It has just occurred to me that if two machines pinged another at the
same time (within a few ms) then the response is likely to be the same.
So... even if the replies returned in the opposite order to that in
which they were sent, then the client machines would still get the
right answer (i.e. the host is up).

Make sense?

Cheers,

Mark.

-----Original Message-----
From:   Mike Glassman - Admin [SMTP:[EMAIL PROTECTED]]
Sent:   Tuesday, February 27, 2001 2:03 PM
To:     'Mark Watts'
Cc:     'fw-gnac list'
Subject:        RE: about icmp packet after NAT

Not that I'm an expert or anything, but it seems to me that logic dictates
that the PAT machine can't handle both pings at exactly the same time, and
so each would still work as if only one machine pinged...twice. Nor would
the requests arrive at exactly the same time.

Just my thoughts.

Mike

> -----Original Message-----
> From: Mark Watts [SMTP:[EMAIL PROTECTED]]
> Sent: Tuesday, February 27 2001 16:02
> To:   '[EMAIL PROTECTED]'; [EMAIL PROTECTED]
> Cc:   [EMAIL PROTECTED]
> Subject:      RE: about icmp packet after NAT
>
> Ok,
>
> For Ping to succeed from one of your internal machines to an external 
> machine (through PAT) your PAT implementation has to keep state.
>
> This means that it keeps a lookup of source IP address to dest IP
> address.
> So, your ICMP echo request goes from your internal machine through the
> PAT machine (which notes that a "connection" is being initiated to an
> external address. Also, the PAT changes the source of the request to be
> the external interface of the PAT) and then on to the destination.
> The reply comes back to the external interface of the PAT which looks
> down its list of connections and notes that anything coming from
> external address yyy is to be forwarded to internal address aaa.
>
> This is a similar thing to what happens in some routers (after all - if
> you ping another machine, chances are you don't have a single hop
> between you and it).
>
> One thing I'm not sure of (and perhaps someone can enlighten me??) is 
> what happens when two internal addresses ping the same machine at the 
> same time. Would you end up with two entries for the same external
> address?
>
> Hope this helps,
>
> Mark Watts.
>
> NB: "connection" is a loose sense of the word when dealing with UDP
> packets like ping.
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [SMTP:[EMAIL PROTECTED]]
> Sent: Tuesday, February 27, 2001 1:31 PM
> To:   [EMAIL PROTECTED]
> Cc:   [EMAIL PROTECTED]
> Subject:      Re: about icmp packet after NAT
>
>
>
> I haven't understood.
>    I mean that:
>    example:
>    two machines which are behind a firewall using PAT
>           (the internal IP addresses 192.168.0.5 and 192.168.0.6)
>    begin to ping the same outside address (200.x.x.x or any),
>    how does the pnat-firewall distinguish the reply ICMP packets and forward
>    the packets to the correct destination address where requested. If it
>    can't, the request can't get the correct information, etc. the time.
>    I studied the knowledge of TCP/IP, but I thought the ICMP packets don't
>    have enough information to distinguish it, and if using TCP, the packet
>    can use different source ports to distinguish between the different
>    source addresses.
>
>
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]

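An added example, not part of any message in this thread: the question of how a PAT device tells apart echo replies for 192.168.0.5 and 192.168.0.6 is answered in NAPT (RFC 3022) by treating the ICMP echo identifier like a port, rewriting it per inside host and keying the state table on it. The class name, the external address 203.0.113.1 and the starting identifier 1024 are constructed for illustration.

```python
import struct

def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum; returns 0 over a message whose checksum is valid."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def icmp_echo(msg_type, ident, seq, payload=b"ping"):
    """Build an ICMP echo request (type 8) or echo reply (type 0)."""
    body = struct.pack("!HH", ident, seq) + payload
    csum = checksum(struct.pack("!BBH", msg_type, 0, 0) + body)
    return struct.pack("!BBH", msg_type, 0, csum) + body

def parse(pkt):
    """Return (type, identifier, sequence, payload) of an ICMP echo message."""
    msg_type, _code, _csum, ident, seq = struct.unpack("!BBHHH", pkt[:8])
    return msg_type, ident, seq, pkt[8:]

class IcmpPat:
    """Toy PAT state table for ICMP echo (hypothetical class, constructed values)."""
    def __init__(self, external_ip):
        self.external_ip = external_ip
        self.out = {}        # (inside_ip, inside_id, remote_ip) -> external_id
        self.back = {}       # (remote_ip, external_id) -> (inside_ip, inside_id)
        self.next_id = 1024  # next free external identifier

    def outbound(self, inside_ip, remote_ip, pkt):
        """Rewrite source address and identifier of an echo request."""
        msg_type, ident, seq, payload = parse(pkt)
        key = (inside_ip, ident, remote_ip)
        if key not in self.out:
            self.out[key] = self.next_id
            self.back[(remote_ip, self.next_id)] = (inside_ip, ident)
            self.next_id += 1
        return self.external_ip, icmp_echo(msg_type, self.out[key], seq, payload)

    def inbound(self, remote_ip, pkt):
        """Map an echo reply back to its inside host, or None if no state matches."""
        msg_type, ident, seq, payload = parse(pkt)
        hit = self.back.get((remote_ip, ident))
        if msg_type != 0 or hit is None:
            return None
        return hit[0], icmp_echo(0, hit[1], seq, payload)
```

Two inside hosts that happen to pick the same identifier leave the PAT with different external identifiers, so replies arriving in either order reach the right host, and a reply matching no entry is dropped.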