Does PIX alter TCP sequence numbers?

[deeze6]

Hello all,

I am trying to sniff a session between a server on an "inside" segement and a server on a "DMZ" segment. The server on the inside is being NAT translated to the same address on the DMZ like so:

static (inside,DMZ) 10.1.1.1 10.1.1.1 netmask 255.255.255.255 0 0

The problem I am having is comparing the sniffer capture on the inside server to the one on the DMZ server because I think the TCP sequence numbers are being altered. The TCP port numbers appear to be maintained.

Does the PIX alter the TCP sequence numbers? If so does it do so in a predicatble manner?

Also can someone point me to documentation on this behavior?

Thanks,
Deeze6

 

[tbissett]

The PIX does in fact alter the sequence numbers. This is by design and the sequencing is totally random. It's actually the heart of the PIX security measures, and exists to primarily prevent TCP hijacking.

It can be disabled by adding the keyword "norandomseq" to the end of your NAT statement, but trust me... Unless you have another inline firewall that does the randomizing, you REALLY don't want to disable that

 

[deeze6]

Thanks much for the reply!