Ok,
For Ping to succeed from one of your internal machines to an external
machine (through PAT) your PAT implementation has to keep state.
This means that it keeps a lookup of source IP address to dest IP
address.
So, your ICMP echo request goes from your internal machine through the
PAT machine (which notes that a "connection" is being initiated to an
external address. Also, the PAT changes the source of the request to be
the external interface of the PAT) and then on to the destination.
The reply comes back to the external interface of the PAT which looks
down its list of connections and notes that anything coming from
external address yyy is to be forwarded to internal address aaa.
This is a similar thing to what happens in some routers (after all - if
you ping another machine, chances are you don't have a single hop
between you and it).
One thing I'm not sure of (and perhaps someone can enlighten me?) is
what happens when two internal addresses ping the same machine at the
same time. Would you end up with two entries for the same external
address?
Hope this helps,
Mark Watts.
NB: "connection" is a loose sense of the word when dealing with UDP
packets like ping.
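A worked model of the lookup table described in the message above, added here as an illustration and not part of the original thread: a toy stateful PAT for ICMP echo, written in Python. It goes beyond the message in one respect, by answering the open question at its end: in a NAPT as specified in RFC 3022, the 16-bit ICMP Query Identifier takes the role that the source port plays for TCP and UDP, so two internal hosts pinging the same target are told apart by that identifier, and if both happen to pick the same value the PAT rewrites the second to a free one and restores the original on the reply. The class names, the addresses (203.0.113.1, 198.51.100.7, 192.168.0.5/6) and the packets are all constructed for this example.

```python
"""Toy stateful PAT (NAPT) for ICMP echo, modelled on RFC 3022: the ICMP
Query Identifier is the demultiplexing key, as the source port is for TCP/UDP.
All names, addresses and packets here are constructed for the example."""
import struct
from dataclasses import dataclass

ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over ICMP header + payload.
    Over a packet whose checksum field is already filled in, returns 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """ICMP echo header: type, code, checksum, identifier, sequence; then payload."""
    hdr = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(hdr + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_echo(pkt: bytes):
    """Return (type, identifier, sequence, payload); reject a corrupt checksum."""
    icmp_type, _code, _csum, ident, seq = struct.unpack("!BBHHH", pkt[:8])
    if icmp_checksum(pkt) != 0:
        raise ValueError("bad ICMP checksum")
    return icmp_type, ident, seq, pkt[8:]


@dataclass(frozen=True)
class Packet:
    src: str   # IP source
    dst: str   # IP destination
    icmp: bytes


class IcmpPat:
    """One table entry per outstanding echo flow. Outbound lookups are keyed on
    (internal IP, internal id, external destination); inbound lookups on
    (external destination, external id). A second host reusing an identifier
    already in use toward the same destination is given a fresh external id."""

    def __init__(self, external_ip: str):
        self.external_ip = external_ip
        self.out_table = {}   # (int_ip, int_id, ext_dst) -> ext_id
        self.in_table = {}    # (ext_dst, ext_id) -> (int_ip, int_id)
        self.next_free_id = 1024

    def _alloc_ext_id(self, ext_dst: str, wanted: int) -> int:
        # Keep the host's own identifier when nothing else uses it toward ext_dst
        if (ext_dst, wanted) not in self.in_table:
            return wanted
        while (ext_dst, self.next_free_id) in self.in_table:
            self.next_free_id = (self.next_free_id + 1) & 0xFFFF or 1
        ext_id = self.next_free_id
        self.next_free_id = (self.next_free_id + 1) & 0xFFFF or 1
        return ext_id

    def outbound(self, pkt: Packet) -> Packet:
        """Internal -> external: create state, rewrite source IP and maybe the id."""
        t, ident, seq, payload = parse_echo(pkt.icmp)
        if t != ICMP_ECHO_REQUEST:
            raise ValueError("only echo requests create state")
        key = (pkt.src, ident, pkt.dst)
        ext_id = self.out_table.get(key)
        if ext_id is None:
            ext_id = self._alloc_ext_id(pkt.dst, ident)
            self.out_table[key] = ext_id
            self.in_table[(pkt.dst, ext_id)] = (pkt.src, ident)
        return Packet(self.external_ip, pkt.dst, build_echo(t, ext_id, seq, payload))

    def inbound(self, pkt: Packet):
        """External -> internal: match (src, id) against state; drop if none."""
        t, ident, seq, payload = parse_echo(pkt.icmp)
        if t != ICMP_ECHO_REPLY or pkt.dst != self.external_ip:
            return None
        entry = self.in_table.get((pkt.src, ident))
        if entry is None:
            return None   # unsolicited reply: no matching state, drop it
        int_ip, int_id = entry
        return Packet(pkt.src, int_ip, build_echo(t, int_id, seq, payload))


def demo():
    """Both internal hosts pick identifier 0x1234 toward the same target."""
    pat = IcmpPat("203.0.113.1")
    target = "198.51.100.7"
    req_a = pat.outbound(Packet("192.168.0.5", target, build_echo(8, 0x1234, 1, b"A")))
    req_b = pat.outbound(Packet("192.168.0.6", target, build_echo(8, 0x1234, 1, b"B")))
    # The target echoes back whatever identifier it saw on the wire
    rep_a = Packet(target, pat.external_ip, build_echo(0, parse_echo(req_a.icmp)[1], 1, b"A"))
    rep_b = Packet(target, pat.external_ip, build_echo(0, parse_echo(req_b.icmp)[1], 1, b"B"))
    stray = Packet(target, pat.external_ip, build_echo(0, 0x4444, 1, b"?"))
    return pat.inbound(rep_a).dst, pat.inbound(rep_b).dst, pat.inbound(stray)
```

The practical caveat is the last line of `demo()`: a reply that matches no table entry is dropped rather than forwarded, which is what lets a PAT device double as a crude inbound ICMP filter, and why a real implementation also has to expire entries that never see a reply.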
-----Original Message-----
From: [EMAIL PROTECTED] [SMTP:[EMAIL PROTECTED]]
Sent: Tuesday, February 27, 2001 1:31 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: about icmp packet after NAT
I haven't understood. I mean this:
Example:
Two machines behind a firewall using PAT (with the internal IP
addresses 192.168.0.5 and 192.168.0.6) begin to ping the same outside
address (200.x.x.x or any). How does the PNAT firewall distinguish the
reply ICMP packets and forward them to the correct destination address
from which they were requested? If it can't, the requester can't get
the correct information, e.g. the time. I studied TCP/IP, but I thought
the ICMP packets don't have enough information to distinguish them,
whereas with TCP the packets can use different source ports to
distinguish between the different source addresses.
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]