Mission Critical Internet Security

Configuring NAT and NAPT

Now that the interfaces have been named and security values have been assigned, and network connectivity has been established by configuring and testing the IP settings, NAT and PAT can be configured to allow traffic to pass through.

Permit Traffic Through

When an outbound packet arrives at a higher security level interface (inside), the PIX checks the validity of the packet based on the adaptive security algorithm, and then checks whether or not a previous packet has come from that host. If no packet has originated from that host, then the packet is for a new connection, and PIX will create a translation in its table for the connection.

The information that PIX stores in the translation table includes the inside IP address and a globally unique IP address assigned by the Network Address Translation or Network Address Port Translation. The PIX then changes the packet's source IP address to the global address, modifies the checksum and other fields as required, and then forwards the packet to the lower security interface (outside, or DMZ).

When an inbound packet arrives at a lower security level interface (outside, or DMZ), it must first pass the PIX Adaptive Security criteria. If the packet passes the security tests (static and Access Control Lists), the PIX removes the destination IP address, and the internal IP address is inserted in its place. The packet then is forwarded to the higher security level interface (inside). Figure 9.4 illustrates the NAT process on the...
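The translation flow described above can be modelled in a few lines. This is an added example, not code from the book or from PIX: the `XlateTable` class, its method names, and all addresses are hypothetical, the headers are constructed samples, and the security checks (adaptive security algorithm, statics, ACLs) are reduced to "a translation entry must exist". It covers one-to-one NAT only, not port translation.

```python
import ipaddress
import struct

def ip_checksum(header: bytes) -> int:
    """RFC 1071 checksum of a 20-byte IPv4 header; 0 for a valid header."""
    total = sum(struct.unpack("!10H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def rewrite(header: bytes, offset: int, new_ip: str) -> bytes:
    """Replace the address at offset (12 = source, 16 = destination), fix checksum."""
    h = bytearray(header)
    h[offset:offset + 4] = ipaddress.ip_address(new_ip).packed
    h[10:12] = b"\x00\x00"
    h[10:12] = struct.pack("!H", ip_checksum(bytes(h)))
    return bytes(h)

def make_header(src: str, dst: str) -> bytes:
    """Constructed sample header: IPv4, TCP, TTL 64, no options."""
    blank = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0, bytes(4), bytes(4))
    return rewrite(rewrite(blank, 12, src), 16, dst)

def addr(header: bytes, offset: int) -> str:
    """Dotted-quad address stored at the given header offset."""
    return str(ipaddress.ip_address(header[offset:offset + 4]))

class XlateTable:
    """Hypothetical model of the translation table (one-to-one NAT, no ports)."""
    def __init__(self, global_pool):
        self.free = list(global_pool)
        self.to_global = {}   # inside address -> global address
        self.to_inside = {}   # global address -> inside address

    def outbound(self, header: bytes):
        inside = addr(header, 12)
        if inside not in self.to_global:      # first packet from this host
            if not self.free:
                return None                   # pool exhausted: cannot translate
            g = self.free.pop(0)
            self.to_global[inside], self.to_inside[g] = g, inside
        return rewrite(header, 12, self.to_global[inside])

    def inbound(self, header: bytes):
        inside = self.to_inside.get(addr(header, 16))
        if inside is None:
            return None                       # no translation entry: dropped
        return rewrite(header, 16, inside)
```

An exhausted global pool is the failure mode worth noticing here: once every global address is assigned, a new inside host gets no translation, which is the case NAPT addresses by sharing one global address across ports.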
