NAT and PAT through FW in between SHs

Categories: SteelHead CX (Appliance), SteelHead (Appliance), SteelHead CX (Virtual Steelhead), SteelHead DX (Appliance), SteelHead EX (Appliance)
Solution Number: S27893

Issue

What are the implications of using a FW that performs NAT and/or PAT between SHs?

Solution

With full transparency and the correct OOB splice, NAT will work through a FW on the inner channel. However, if the FW is using PAT and the tuple changes between the session setup handshake and the inner channel handshake, the inner channel establishment will fail.

This is because with correct addressing the original tuple from client to server is preserved in the session splice and taken by the SFE from it, so a particular inner channel can be related to a session setup. However, in Full Transparency the SFE takes the tuple from the inner channel TCP packets themselves. Therefore, with FT, if the tuple changes between the session setup three-way handshake and the subsequent three-way handshake for the corresponding inner channel (remember, there is no connection pooling with FT), and if the FW is doing PAT it almost certainly will, the SFE will not be able to relate the inner channel to the corresponding session setup. The optimization will then fail with just a clean FIN/FIN-ACK and no indication of why.
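The correlation failure described above, as a simplified model added here (not Riverbed code). The class and function names, the sample addresses, and the choice to model PAT as assigning a new source port to every connection are assumptions made for illustration.

```python
from itertools import count

# A TCP tuple here is (src_ip, src_port, dst_ip, dst_port).

class StaticNat:
    """One-to-one address translation; source ports are left untouched."""
    def __init__(self, mapping):
        self.mapping = mapping

    def translate(self, tup):
        src_ip, src_port, dst_ip, dst_port = tup
        return (self.mapping[src_ip], src_port, dst_ip, dst_port)

class Pat:
    """Many-to-one translation; assumed to pick a fresh source port per connection."""
    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.ports = count(first_port)

    def translate(self, tup):
        _, _, dst_ip, dst_port = tup
        return (self.public_ip, next(self.ports), dst_ip, dst_port)

class Correlator:
    """Hypothetical stand-in for tuple matching on the far-side SteelHead under FT."""
    def __init__(self):
        self.pending = set()

    def session_setup(self, seen_tuple):
        # Tuple observed on the session setup three-way handshake.
        self.pending.add(seen_tuple)

    def inner_channel(self, seen_tuple):
        # With FT the tuple is read from the inner channel's own TCP packets.
        if seen_tuple in self.pending:
            self.pending.discard(seen_tuple)
            return True
        return False

def optimized_through(firewall, client_tuple):
    """Send both handshakes through the firewall; True if they can be related."""
    sfe = Correlator()
    sfe.session_setup(firewall.translate(client_tuple))         # first handshake
    return sfe.inner_channel(firewall.translate(client_tuple))  # second handshake

# Constructed sample flow using documentation address ranges.
FLOW = ("192.0.2.10", 51515, "198.51.100.20", 445)
```

With static NAT both handshakes arrive with the same translated tuple and the lookup succeeds; with PAT the second handshake carries a different source port and the lookup fails, which is the case that ends in the unexplained FIN/FIN-ACK.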

Environment

Given the above, don't use a FW with PAT enabled between SHs.

Last Modified: 2016-02-12