Does PIX alter TCP sequence numbers?

Unanswered Question
Aug 14th, 2003
User Badges:

Hello all,

I am trying to sniff a session between a server on an "inside" segement and a server on a "DMZ" segment. The server on the inside is being NAT translated to the same address on the DMZ like so:

static (inside,DMZ) netmask 0 0

The problem I am having is comparing the sniffer capture on the inside server to the one on the DMZ server because I think the TCP sequence numbers are being altered. The TCP port numbers appear to be maintained.

Does the PIX alter the TCP sequence numbers? If so does it do so in a predicatble manner?

Also can someone point me to documentation on this behavior?

Thank You

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
l.mourits Thu, 08/14/2003 - 05:35
User Badges:
  • Silver, 250 points or more


You are right, the PIX does alter TCP sequence numbers. This is done in a random, not predictable manner by ASA. Some good documentation can be found at the following link:

Here's a part of this documentation:

Adaptive Security Algorithm (ASA):

- Implements stateful connection control through the firewall.

- Allows one way (inside to outside) connections without an explicit configuration for each internal system and application.

- Always in operation monitoring return packets to ensure they are valid. Actively randomizes TCP sequence numbers to minimize the risk of TCP sequence number attack.

Hope this helps,


ggombas Thu, 08/14/2003 - 09:13
User Badges:

Thanks for the reply Leo. What I don't understand is if the PIX is always changing the sequence numbers how the end stations are keeping track of them. Is it because the PIX only randomizes the sequence numbers of new sessions and keeps the same sequence throughout the session?

bdube Thu, 08/14/2003 - 14:02
User Badges:

You're right. The inside client doesn't see any difference in TCP sequence number, the PIX presents another sequence number to the DMZ server or outside. The PIX does a sequence number translation. There is a randomizing at the beginning of new session, and this one is kept for the rest of the session.


r-lemaster Fri, 08/15/2003 - 07:12
User Badges:

You can turn off the default random sequencing of TCP packet numbers for debugging by using the norandomsequence keyword..

nat [(if_name)] nat_id local_ip [netmask [max_connections [embryonic_limit]]] [norandomsequence]



This Discussion