How Data Moves Through the PIX Firewall
When an outbound packet arrives at a PIX Firewall higher security level interface (security levels can be viewed with the show nameif command), the PIX Firewall checks to see if the packet is valid based on the Adaptive Security Algorithm, and then whether or not previous packets have come from that host. If not, then the packet is for a new connection, and PIX Firewall creates a translation slot in its state table for the connection. The information that PIX Firewall stores in the translation slot includes the inside IP address and a globally unique IP address assigned by Network Address Translation (NAT), Port Address Translation (PAT), or Identity (which uses the inside address as the outside address). The PIX Firewall then changes the packet's source IP address to the globally unique address, modifies the checksum and other fields as required, and forwards the packet to the lower security level interface.

When an inbound packet arrives at an external interface such as the outside interface, it first passes the PIX Firewall Adaptive Security criteria. If the packet passes the security tests, the PIX Firewall removes the destination IP address, and the internal IP address is inserted in its place. The packet is forwarded to the protected interface.
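
The translation-slot behaviour described above, as an added Python sketch that is not Cisco's code and not part of the original page: a toy table maps inside addresses to global addresses, rewrites the IPv4 header and recomputes its checksum. The class and function names, the address pool and the sample addresses are constructed for illustration, and the Adaptive Security Algorithm checks themselves are not modelled.

```python
import ipaddress
import struct

def ip_checksum(header: bytes) -> int:
    """One's-complement checksum over a 20-byte IPv4 header (0 means valid)."""
    total = sum(struct.unpack("!10H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def set_addrs(header: bytes, src: str, dst: str) -> bytes:
    """Rewrite source/destination and recompute the header checksum."""
    raw = (header[:10] + b"\x00\x00" + ipaddress.IPv4Address(src).packed
           + ipaddress.IPv4Address(dst).packed)
    return raw[:10] + struct.pack("!H", ip_checksum(raw)) + raw[12:]

def build_header(src: str, dst: str) -> bytes:
    """Constructed sample header: IPv4, no options, TTL 64, protocol TCP."""
    base = struct.pack("!BBHHHBBH8x", 0x45, 0, 40, 0, 0, 64, 6, 0)
    return set_addrs(base, src, dst)

def addrs(header: bytes):
    """Return (source, destination) as dotted-quad strings."""
    return (str(ipaddress.IPv4Address(header[12:16])),
            str(ipaddress.IPv4Address(header[16:20])))

class XlateTable:
    """Toy translation-slot table: inside address <-> global address."""
    def __init__(self, global_pool):
        self.free = list(global_pool)   # assumed pool of global addresses
        self.by_inside = {}             # inside address -> global address
        self.by_global = {}             # global address -> inside address

    def outbound(self, header: bytes) -> bytes:
        src, dst = addrs(header)
        if src not in self.by_inside:   # no earlier packets: create a slot
            if not self.free:
                raise RuntimeError("global address pool exhausted")
            glob = self.free.pop(0)
            self.by_inside[src] = glob
            self.by_global[glob] = src
        # Source becomes the global address; checksum is recomputed.
        return set_addrs(header, self.by_inside[src], dst)

    def inbound(self, header: bytes):
        src, dst = addrs(header)
        inside = self.by_global.get(dst)
        if inside is None:              # no slot: nothing to translate to
            return None
        # Destination becomes the inside address; checksum is recomputed.
        return set_addrs(header, src, inside)
```

An inbound packet addressed to a global address with no slot returns None here, which is the property to check when reviewing which inside hosts are reachable from a lower security level interface.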

   

   