You can actually check to see if there is any translation just by looking at the session table:
get session dst-ip X.X.X.X (X is IP of some host in the DMZ)
Look for the session that has a host from the trust.
If the session looks something like this:
id 63963/s**,vsys 0,flag 00000010/0000/0001,policy 1,time 1, dip 2 module 0
if 6(nspflag 800801):77.5.0.5/15937->192.19.50.129/1024,1,0010db558d96,sess token 4,vlan 0,tun 0,vsd 0,route 3
if 0(nspflag 10800800):192.19.51.124/1254<-192.19.50.129/1024,1,000c2924b08a,sess token 6,vlan 0,tun 0,vsd 0,route 6
If you look at the src addresses, they are different, indicating that NAT is taking place.
If you are seeing the NAT and you did not have any policy configured, that's because interface src NAT is taking place. The trust is in NAT mode, e.g.:
NET-> get int e3 | i nat
number 6, if_info 12336, if_index 0, mode nat
and the DMZ is in route mode. To disable it, you need to change trust to route mode, e.g.:
set int e3 mode route
Then you also need to remember to configure a policy to do the src NAT for all other traffic going from trust to untrust (which gets NATted by default due to the interface NAT), e.g.:
set policy top from trust to untrust any any any nat src permit
Message Edited by WL on 06-11-2009 08:50 AM
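Added example (not part of WL's post): a small Python parser that applies the check described above to pasted "get session" output, comparing the source address on the "->" line with the address on the left of the "<-" line. The function name and the second sample session are constructed for illustration; the first session is the one quoted in the post.

```python
import re

# Constructed sample: session 63963 is quoted from the post, 63970 is made up.
SAMPLE = """\
id 63963/s**,vsys 0,flag 00000010/0000/0001,policy 1,time 1, dip 2 module 0
 if 6(nspflag 800801):77.5.0.5/15937->192.19.50.129/1024,1,0010db558d96,sess token 4,vlan 0,tun 0,vsd 0,route 3
 if 0(nspflag 10800800):192.19.51.124/1254<-192.19.50.129/1024,1,000c2924b08a,sess token 6,vlan 0,tun 0,vsd 0,route 6
id 63970/s**,vsys 0,flag 00000010/0000/0001,policy 1,time 2, dip 0 module 0
 if 6(nspflag 800801):10.1.1.20/40000->192.19.50.129/80,6,0010db558d96,sess token 4,vlan 0,tun 0,vsd 0,route 3
 if 0(nspflag 10800800):10.1.1.20/40000<-192.19.50.129/80,6,000c2924b08a,sess token 6,vlan 0,tun 0,vsd 0,route 6
"""

ID_RE = re.compile(r"^\s*id\s+(\d+)/.*?policy\s+(\d+)")
FLOW_RE = re.compile(
    r"^\s*if\s+\d+\(nspflag\s+[0-9a-fA-F]+\):"
    r"([\d.]+)/(\d+)(->|<-)([\d.]+)/(\d+),"
)


def find_src_nat(text):
    """Return one dict per complete session, flagging a changed source address."""
    sessions, cur = [], None
    for line in text.splitlines():
        m = ID_RE.match(line)
        if m:  # header line starts a new session
            cur = {"id": int(m.group(1)), "policy": int(m.group(2))}
            sessions.append(cur)
            continue
        m = FLOW_RE.match(line)
        if m and cur is not None:
            # "->" line carries the original source, "<-" line the translated one
            key = "original_src" if m.group(3) == "->" else "translated_src"
            cur[key] = (m.group(1), int(m.group(2)))
    results = []
    for s in sessions:
        if "original_src" not in s or "translated_src" not in s:
            continue  # skip sessions whose two "if" lines were not both pasted
        s["src_nat"] = s["original_src"][0] != s["translated_src"][0]
        results.append(s)
    return results


if __name__ == "__main__":
    for s in find_src_nat(SAMPLE):
        state = "src NAT" if s["src_nat"] else "no src NAT"
        print(s["id"], "policy", s["policy"], s["original_src"], "=>",
              s["translated_src"], state)
```
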