PAT and no nat-control..

vramanaiah
Level 1

I was testing this setup:

DMZ(Sec20) --- PIX --- Inside(Sec100)

I do PAT for all traffic from inside to DMZ.

I have no nat-control configured on the PIX; basically I want all DMZ20 hosts to communicate with any inside hosts seamlessly with their real IPs.

However, when the inside hosts set up any session to DMZ hosts, I want the IP to be hidden, so I use PAT for this purpose.

With this config, what I observe is that sessions from inside to DMZ work as intended. However, I have trouble with sessions from DMZ to the inside hosts' real IPs.

What is happening here is, the packet travels from DMZ to the inside host successfully, but the return traffic is being PATed, which I do not expect to happen, because the original session was initiated from DMZ. I would rather expect the PIX to match the existing session initiated from DMZ, instead of doing PAT for the return traffic.

I just wanted to know if this is a known limitation or whether I am seeing a bug in the PIX.

FYI, I am running 3.1 code on the FWSM.

Please advise.

3 Replies

Fernando_Meza
Level 7

Hi .. I don't think this is a bug; from where I can see, the PIX is behaving as it is supposed to.

1.- When packets are initiated from inside to DMZ, the DMZ hosts will see the PATed IP as the source, and the return traffic will not match your no-nat instructions because the PATed IP is obviously not part of the ACL for your no-nat.

2.- When traffic is initiated from the DMZ, the traffic will match your no-nat instruction and it will reach the inside hosts; however, the traffic coming back will fall into the same category as in point 1. Even though the session was not initiated from inside, the source and destination IP will match your PAT condition and hence the return traffic will be PATed.

Conclusion: I don't think you can accomplish what you are trying to do .. at least not that I am aware of.
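The setup the thread is discussing, reconstructed as an added example in PIX 7.x / FWSM 3.x syntax (this is not the original poster's configuration, which was not included in the thread). The VLAN interface form is the FWSM's; the interface names `inside` and `dmz`, the address ranges, and the ACL name `DMZ_TO_INSIDE` are assumptions.

```cisco
! Added example, not from the thread. Interface names, addresses and the
! ACL name are assumptions chosen to match the topology in the question.
interface Vlan100
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
interface Vlan20
 nameif dmz
 security-level 20
 ip address 192.168.20.1 255.255.255.0
!
! Translation is no longer mandatory for traffic crossing the firewall,
! so DMZ hosts can reach inside hosts by their real addresses with no static.
no nat-control
!
! Sessions opened from inside toward the DMZ are PATed to the dmz interface
! address. This is the only translation rule that applies to the inside side.
global (dmz) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
!
! dmz (20) -> inside (100) is low-to-high, so an access list is still
! required even though a translation is not.
access-list DMZ_TO_INSIDE extended permit tcp 192.168.20.0 255.255.255.0 10.1.1.0 255.255.255.0 eq 22
access-group DMZ_TO_INSIDE in interface dmz
```

To see which entry the reply traffic is using, open a connection from a DMZ host to an inside host and run `show conn` and `show xlate` on the firewall: the connection table shows the DMZ-initiated session, and the xlate table shows whether the inside host's reply was matched to that session or to a new PAT entry built from the `nat (inside) 1` rule, which is the behaviour the two posts above disagree about.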

vramanaiah
Level 1

Hi Fernando, I appreciate your response; however, I am still not convinced why the PIX can't match the session entry created during the DMZ-to-inside communication.

All that it has to do is look up the existing session info before looking up the translation table.

This gains more significance now because of the new no nat-control feature. Without this feature, I can understand that this is not possible, because there has to be some translation in place for any low-sec to high-sec communication.

Maybe I will ask TAC about it and keep you posted.

Thanks again

Fernando_Meza
Level 7

Cool, let me know how you go with TAC.