list ToMainframe address 172.28.0.7
!
ip policy-class MainframeNtwk
  allow list Admin3430 self
  allow list any-any policy DataNtwk stateless
  nat source list FromMainframe address 10.1.1.6 overload
!
2nd Try:
ip policy-class DataNtwk
  allow list Admin3430 self
  nat destination list ToMainframe address 172.28.0.7
!
ip policy-class MainframeNtwk
  allow list Admin3430 self
  nat source list FromMainframe address 10.1.1.6 overload
!
Both made the situation worse rather than better.
I've attached my config to the post.
Any help is appreciated.
Thank you!
Patrick
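As an added example (not from the original post and not ADTRAN code), here is a small Python parser for the firewall log lines quoted in the post. It splits the key=value fields, pulls the TCP flag word out of msg, decodes it (0x18 is PSH+ACK, a data segment in the middle of an established connection rather than a handshake), and tallies the drops per policy-class and interface so you can confirm whether the firewall is losing session state in both directions before touching the config. The first two sample lines are copied from the post; the third is constructed (same message format, bare-ACK flags) to exercise the decoder. The assumption that every such line carries "flags=0x.. Src .. Dst .. from .. policy-class on interface .." inside msg is taken from the two real lines and may not hold for other AdFirewall messages.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Two lines copied verbatim from the post; the third is constructed for this
# example (same message layout, flags=0x10) so more than one flag value is seen.
SAMPLE_LOG = """\
2019.03.03 15:09:34 FIREWALL id=firewall time="2019-03-03 15:09:34" fw=Mainframe_3430(A) pri=1 proto=telnet src=10.1.1.18 dst=10.1.1.6 msg="TCP connection request received is invalid (expected SYN, got ACK), dropping packet; flags=0x18 Src 55453 Dst 23 from DataNtwk policy-class on interface eth 0/2" agent=AdFirewall
2019.03.03 17:22:10 FIREWALL id=firewall time="2019-03-03 17:22:10" fw=Mainframe_3430(A) pri=1 proto=50371/tcp src=172.28.0.7 dst=10.1.1.83 msg="TCP connection request received is invalid (expected SYN, got ACK), dropping packet; flags=0x18 Src 3001 Dst 50371 from MainframeNtwk policy-class on interface eth 0/1" agent=AdFirewall
2019.03.03 17:30:01 FIREWALL id=firewall time="2019-03-03 17:30:01" fw=Mainframe_3430(A) pri=1 proto=50371/tcp src=172.28.0.7 dst=10.1.1.83 msg="TCP connection request received is invalid (expected SYN, got ACK), dropping packet; flags=0x10 Src 3001 Dst 50371 from MainframeNtwk policy-class on interface eth 0/1" agent=AdFirewall
"""

# TCP header flag bits, lowest bit first (RFC 793 plus ECE/CWR from RFC 3168).
TCP_FLAGS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH",
             0x10: "ACK", 0x20: "URG", 0x40: "ECE", 0x80: "CWR"}

# key=value pairs; a quoted value (time="...", msg="...") is taken whole so the
# flags=... inside msg is not picked up as a top-level field.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Layout of the tail of msg as seen in the two real lines (assumption: same
# layout for every "expected SYN, got ACK" drop).
MSG_RE = re.compile(
    r'flags=0x([0-9a-fA-F]+) Src (\d+) Dst (\d+) from (\S+) policy-class '
    r'on interface (.+)$')


def decode_flags(value: int) -> List[str]:
    """Return the names of the flag bits set in a raw TCP flags byte."""
    return [name for bit, name in sorted(TCP_FLAGS.items()) if value & bit]


def parse_line(line: str) -> Optional[Dict]:
    """Parse one AdFirewall drop line; return None for anything else."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    if fields.get("id") != "firewall" or "msg" not in fields:
        return None
    m = MSG_RE.search(fields["msg"])
    if not m:
        return None
    flags = int(m.group(1), 16)
    return {
        "time": fields.get("time"),
        "src": fields.get("src"), "sport": int(m.group(2)),
        "dst": fields.get("dst"), "dport": int(m.group(3)),
        "policy_class": m.group(4),
        "interface": m.group(5),
        "flags": decode_flags(flags),
        # ACK set and SYN clear: a segment of an already established connection
        # that the firewall has no session entry for (state lost or never seen).
        "mid_stream": bool(flags & 0x10) and not (flags & 0x02),
    }


def summarize(log_text: str) -> Dict:
    """Tally mid-stream drops per policy-class/interface and per conversation."""
    records = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    mid_stream = [r for r in records if r["mid_stream"]]
    return {
        "total": len(records),
        "mid_stream": len(mid_stream),
        "by_policy_class": dict(Counter(
            (r["policy_class"], r["interface"]) for r in mid_stream)),
        "conversations": dict(Counter(
            f'{r["src"]}:{r["sport"]} -> {r["dst"]}:{r["dport"]}'
            for r in mid_stream)),
        # Drops on more than one policy-class mean state is missing both ways,
        # not just for replies in one direction.
        "both_directions": len({r["policy_class"] for r in mid_stream}) > 1,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Feed it the real log instead of SAMPLE_LOG (for example `summarize(open("firewall.log").read())`) and watch the by_policy_class and conversations counters: if the same 5-tuples keep appearing on both eth 0/1 and eth 0/2 with PSH/ACK only, the firewall is seeing established traffic for which it never recorded the SYN, which is what the log message says.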