I have no nat-control configured on the PIX; basically I want all DMZ20 hosts to communicate with any inside hosts seamlessly with their real IP.
However, when the inside hosts set up any session to DMZ hosts, I want the IP to be hidden, so I use PAT for this purpose.
With this config, what I observe is that the sessions from inside to DMZ work as intended. However, I have trouble with sessions from DMZ to the inside hosts' real IPs.
What is happening here is that the packet travels from DMZ to the inside host successfully, but the return traffic is being PATed, which I do not expect to happen, because the original session was initiated from DMZ. I would rather expect the PIX to match the existing session initiated from DMZ, instead of doing PAT for the return traffic.
I just wanted to know if this is a known limitation or if I am seeing a bug in the PIX.
Hi .. I don't think this is a bug; from where I can see, the PIX is behaving as it is supposed to.
1. When packets are initiated from inside to DMZ, the DMZ hosts will see the PATed IP as the source, and the return traffic will not match your no-nat instructions because the PATed IP is obviously not part of the ACL for your no-nat.
2. When traffic is initiated from the DMZ, the traffic will match your no-nat instruction and it will reach the inside hosts; however, the traffic coming back will fall into the same category as in point 1. Even though the session was not initiated from inside, the source and destination IP will match your PAT condition, and hence the return traffic will be PATed.
Conclusion: I don't think you can accomplish what you are trying to do .. at least not that I am aware of.
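For readers following the two points above, here is an assumed reconstruction of the kind of configuration being discussed (an added example, not the poster's actual config). The interface names, network ranges and ACL name are assumptions; the comments trace the two packet directions through the rules as the answer describes them.

```cisco
! Added example, not the original poster's configuration. Assumed layout:
!   inside (security 100) = 10.1.1.0/24
!   dmz20  (security 20)  = 192.168.20.0/24
! Addresses and names are made up for illustration.

! No translation is required for traffic between interfaces.
no nat-control

! DMZ-to-inside sessions: exempt from translation so inside hosts see the
! real DMZ address. This ACL is checked against packets sourced from dmz20.
access-list DMZ_TO_INSIDE_NONAT extended permit ip 192.168.20.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (dmz20) 0 access-list DMZ_TO_INSIDE_NONAT

! Inside-to-DMZ sessions: hide inside addresses behind the dmz20 interface IP.
! A reply from 10.1.1.x to 192.168.20.x enters on the inside interface and
! has a source/destination pair that this rule covers, which is the match
! the answer above refers to in point 2.
nat (inside) 1 10.1.1.0 255.255.255.0
global (dmz20) 1 interface
```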
Hi Fernando, I appreciate your response; however, I am still not convinced why the PIX can't match the session entry created during the DMZ-to-inside communication.
All it has to do is look up the existing session info before looking up the translation table.
This gains more significance now because of the new no nat-control feature. Without this feature, I can understand that this is not possible, because there has to be some translation in place for any low-security to high-security communication.