Hi,
I've got an issue with a PIX 515E firewall on a customer's network.
The customer NATs their three internal network ranges behind three IP addresses using PAT on a Nortel layer 3 switch.
These three addresses are permitted through the PIX via access-lists, and the services they need to access are created as statics on the PIX.
If I plug my laptop directly into the PIX with a cross-over cable and give my laptop any of the three addresses, I can access all services through the PIX without any issue.
If I plug my laptop into the customer's switch in front of their NAT device (so no NAT takes place), I can access all services through the PIX without any issue.
If I plug my laptop behind the NAT device on their internal network range, I can't access any services through the PIX, yet I can see my source IP in the NAT table on the Nortel switch being NATed to one of the three allocated addresses.
We can see that the traffic is being returned to the NAT device, and routing has been configured correctly on the PIX.
When I removed the PIX and put its LAN address onto the WAN router (2600), they could access all services without any issues.
It's almost as if the PIX is stripping out the source port information in the packet headers, thus preventing the Nortel switch from sending it back to its original source address based on its NAT table.
I would be grateful if anyone has any suggestions about this, please.
Thanks
Paddy
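The symptom described above (a PAT device behind the firewall that cannot match return traffic to its translation table) is usually settled by capturing on both sides of the firewall and comparing the 5-tuples. The script below is an added example, not part of Paddy's post and not a Cisco or Nortel tool: it parses tcpdump -n style lines from an inside-facing and an outside-facing capture and reports, per outbound flow, whether the firewall preserved the source port, rewrote it, or never forwarded the flow, and whether the server's reply came back to the original port. The capture lines, the PAT addresses (192.0.2.10-12) and the server address 203.0.113.50 are constructed for illustration.

```python
"""Compare inside and outside captures of a firewall to see whether it
preserves, rewrites or drops the source port of each outbound flow.
All sample data below is constructed; the addresses are hypothetical."""
import re
from collections import namedtuple

# Matches the "IP a.b.c.d.port > e.f.g.h.port:" part of a tcpdump -n line.
TCPDUMP_RE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):")

Flow = namedtuple("Flow", "src sport dst dport")

# The three addresses the inside PAT device presents (assumed values).
PAT_ADDRESSES = {"192.0.2.10", "192.0.2.11", "192.0.2.12"}


def parse_flows(lines):
    """Extract (src, sport, dst, dport) tuples from tcpdump text output."""
    flows = []
    for line in lines:
        m = TCPDUMP_RE.search(line)
        if m:
            flows.append(Flow(m.group(1), int(m.group(2)),
                              m.group(3), int(m.group(4))))
    return flows


def classify_outbound(inside_flows, outside_flows):
    """For each flow seen entering the firewall, say what became of it:
    'preserved'  - identical 5-tuple seen on the outside
    'translated' - same destination seen, but source address/port rewritten
    'missing'    - nothing towards that destination left the firewall
    Matching by destination is a heuristic: two inside flows to the same
    server port cannot be told apart from the outside capture alone."""
    outside = set(outside_flows)
    verdicts = {}
    for f in inside_flows:
        if f in outside:
            verdicts[f] = "preserved"
        elif any(o.dst == f.dst and o.dport == f.dport for o in outside):
            verdicts[f] = "translated"
        else:
            verdicts[f] = "missing"
    return verdicts


def reply_reached_inside(flow, inside_flows):
    """True if the inside capture holds the server's reply to `flow`,
    addressed back to the original source port (what the PAT device
    needs to look up its translation entry)."""
    return Flow(flow.dst, flow.dport, flow.src, flow.sport) in inside_flows


# Constructed captures: three connections from one PAT address to a server,
# seen on the firewall's inside (PAT-device side) and outside interfaces.
INSIDE_CAPTURE = [
    "12:00:00.000001 IP 192.0.2.10.1025 > 203.0.113.50.80: Flags [S], seq 1",
    "12:00:00.000002 IP 192.0.2.10.1026 > 203.0.113.50.443: Flags [S], seq 1",
    "12:00:00.000003 IP 192.0.2.10.1027 > 203.0.113.50.22: Flags [S], seq 1",
    "12:00:00.000010 IP 203.0.113.50.80 > 192.0.2.10.1025: Flags [S.], seq 1, ack 2",
]
OUTSIDE_CAPTURE = [
    "12:00:00.000001 IP 192.0.2.10.1025 > 203.0.113.50.80: Flags [S], seq 1",
    "12:00:00.000002 IP 192.0.2.10.40000 > 203.0.113.50.443: Flags [S], seq 1",
]


def report(inside_lines=INSIDE_CAPTURE, outside_lines=OUTSIDE_CAPTURE,
           pat_addresses=PAT_ADDRESSES):
    """Map each outbound flow to (verdict, reply_seen_inside)."""
    inside = parse_flows(inside_lines)
    outside = parse_flows(outside_lines)
    outbound = [f for f in inside if f.src in pat_addresses]
    verdicts = classify_outbound(outbound, outside)
    return {f: (verdicts[f], reply_reached_inside(f, inside)) for f in outbound}


if __name__ == "__main__":
    for flow, (verdict, replied) in report().items():
        print(f"{flow.src}:{flow.sport} -> {flow.dst}:{flow.dport}  "
              f"{verdict:10s} reply seen inside: {replied}")
```

In the constructed data the first flow passes unchanged and its reply returns to port 1025, the second has its source port rewritten to 40000 on the outside (the firewall is applying its own PAT, so the reply will not carry the port the inside device expects), and the third never appears outside at all. Running the same comparison on real captures from the PIX's inside and outside interfaces would distinguish the "source port stripped or rewritten" hypothesis from a plain drop.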