Ben Nagy wrote:
>
> > -----Original Message-----
> > From: horio shoichi [mailto:[EMAIL PROTECTED]]
> > Sent: Friday, 20 October 2000 4:38 AM
> > Cc: David Loysen; '[EMAIL PROTECTED]'
> > Subject: Re: Dual firewall question
> >
> >
> > I can't understand why you could ping both addresses from
> > outside NAT, either.
> >
> [snip]
> > mouss wrote:
> > >
> > > I don't see how you can ping it using the second firewall!
> > > you have an "impossible" situation.
> [snip]
>
> Well done, Dave - looks like you came up with a tricky one!
>
> I have a theory. You're doing NAT on some boxen _other_ than the webservers,
> right? I think your NAT device is maintaining an 'alias' for the IP address
> of the WWW box. In other words, when you ping those addresses the NAT box is
> responding for you to say that the box is alive. It's bizarre behaviour but
> seems to be the only one that explains the situation. Test by turning the
> WWW box off and trying to ping, maybe. My theory suggests that it would
> still work.
I reread David's post and discovered that he didn't say the box was pinged.
Your theory, however, seems to answer my question. But are you saying the NAT box is
responding to echo on behalf of the destination box?
If not, why is it limited to ICMP echo? Why is the 'alias' ineffective for TCP?
>
> Anyway, that's kind of irrelevant.
Agree.
horio shoichi