10-23-2002 05:58 AM - edited 03-09-2019 12:47 AM
Hello,
Does defining a NAT pool/addresses automatically result in the device answering ARP requests for those addresses? Or does it mean that the device will reply to ARP requests only for the actually allocated NAT addresses?
Regarding PING for NAT addresses: is the device responsible for the PING reply? Does the device forward the PING request to the destination host? Does it matter whether the NAT address is actually allocated or not?
Thanks in advance,
Emek
10-23-2002 06:30 AM
It will only respond to ARP for allocated addresses if it is dynamic NAT; for static NAT it will answer.
The NATing device (e.g. firewall or router) isn't responsible for the ping reply; it will forward the ping to the actual destination device (e.g. PC). If it is a static NAT it will be forwarded; if it's dynamic it must be allocated (or how would it know who to send the ping to? It wouldn't).
All the above assumes no access-lists.
Hope it helps.
Steve
10-23-2002 08:22 AM
Thanks. It helps.
Follow up questions.
Regarding PING.
In the case of static NAT with port redirection, i.e. destination (public) NAT address 1.1.1.1:80 to DMZ web server 2.2.2.2:80 and destination (public) NAT address 1.1.1.1:25 to DMZ email server 3.3.3.3:25, who will reply to a PING of 1.1.1.1?
Just to be sure that I am on the same page: in the case of dynamic NAT the firewall/router will not answer a PING unless an actual mapping is present, even though the NAT address belongs to the firewall/router.
Thanks in advance,
Emek
10-23-2002 09:15 AM
No one should respond, as there is no mapping for it. The only ports that are available/that will receive a response are www and smtp.
The router/firewall will not answer any ping. It will pass the ping through to the destination if there is a mapping present for it to do so.
Steve
10-23-2002 01:36 PM
Thanks.
Is it acceptable behavior, from a client standpoint, to be able to access a web site but not to be able to ping it?
Emek
10-23-2002 03:16 PM
Yes. ICMP is a big security hole and should be limited. Always close all ports except those that are necessary. When I was at financial institutions, I would always filter icmp/ping to the web servers (only allow 80 and 443). I guess it depends on the company and their level of security concern (their security policy). But I would filter it.
Steve
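The following is an added example, not configuration posted by either participant: an IOS-style NAT configuration for the scenario discussed in this thread (static port redirection of 1.1.1.1 to the web and mail servers, a dynamic pool for the remaining DMZ hosts) together with the outside-facing access-list Steve recommends in his last reply. The addresses 1.1.1.1, 2.2.2.2 and 3.3.3.3 come from the thread; the interface names, interface addresses, pool range, access-list numbers and the 443 permit are assumptions.

```cisco
! Added example (not from the original thread). Interface names, interface
! addresses, the pool range and the ACL numbers are assumptions; 1.1.1.1,
! 2.2.2.2 and 3.3.3.3 are the addresses used in the thread.

! DMZ side is "inside" for NAT, public side is "outside"
interface FastEthernet0/0
 description DMZ
 ip address 2.2.2.254 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1
 description Outside
 ip address 1.1.1.2 255.255.255.0
 ip nat outside
 ip access-group 101 in
!
! Static port redirection: one public address, two inside servers.
! These translations exist whether or not any traffic has flowed, which is
! the "static NAT" case from the first reply. "extendable" lets several
! static entries share the same global address on different ports.
ip nat inside source static tcp 2.2.2.2 80 1.1.1.1 80 extendable
ip nat inside source static tcp 3.3.3.3 25 1.1.1.1 25 extendable
!
! Dynamic NAT for the rest of the DMZ: an address from the pool is only
! mapped to an inside host while a translation is allocated, so there is
! nothing to forward an inbound ping to until a host has gone out first.
ip nat pool DMZPOOL 1.1.1.10 1.1.1.20 netmask 255.255.255.0
access-list 10 permit 2.2.2.0 0.0.0.255
ip nat inside source list 10 pool DMZPOOL
!
! Outside filter: only the published services reach 1.1.1.1, and ICMP echo
! to the public address is dropped, the policy described in the last reply.
! The implicit deny at the end of the list drops everything else; the
! explicit deny lines are there to make the intent visible and to log hits.
access-list 101 permit tcp any host 1.1.1.1 eq www
access-list 101 permit tcp any host 1.1.1.1 eq 443
access-list 101 permit tcp any host 1.1.1.1 eq smtp
access-list 101 deny   icmp any host 1.1.1.1 echo log
access-list 101 deny   ip any host 1.1.1.1 log
! Note: return traffic to the dynamic pool addresses 1.1.1.10-1.1.1.20 is
! not permitted by this list; a real deployment needs further permits or a
! stateful inspection feature in front of the pool. That part is omitted.
```

To check the distinction the thread turns on, run `show ip nat translations` before and after any traffic: the two static tcp entries for 1.1.1.1 are listed immediately, while entries for the DMZPOOL addresses appear only after an inside host initiates a connection and disappear when the translation times out. A ping from outside to 1.1.1.1 is matched by the `deny icmp ... echo` line and never reaches the NAT stage, which is the observable behaviour the last two replies describe: HTTP and SMTP to 1.1.1.1 work, ping to it does not.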
10-23-2002 11:25 PM
Thanks a lot.
Emek