NAT & ARP/PING

esadot
Level 1

Hello,

Does defining a NAT pool/addresses automatically result in the device answering ARP requests for those addresses? Or does it mean that the device will reply to ARP requests only for the actually allocated NAT addresses?

Regarding PING for NAT addresses: is the device responsible for the PING reply? Does the device forward the PING request to the destination host? Does it matter whether the NAT address is actually allocated or not?

Thanks in advance,

Emek

6 Replies

steve.barlow
Level 7

It will only respond to ARP for allocated addresses if it is dynamic NAT; for static NAT it will answer.

The NATing device (e.g. firewall or router) isn't responsible for the ping reply; it will forward the ping to the actual destination device (e.g. PC). If it is a static NAT it will be forwarded; if it's dynamic it must be allocated (or how would it know who to send the ping to? It wouldn't).

All the above assumes no access-lists.

Hope it helps.

Steve

Thanks. It helps.

Follow up questions.

Regarding PING.

In the case of static NAT with port redirection, i.e. destination (public) NAT address 1.1.1.1:80 to DMZ web server 2.2.2.2:80 and destination (public) NAT address 1.1.1.1:25 to DMZ email server 3.3.3.3:25, who will reply to a PING of 1.1.1.1?

Just to be sure that I am on the same page: in the case of dynamic NAT the firewall/router will not answer PING unless an actual mapping is present, even though the NAT address "belongs" to the firewall/router.

Thanks in advance,

Emek

No one should respond, as there is no mapping for it. The only ports that are available/that will receive a response are www and smtp.

The router/firewall will not answer any ping. It will pass the ping through to the destination if there is a mapping present for it to do so.

Steve

Thanks.

Is it acceptable behavior, from a client standpoint, to be able to access a web site but not to be able to ping it?

Emek

Yes. ICMP is a big security hole and should be limited. Always close all ports except those that are necessary. When I was at financial institutions, I would always filter icmp/ping to the web servers (only allow 80 and 443). I guess it depends on the company and their level of security concern (their security policy). But I would filter it.

Steve
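To make the behaviour Steve describes across his replies concrete (ARP answered for static mappings but only for allocated dynamic addresses; ping forwarded only where a mapping exists; port-redirected static NAT having no ICMP mapping at all; and an inbound filter that permits only 80/443 to a web server), here is a small model of a NAT device's decision logic. This is an added illustration written for this thread, not code from Cisco or from any of the posters; the addresses are the ones used in the thread plus a constructed dynamic pool (1.1.1.10-1.1.1.12) and inside host (10.0.0.5), and the "answers_arp"/"inbound" verdicts are a generic model, not any vendor's implementation.

```python
"""Model of how a NAT device answers ARP and forwards inbound traffic.

Verdicts follow the thread: the NAT device never generates the ping
reply itself; it either forwards the packet to a mapped inside host,
drops it because no mapping exists, or filters it by ACL.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

ICMP, TCP = "icmp", "tcp"


@dataclass(frozen=True)
class Mapping:
    """A static translation. proto/port of None mean 'all' (plain 1:1 NAT)."""
    outside_ip: str
    inside_ip: str
    proto: Optional[str] = None
    port: Optional[int] = None

    def matches(self, dst_ip: str, proto: str, dport: Optional[int]) -> bool:
        return (self.outside_ip == dst_ip
                and (self.proto is None or self.proto == proto)
                and (self.port is None or self.port == dport))


@dataclass
class NatDevice:
    static: list = field(default_factory=list)      # static Mappings
    pool: set = field(default_factory=set)          # dynamic pool addresses
    allocated: dict = field(default_factory=dict)   # outside_ip -> inside_ip
    acl: Optional[set] = None                       # allowed (proto, port); None = no ACL

    def answers_arp(self, ip: str) -> bool:
        """Static addresses are always answered; pool addresses only once allocated."""
        if any(m.outside_ip == ip for m in self.static):
            return True
        return ip in self.allocated

    def allocate(self, inside_ip: str) -> str:
        """Dynamic NAT: hand out the lowest free pool address to an inside host."""
        free = sorted(self.pool - set(self.allocated), key=ipaddress.ip_address)
        if not free:
            raise RuntimeError("NAT pool exhausted")
        self.allocated[free[0]] = inside_ip
        return free[0]

    def inbound(self, dst_ip: str, proto: str, dport: Optional[int] = None):
        """Return (verdict, inside_host) for an inbound packet to a NAT address."""
        if self.acl is not None and (proto, dport) not in self.acl:
            return ("filtered", None)          # access-list blocks it before NAT
        for m in self.static:
            if m.matches(dst_ip, proto, dport):
                return ("forwarded", m.inside_ip)
        if dst_ip in self.allocated:
            return ("forwarded", self.allocated[dst_ip])
        return ("dropped", None)               # no mapping: nobody replies


def thread_scenario() -> NatDevice:
    """Static port redirection from the thread plus a constructed dynamic pool."""
    return NatDevice(
        static=[Mapping("1.1.1.1", "2.2.2.2", TCP, 80),   # DMZ web server
                Mapping("1.1.1.1", "3.3.3.3", TCP, 25)],  # DMZ mail server
        pool={"1.1.1.10", "1.1.1.11", "1.1.1.12"},         # constructed pool
    )


def filtered_web_server() -> NatDevice:
    """1:1 static NAT for a web server with an inbound ACL allowing only 80/443."""
    return NatDevice(static=[Mapping("1.1.1.2", "2.2.2.2")],
                     acl={(TCP, 80), (TCP, 443)})


if __name__ == "__main__":
    dev = thread_scenario()
    print("ARP 1.1.1.1:", dev.answers_arp("1.1.1.1"))          # True (static)
    print("ping 1.1.1.1:", dev.inbound("1.1.1.1", ICMP))       # dropped, no ICMP mapping
    print("ARP 1.1.1.10:", dev.answers_arp("1.1.1.10"))        # False until allocated
    dev.allocate("10.0.0.5")
    print("ping 1.1.1.10:", dev.inbound("1.1.1.10", ICMP))     # forwarded to 10.0.0.5
    web = filtered_web_server()
    print("ping 1.1.1.2:", web.inbound("1.1.1.2", ICMP))       # filtered by ACL
    print("http 1.1.1.2:", web.inbound("1.1.1.2", TCP, 80))    # forwarded
```

The model separates the two questions the thread raises: whether the NAT device claims an address at layer 2 (answers_arp) and whether an inbound packet has anywhere to go (inbound). A ping to the port-redirected address 1.1.1.1 is dropped rather than answered because neither static entry covers ICMP, which matches Steve's "no one should respond"; the filtered web server case shows the ACL decision happening before translation, so HTTP still reaches 2.2.2.2 while ICMP never does.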

Thanks a lot.

Emek