Old 2006-09-20
jrdld
Junior Member
 
Join Date: 2005-11-11
Posts: 23
Are manual static NAT rules stateful in NG R55 AI?

Experts, please forgive me if this is a stupid question.

I had always understood (since v4.0) that if I had a static NAT rule like this:

Src=Any Dst=Public_Address Serv=Any Src=Original Dst=Hidden_Address(static) Serv=original

then I needed a reciprocal rule like this:

Src=Hidden_Address Dst=Any Serv=Any Src=Public_Address(Static) Dst=Original Serv=original

This is what you would see if you configure NAT for the Public_Address object and have the rules created automatically.

Is this still the case?

Here's why I ask. We have a mail system which resides on a firewalled service LAN. Originally users connected to it using its public address, which was translated to the hidden address. The NAT rules are configured manually as shown above. (Please don't ask why we don't use automatic NAT).

Then the mail admins started to tell some users to connect to the hidden address. A colleague added a security rule to allow this, but left the NAT rules as they were (as above). My understanding was that this would not work, since the reciprocal rule will translate the source of any reply from the hidden address, so that the user would see the reply packet come from the public address, even though he tried to connect to the hidden address, i.e.:

SYN: User ------------------------------------->Hidden Address
SYN/ACK: User<-------Public Address (NAT)<---------Hidden Address
"Eh? Who are you?"


But this is not what happens. It works whether they connect to the public address or the hidden address. There are positively no other NAT rules that can affect this, so I can only imagine that the manual static rules are stateful, and my reciprocal rule is redundant. Can anyone confirm this?

Thanks.

JR
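The following is an added example, not code from the original post and not Check Point code: a small Python model of connection-tracked (stateful) NAT set beside per-packet NAT, loaded with the two manual rules from the post. The addresses, ports and host names are constructed for the demo. The model records the NAT decision on the first packet of a connection and reverse-translates replies from that connection entry instead of re-evaluating them against the rulebase, which is what produces the behaviour the post observed: a reply from Hidden_Address to a user who connected to it directly is not rewritten to Public_Address, whereas a per-packet rulebase would rewrite it exactly as the post feared. It also shows that the reciprocal rule still does real work for connections that Hidden_Address initiates outbound.

```python
# Toy model of connection-tracked ("stateful") NAT versus per-packet NAT.
# Added illustration for the thread above; not Check Point code.
# All addresses below are constructed for the demo.
from dataclasses import dataclass, replace
from typing import Optional, Tuple

ANY = "Any"
ORIGINAL = "Original"

PUBLIC = "203.0.113.25"    # Public_Address (constructed)
HIDDEN = "10.0.5.25"       # Hidden_Address (constructed)
USER = "10.1.1.7"          # an internal user (constructed)
INTERNET = "198.51.100.9"  # an external host (constructed)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False  # True only on the first packet of a connection


@dataclass(frozen=True)
class NatRule:
    """One manual static NAT rule: match on original src/dst, rewrite to
    translated src/dst. ORIGINAL means leave that field unchanged."""
    orig_src: str
    orig_dst: str
    xlate_src: str
    xlate_dst: str

    def matches(self, p: Packet) -> bool:
        return self.orig_src in (ANY, p.src) and self.orig_dst in (ANY, p.dst)

    def apply(self, p: Packet) -> Packet:
        src = p.src if self.xlate_src == ORIGINAL else self.xlate_src
        dst = p.dst if self.xlate_dst == ORIGINAL else self.xlate_dst
        return replace(p, src=src, dst=dst)


# The two manual rules from the post, in rulebase order (first match wins).
RULES = [
    NatRule(ANY, PUBLIC, ORIGINAL, HIDDEN),   # inbound: Public -> Hidden
    NatRule(HIDDEN, ANY, PUBLIC, ORIGINAL),   # reciprocal: Hidden -> Public
]


def stateless_translate(p: Packet, rules=RULES) -> Packet:
    """Per-packet NAT: every packet, replies included, is run through the
    rulebase. This is the behaviour the post expected to see."""
    for r in rules:
        if r.matches(p):
            return r.apply(p)
    return p


class StatefulNat:
    """Connection-tracked NAT: the rulebase is consulted only on the first
    packet of a connection; the result is stored, and later packets in either
    direction are rewritten from the table, never from the rules."""

    def __init__(self, rules=RULES):
        self.rules = rules
        self.table = {}  # 4-tuple as received -> 4-tuple as emitted

    @staticmethod
    def _key(p: Packet) -> Tuple[str, str, int, int]:
        return (p.src, p.dst, p.sport, p.dport)

    def translate(self, p: Packet) -> Optional[Packet]:
        """Return the packet as it leaves the firewall, or None if dropped."""
        key = self._key(p)
        if key in self.table:            # known connection, either direction
            s, d, sp, dp = self.table[key]
            return replace(p, src=s, dst=d, sport=sp, dport=dp)
        if not p.syn:                    # no state and not a new connection: drop
            return None
        out = stateless_translate(p, self.rules)   # rules consulted once, here
        self.table[key] = self._key(out)
        # Reply direction: what the far side sends back maps to the original pair.
        self.table[(out.dst, out.src, out.dport, out.sport)] = (p.dst, p.src, p.dport, p.sport)
        return out


def run_scenario(client: str, target: str) -> Tuple[Packet, Packet]:
    """client opens TCP/25 to target through a fresh stateful NAT.
    Returns (SYN as the server sees it, SYN/ACK as the client sees it)."""
    nat = StatefulNat()
    syn = Packet(client, target, 40000, 25, syn=True)
    at_server = nat.translate(syn)
    reply = Packet(at_server.dst, at_server.src, 25, 40000)   # server answers what it saw
    at_client = nat.translate(reply)
    return at_server, at_client


if __name__ == "__main__":
    for client, target in ((USER, PUBLIC), (USER, HIDDEN), (HIDDEN, INTERNET)):
        srv, cli = run_scenario(client, target)
        print(f"{client} -> {target}: server sees {srv.src}->{srv.dst}, "
              f"client sees reply from {cli.src}")
    print("per-packet NAT would rewrite the direct reply to:",
          stateless_translate(Packet(HIDDEN, USER, 25, 40000)).src)
```

Running it shows the three cases side by side: a user connecting to Public_Address reaches Hidden_Address and gets a reply from Public_Address; a user connecting to Hidden_Address directly gets the reply from Hidden_Address, because the connection entry was created with no translation and the reply never touches the reciprocal rule; and a connection that Hidden_Address opens outbound leaves with Public_Address as source, which is the case the reciprocal rule exists for, so it is not redundant even though replies never need it. The out-of-state drop in `translate` is the stateful-inspection half of the same mechanism. This is a model of the general behaviour only; interface-side matching, anti-spoofing and the automatic NAT rule generation on a real gateway are outside it.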