Cisco Support Community

Does NAT only apply for new connections?

Really stumped on this one - any comments gratefully received!

I have a PIX in front of a router. The PIX is doing a static NAT for a web server and the PIX forwards the packet to a router. The router is doing PAT on its firewall-facing interface. It receives the packet, sees that the PAT doesn't apply from its ACL and routes the packet to the web server internally - NOW this is the bit I am confused about - the web server then replies to the packet BUT now the PAT does apply from its ACL, and I was expecting the source address on the reply packet to be translated and the connection to lose state through the firewall!

But the return packet is not NATted. The PIX receives the packet with the original address and does the static NAT on it, so all addresses are routable on the internet and it all works!

So - is NAT only done on a new connection, and is NAT ignored if it's a return packet?!

The syntax is:

ip nat inside source list 131 interface Ethernet1/0 overload

Thanks in advance. Nik


Re: Does NAT only apply for new connections?

Your packet flow scenario is really hard to follow.

Why don't you post your router config so that we can see where "inside", "outside", and the controlling ACL are? Also, include the PIX's static or nat statement that affects the web server in question.

The NAT/PAT works in both directions as long as the ACL applies. There is no "stateful" inspection for NAT/PAT to determine when the process should apply.
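For reference, here is a minimal IOS NAT configuration of the kind the reply asks for, added as an illustration rather than taken from either poster; Ethernet1/0 and ACL 131 come from the original post, while the second interface name, the addresses and the web server's address (10.0.0.80) are assumed placeholders:

```cisco
! Added example, not from the thread: the interface roles decide
! which packets NAT examines, the ACL decides which of them get PAT.
interface Ethernet1/0
 description Firewall-facing (PIX side)
 ip address 192.0.2.2 255.255.255.0
 ip nat outside
!
interface Ethernet1/1
 description Internal LAN, web server lives here (assumed)
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
!
! ACL 131 controls PAT. The host the PIX already translates statically
! (web server, 10.0.0.80 assumed) is explicitly denied so its traffic is
! never overloaded onto Ethernet1/0's address in either direction;
! everything else on the LAN is PATed.
access-list 131 deny   ip host 10.0.0.80 any
access-list 131 permit ip 10.0.0.0 0.0.0.255 any
!
ip nat inside source list 131 interface Ethernet1/0 overload
```

With a session open to the web server, `show ip nat translations` on the router should show no entry for 10.0.0.80, which confirms the ACL is keeping that host out of PAT.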