Cisco Support Community

New Member

Does PIX NATing generate a NEW packet?

Some firewalls, after receiving a packet, generate a new packet and populate it with data from the original, rather than forwarding the same packet that was received. Does the PIX do this?


- K

  • Other Security Subjects
Cisco Employee

Re: Does PIX NATing generate a NEW packet?

Several fields in the IP header, TCP or UDP headers, and even layer 7 data, from the original packet have to be changed in order to do NAT.

For example, the source IP address has to be changed as part of the NAT process (for changing an internal address like 192.168.x.x to a valid global IP address). If doing PAT instead of NAT, then TCP or UDP source ports need to be changed. If the packet carries a payload that has IP addresses or ports for a specific layer 7 protocol (like SIP, for example), and the ASA/PIX is doing deep packet inspection of that protocol ("inspect sip", for example), then the layer 7 payload needs to be modified as well.

Once you change something, the checksums (like IP, TCP and UDP checksums) need to be recalculated.

It's basically a new packet, but built based on the original packet. Fields that don't need to be changed as part of the NAT process are not touched. The IP ID is an example of a field that is not touched. This helps when you need to identify a packet among hundreds in packet captures on both the inside (pre-NAT) and outside (post-NAT) interfaces.

Hope this helps.
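As an added illustration (not code from the original thread or from Cisco), the Python below rewrites a constructed IPv4/TCP packet the way the answer describes a PAT translation: new source address and port, IP and TCP checksums recomputed, and every other field, including the IP ID, copied from the original so the pre-NAT and post-NAT captures can be matched. All addresses, ports and the IP ID are made-up sample values.

```python
import struct
import socket

def checksum(data: bytes) -> int:
    """Ones-complement checksum shared by IPv4, TCP and UDP (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_packet(src_ip, dst_ip, sport, dport, ip_id, payload=b""):
    """Constructed sample: a minimal IPv4/TCP SYN with valid checksums."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, 0x02, 8192, 0, 0) + payload
    pseudo = socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), ip_id, 0x4000, 64, 6,
                     0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp

def nat_rewrite(packet, new_src_ip, new_sport):
    """PAT: rewrite source IP and port, then recompute the IP and TCP checksums.
    Everything else (IP ID, TTL, sequence numbers, payload) is copied untouched."""
    ihl = (packet[0] & 0x0F) * 4
    ip, tcp = bytearray(packet[:ihl]), bytearray(packet[ihl:])
    ip[12:16] = socket.inet_aton(new_src_ip)
    ip[10:12] = b"\x00\x00"                       # zero, then recompute header checksum
    ip[10:12] = struct.pack("!H", checksum(bytes(ip)))
    tcp[0:2] = struct.pack("!H", new_sport)
    tcp[16:18] = b"\x00\x00"                      # zero, then recompute over pseudo-header
    pseudo = bytes(ip[12:20]) + struct.pack("!BBH", 0, 6, len(tcp))
    tcp[16:18] = struct.pack("!H", checksum(pseudo + bytes(tcp)))
    return bytes(ip + tcp)

def parse(packet):
    """Fields an analyst compares between the inside and outside captures."""
    ihl = (packet[0] & 0x0F) * 4
    ip_id, = struct.unpack("!H", packet[4:6])
    src, dst = socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20])
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    return {"ip_id": ip_id, "src": src, "dst": dst, "sport": sport, "dport": dport}

def checksums_valid(packet):
    """Both the IPv4 header checksum and the TCP checksum verify (sum to zero)."""
    ihl = (packet[0] & 0x0F) * 4
    pseudo = packet[12:20] + struct.pack("!BBH", 0, 6, len(packet) - ihl)
    return checksum(packet[:ihl]) == 0 and checksum(pseudo + packet[ihl:]) == 0
```

Run `parse()` on the packet before and after `nat_rewrite()` to see the source address and port change while the IP ID stays the same, which is exactly the field to filter on when correlating the two captures.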
