
A NAT'ed syn ack Reveals Internal IP Address thru PIX

We are trying to configure an internal firewall to handle SMTP requests from a Windows 2003 Web Application server through the PIX outside interface (using a NAT) to a Red Hat Linux ES Mail server. Using sniffer traces, we have found that the Windows web app receives a SYN ACK from the mail server that shows the real address of the mail server instead of the NAT'ed address, and the web app discards the mail server responses because it thinks the source is wrong. We tested the same machines through the PIX with a different protocol, SSH, instead and saw the same behavior. Additionally, we tested SSH from Windows to Windows and it works as it should. It's possible that it's a Linux issue, but our Linux guys tell us it's the PIX. Attached is a diagram to illustrate the environment. Any ideas?
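
A check for the symptom described in the post above, written as an added example that is not part of the original thread: it pairs each SYN in a decoded client-side trace with the SYN-ACK returned to the same client port and reports replies whose source is not the address the SYN was sent to. The segment format, the function name and all addresses are assumptions constructed for illustration.

```python
from collections import namedtuple

# One decoded TCP segment as seen at the client; field names are this example's own.
Seg = namedtuple("Seg", "src sport dst dport flags seq ack")

# Constructed capture (documentation/private addresses, not taken from the post):
# the client sends to the translated address 192.0.2.25, but the first answer
# carries the server's real address 10.1.1.25. The second exchange is healthy.
CAPTURE = [
    Seg("198.51.100.10", 40001, "192.0.2.25", 25, "S", 1000, 0),
    Seg("10.1.1.25", 25, "198.51.100.10", 40001, "SA", 5000, 1001),
    Seg("198.51.100.10", 40002, "192.0.2.25", 22, "S", 2000, 0),
    Seg("192.0.2.25", 22, "198.51.100.10", 40002, "SA", 7000, 2001),
]


def find_untranslated_synacks(segments):
    """Return SYN-ACKs whose source differs from the address the SYN was sent to."""
    pending = {}  # (client_ip, client_port, server_port) -> (syn_dst_ip, isn)
    findings = []
    for s in segments:
        if s.flags == "S":
            pending[(s.src, s.sport, s.dport)] = (s.dst, s.seq)
        elif s.flags == "SA":
            key = (s.dst, s.dport, s.sport)
            if key not in pending:
                continue  # no matching SYN in this capture
            expected_src, isn = pending[key]
            if s.src != expected_src:
                findings.append({
                    "client": f"{s.dst}:{s.dport}",
                    "syn_sent_to": expected_src,
                    "synack_from": s.src,
                    # ack == ISN + 1 shows the reply answers that very SYN
                    "acks_our_syn": s.ack == (isn + 1) % 2**32,
                })
    return findings


if __name__ == "__main__":
    for finding in find_untranslated_synacks(CAPTURE):
        print(finding)
```

A finding with `acks_our_syn` set means the server did receive the SYN and answered it, but the answer reached the client without the source address being translated back, so the client's TCP stack cannot match it to the connection it opened.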


Re: A NAT'ed syn ack Reveals Internal IP Address thru PIX

For PIX firewall (with VoIP application-layer gateway [ALG] or fixup protocol), the following version/feature combinations are supported:

Version 5.2: Supports H.323 version 2, Registration and Status (RAS), and NAT (no PAT).

Version 6.0 and 6.1: Adds SIP with NAT (no PAT), Skinny Client Control Protocol (SCCP) with NAT (no PAT), and no Media Gateway Control Protocol (MGCP) support.

Version 6.2: PAT support for H.323 version 2 and SIP.