Does PIX NATing generate a NEW packet?

Nov 14th, 2007

Some firewalls, after receiving a packet, generate a new packet and populate it with data from the original, rather than forwarding the same packet that was received. Does the PIX do this?


- K

elparis Wed, 11/14/2007 - 16:20
Cisco Employee

Several fields in the IP header, TCP or UDP headers, and even layer 7 data, from the original packet have to be changed in order to do NAT.

For example, the source IP address has to be changed as part of the NAT process (for changing an internal address like 192.168.x.x to a valid global IP address). If doing PAT instead of NAT, then TCP or UDP source ports need to be changed as well. If the packet carries a payload that has IP addresses or ports for a specific layer 7 protocol (like SIP, for example), and the ASA/PIX is doing deep packet inspection of that protocol ("inspect sip", for example), then the layer 7 payload needs to be modified as well.

Once you change something then checksums (like IP, TCP and UDP checksums) need to be recalculated.

It's basically a new packet, but built based on the original packet. Fields that don't need to be changed as part of the NAT process are not touched. The IP ID is an example of a field that is not touched. This helps when you need to identify a packet among hundreds in packet captures both on the inside (pre-NAT) and outside (post-NAT) interfaces.

Hope this helps.
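To make the answer above concrete, here is an added example (not part of the original thread, and not Cisco code) that performs the source NAT/PAT rewrite on a constructed IPv4/TCP packet: only the source address and port change, both checksums are recomputed over the new values, and the IP ID is carried through unchanged so the pre-NAT and post-NAT copies can be matched in captures. Addresses, ports and the payload are sample values.

```python
import socket
import struct

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (odd length is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def tcp_checksum(ip_hdr: bytes, tcp_seg: bytes) -> int:
    """TCP checksum covers a pseudo-header (src, dst, zero, proto, length) plus the segment."""
    pseudo = ip_hdr[12:20] + struct.pack("!BBH", 0, 6, len(tcp_seg))
    return inet_checksum(pseudo + tcp_seg)

def build_ipv4_tcp(src, dst, sport, dport, ip_id, payload=b""):
    """Constructed sample packet: minimal IPv4 + TCP (SYN) headers with correct checksums."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, 0x02, 65535, 0, 0) + payload
    total_len = 20 + len(tcp)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ip_id, 0x4000, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    tcp = tcp[:16] + struct.pack("!H", tcp_checksum(ip, tcp)) + tcp[18:]
    return ip + tcp

def nat_rewrite(pkt: bytes, new_src: str, new_sport: int) -> bytes:
    """Source NAT/PAT as described in the answer: rewrite source IP and port, recompute
    the IP and TCP checksums, and leave every other field (IP ID included) untouched."""
    ihl = (pkt[0] & 0x0F) * 4
    ip, tcp = bytearray(pkt[:ihl]), bytearray(pkt[ihl:])
    ip[12:16] = socket.inet_aton(new_src)      # inside address -> global address
    tcp[0:2] = struct.pack("!H", new_sport)    # PAT: source port rewritten too
    ip[10:12] = b"\x00\x00"                    # zero before recomputing, per RFC 791
    ip[10:12] = struct.pack("!H", inet_checksum(bytes(ip)))
    tcp[16:18] = b"\x00\x00"                   # pseudo-header now carries the new source
    tcp[16:18] = struct.pack("!H", tcp_checksum(bytes(ip), bytes(tcp)))
    return bytes(ip + tcp)

def checksums_valid(pkt: bytes) -> bool:
    """With the stored checksum included, a correct header sums to zero."""
    ihl = (pkt[0] & 0x0F) * 4
    return inet_checksum(pkt[:ihl]) == 0 and tcp_checksum(pkt[:ihl], pkt[ihl:]) == 0

def ip_id(pkt: bytes) -> int:
    """The Identification field: preserved across NAT, so it correlates pre/post captures."""
    return struct.unpack("!H", pkt[4:6])[0]
```

Run the pre-NAT and post-NAT bytes through a capture tool and filter on `ip.id` to see the same packet on both sides of the translation.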

