What are the implications of using a FW between SHs using NAT and/or PAT?


With Full Transparency and the correct OOB splice, NAT will work through a FW on the inner channel. However, if the FW is using PAT and the tuple changes between the session setup handshake and the inner channel handshake, the inner channel establishment will fail.

This is because in Correct Addressing the original tuple from client to server is preserved in the session splice, and the SFE takes it from there so that a particular inner channel can be related to a session setup. In Full Transparency, however, the SFE takes the tuple from the inner channel TCP packets themselves. Therefore, with FT, if the tuple changes between the session setup three-way handshake and the subsequent three-way handshake for the corresponding inner channel (remember, there is no connection pooling with FT), and if the FW is doing PAT it almost certainly will, the SFE will not be able to relate the inner channel to the corresponding session setup. The optimization will then fail with just a clean FIN/FIN-ACK and no indication of why.


Given the above, don't use a FW with PAT enabled between SHs.
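The tuple matching described above can be shown with a simplified model. This is an added example, not Riverbed code: the function names, mode strings and addresses are constructed for illustration, and the only assumption is that the SFE relates the two handshakes by tuple as the text states.

```python
from itertools import count

# Constructed client-to-server tuple: (src ip, src port, dst ip, dst port).
CLIENT = ("10.1.1.10", 40001, "10.2.2.20", 445)

def static_nat(tup):
    """1:1 NAT: the source address is rewritten, the port is untouched,
    and the same input always yields the same translated tuple."""
    _, sport, dst_ip, dport = tup
    return ("192.0.2.10", sport, dst_ip, dport)

def make_pat():
    """PAT: each new TCP connection is given the next free translated port."""
    ports = count(20000)
    def pat(tup):
        _, _, dst_ip, dport = tup
        return ("192.0.2.1", next(ports), dst_ip, dport)
    return pat

def inner_channel_matches(firewall, mode):
    """Return True if the far-side SFE can relate the inner channel
    to the session setup that preceded it."""
    sessions = set()
    # Handshake 1: the session setup crosses the firewall.
    seen_setup = firewall(CLIENT)
    # Correct Addressing: the original tuple travels inside the splice.
    # Full Transparency: the tuple is read from the TCP packets themselves.
    sessions.add(CLIENT if mode == "correct_addressing" else seen_setup)
    # Handshake 2: the inner channel is a new TCP connection (no pooling
    # with FT), so the firewall translates it again.
    seen_inner = firewall(CLIENT)
    key = CLIENT if mode == "correct_addressing" else seen_inner
    return key in sessions

if __name__ == "__main__":
    for name, fw in (("static NAT", static_nat), ("PAT", make_pat())):
        for mode in ("correct_addressing", "full_transparency"):
            print(f"{name:10} {mode:18} matched={inner_channel_matches(fw, mode)}")
```

Only the PAT plus Full Transparency combination fails to match, which is the case that ends in the unexplained FIN/FIN-ACK.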

