Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

PAT and no nat-control..

I was testing this setup..

DMZ(Sec20) --- PIX --- Inside(Sec100)

I do PAT for all traffic from inside to DMZ.

I have no nat-control configured on PIX, basically i want all DMZ20 hosts to communicate with any inside hosts seamlessly with their real IP.

However when the inside hosts setup any session to DMZ hosts, i want the IP to be hidden, so I use PAT for this purpose.

With this configs, what i observe is that the sessions from inside to DMZ work as intended. However, i have trouble with sessions from DMZ to inside's real IPs.

What is happening here is, the packet travels from DMZ to inside host successfully, but the return traffic is being PATed, which i do not expect it to happen, because the original session was initiated from DMZ. I would rather expect PIX to match the existing session initated from DMZ, instead of doing PAT for the return traffic.

I just wanted to know, if this is a known limitation or am i seeing a bug in PIX..

fyi.. I am running 3.1 code on FWSM

Please advise.


Re: PAT and no nat-control..

Hi .. I don't think this is a bug from where I can see the Pix is behaving as it supposed to.

1.- When packets are initiated from inside to DMZ, the DMZ hosts will see the PATed IP as the source and the return traffic will not match your no-nat instructions because the PATed IP is obviusly no part of the ACL for your no-nat.

2.- When traffic is initiated from the DMZ, the traffic will match your no-nat instruction and it will reach the inside hosts however the traffic comming back will fall on the same category as in point 1. even though the session was not initiated from inside, however the source and destination IP will match your PAT condition and hence the return traffic will be PATed.

Conclusion: I don't think you can accomplish what you are trying to do .. at least no that I am aware of.

New Member

Re: PAT and no nat-control..

Hi Fernando, Appreciate your response, however i am still not convinced why PIX can't match the session entry created during the DMZ to inside communication.

All that it has to do is to lookup the existing session info, before looking up the translation table.

This gains more significance now, because of the new no-natcontrol feature. Without, this feature, i can understand that this is not possible, because there has to be some xlation in place for any low sec to high sec communication.

May be i will TAC about it and keep you posted..

Thanks again

Re: PAT and no nat-control..

cool let me know how you go with TAC

CreatePlease login to create content