Does PIX NATing generate a NEW packet?

KellyR1989
Level 1

Some firewalls, after receiving a packet, generate a new packet and populate it with data from the original, rather than forwarding the same packet that was received. Does the PIX do this?

Thanks

- K

1 Reply

elparis
Cisco Employee

Several fields in the IP header, TCP or UDP headers, and even layer 7 data, from the original packet have to be changed in order to do NAT.

For example, the source IP address has to be changed as part of the NAT process (for changing an internal address like 192.168.x.x to a valid global IP address). If doing PAT instead of NAT, then TCP or UDP source ports need to be changed. If the packet carries a payload that has IP addresses or ports for a specific layer 7 protocol (like SIP, for example), and the ASA/PIX is doing deep packet inspection of that protocol ("inspect sip", for example), then the layer 7 payload needs to be modified as well.

Once you change something then checksums (like IP, TCP and UDP checksums) need to be recalculated.

It's basically a new packet, but built based on the original packet. Fields that don't need to be changed as part of the NAT process are not touched. The IP ID is an example of a field that is not touched. This helps when you need to identify a packet among hundreds in packet captures both on the inside (pre-NAT) and outside (post-NAT) interfaces.

Hope this helps.
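As an added illustration of the reply above (example code written here, not Cisco's or the PIX's own implementation), the following Python builds a constructed IPv4/TCP packet, applies an outbound PAT rewrite of the source address and port, recomputes the IP and TCP checksums, and leaves the IP ID untouched so the pre-NAT and post-NAT copies can be matched. All addresses, ports and the IP ID value are constructed sample values.

```python
import ipaddress
import struct

def inet_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement of the one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"  # pad odd-length data with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)  # fold carries back in
    return (~total) & 0xFFFF

def fix_checksums(pkt: bytes) -> bytes:
    """Recompute the IP header checksum and the TCP checksum (pseudo-header + segment)."""
    ihl = (pkt[0] & 0x0F) * 4
    ip, tcp = bytearray(pkt[:ihl]), bytearray(pkt[ihl:])
    ip[10:12] = b"\x00\x00"
    ip[10:12] = struct.pack("!H", inet_checksum(bytes(ip)))
    tcp[16:18] = b"\x00\x00"
    pseudo = bytes(ip[12:20]) + struct.pack("!BBH", 0, 6, len(tcp))  # src, dst, zero, proto, len
    tcp[16:18] = struct.pack("!H", inet_checksum(pseudo + bytes(tcp)))
    return bytes(ip + tcp)

def build_packet(src, dst, sport, dport, ip_id, payload=b"") -> bytes:
    """Constructed minimal IPv4/TCP SYN-style packet with no options; checksums filled in."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), ip_id, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return fix_checksums(ip + tcp)

def pat_outbound(pkt: bytes, global_ip: str, global_port: int) -> bytes:
    """PAT rewrite: replace source IP and source port, keep IP ID, refresh checksums."""
    ihl = (pkt[0] & 0x0F) * 4
    out = bytearray(pkt)
    out[12:16] = ipaddress.IPv4Address(global_ip).packed
    out[ihl:ihl + 2] = struct.pack("!H", global_port)
    return fix_checksums(bytes(out))

def ip_id(pkt: bytes) -> int:
    return struct.unpack("!H", pkt[4:6])[0]

def src_ip(pkt: bytes) -> str:
    return str(ipaddress.IPv4Address(pkt[12:16]))

def src_port(pkt: bytes) -> int:
    ihl = (pkt[0] & 0x0F) * 4
    return struct.unpack("!H", pkt[ihl:ihl + 2])[0]

def checksums_valid(pkt: bytes) -> bool:
    """A correct checksum makes the checksum over the covered bytes come out as zero."""
    ihl = (pkt[0] & 0x0F) * 4
    pseudo = pkt[12:20] + struct.pack("!BBH", 0, 6, len(pkt) - ihl)
    return inet_checksum(pkt[:ihl]) == 0 and inet_checksum(pseudo + pkt[ihl:]) == 0
```

Comparing `ip_id()` of the inside and outside copies is the same trick the reply describes for lining up a packet across pre-NAT and post-NAT captures.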
