A NAT'ed SYN ACK Reveals Internal IP Address through PIX

nhansonwhitlock
Level 1

We are trying to configure an internal firewall to handle SMTP requests from a Windows 2003 Web Application server through the PIX outside interface (using a NAT) to a Red Hat Linux ES Mail server. Using sniffer traces, we have found that the Windows web app receives a SYN ACK from the mail server that shows the real address of the mail server instead of the NAT'ed address, and the web app discards the mail server responses because it thinks the source is wrong. We tested the same machines through the PIX with a different protocol, SSH, and see the same behavior. Additionally, we tested SSH from Windows to Windows and it works as it should. It's possible that it's a Linux issue, but our Linux guys tell us it's the PIX. Attached is a diagram to illustrate the environment. Any ideas?
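The symptom described in the question, a SYN ACK whose source is not the address the SYN was sent to, can be checked mechanically in a capture. The following is an added example, not part of the original post: it assumes a simplified tcpdump-style text format, and the sample lines, addresses and the function name `find_untranslated_synacks` are constructed for illustration.

```python
import re

# Constructed sample capture (placeholder addresses, simplified tcpdump-style text).
# Flow 1: SYN goes to the translated address, SYN ACK returns from a different one.
# Flow 2: SYN ACK returns from the same address the SYN was sent to.
CAPTURE = """\
10.1.1.10.1045 > 192.0.2.25.25: Flags [S], seq 1000
10.2.2.25.25 > 10.1.1.10.1045: Flags [S.], seq 5000, ack 1001
10.1.1.10.1046 > 192.0.2.30.22: Flags [S], seq 2000
192.0.2.30.22 > 10.1.1.10.1046: Flags [S.], seq 7000, ack 2001
"""

LINE = re.compile(
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]+)\], seq (?P<seq>\d+)(?:, ack (?P<ack>\d+))?"
)

def find_untranslated_synacks(capture):
    """Return SYN ACKs whose source differs from the address the matching SYN targeted."""
    pending = {}   # (client ip, client port, expected ack) -> (ip, port) the SYN was sent to
    findings = []
    for line in capture.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        src, dst = m["src"], m["dst"]
        sport, dport = int(m["sport"]), int(m["dport"])
        if m["flags"] == "S":
            # A valid SYN ACK must acknowledge seq + 1 (mod 2^32).
            pending[(src, sport, (int(m["seq"]) + 1) % 2**32)] = (dst, dport)
        elif m["flags"] == "S." and m["ack"]:
            # Match on client endpoint and ack number, not on the server address,
            # so a reply from an unexpected source is still paired with its SYN.
            sent_to = pending.get((dst, dport, int(m["ack"])))
            if sent_to and sent_to != (src, sport):
                findings.append({"client": (dst, dport),
                                 "syn_sent_to": sent_to,
                                 "synack_from": (src, sport)})
    return findings

if __name__ == "__main__":
    for f in find_untranslated_synacks(CAPTURE):
        print("SYN to %s:%d answered from %s:%d" % (f["syn_sent_to"] + f["synack_from"]))
```

Running the same check on captures taken on both sides of the firewall shows at which hop the reply first carries the wrong source address.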

1 Reply

mchin345
Level 6

For PIX firewall (with VoIP application-layer gateway [ALG] or fixup protocol), the following version/feature combinations are supported:

Version 5.2: Supports H.323 version 2, Registration and Status (RAS), and NAT (no PAT).

Version 6.0 and 6.1: Adds SIP with NAT (no PAT), Skinny Client Control Protocol (SCCP) with NAT (no PAT), and no Media Gateway Control Protocol (MGCP) support.

Version 6.2: PAT support for H.323 version 2 and SIP.
