Static NAT ICMP... possible?

chris.howe
Level 1

Hi guys,

I would like to set up an ICMP tunnel from the Internet into my private network, which thus requires a static ICMP NAT entry. You can do straightforward PAT for things like SSH (and any other TCP/UDP traffic) into one's network, but as ICMP doesn't have port numbers this causes problems. How do you go about implementing this in Cisco IOS? Is it even possible?

Just in case you haven't got it, the below is what I'd like to do...

Ping (source = Internet) ---> Gateway router (ping gets NAT'd) ---> Inside server (private IP) receives ping and replies (echo reply for example)

I know the opposite direction is trivial, but can the above be done? (e.g. something similar to PAT for ICMP)

I don't have config as I haven't even got as far as "config that appears to be broken".

Cheers!

Chris

5 Replies

Jon Marshall
Hall of Fame

Chris

Just to clarify. Do you want to ping the destination address, i.e. the inside server, or the source address, i.e. the client on the Internet?

Jon

I want to ping the inside server from the Internet (the destination).

The inside server has a private IP, so I have to ping the WAN public IP address hence the NAT.

Cheers!

Chris

Chris

You can only do this if you have a spare public IP address because it has to be a one-to-one NAT.  It can't be a PAT because as you rightly say there are no ports for ICMP.

Do you have a spare public IP ?

Jon

A spare public IP... Unfortunately not!

The thing that confuses me though is that ICMP NAT overload works when sourced from the inside, even though there are no port numbers, so why not Outside --> In?

Chris

Chris

Because when you overload from in to out it can just randomly assign a pseudo port number to the connection even if there is no port number if that makes sense. All the router needs to do is keep track of the connection. With ICMP what it seems to do is use the identifier field in the ICMP header and record a value in there. So it's not a port in the TCP/UDP sense it is more of an identifier so the router can keep track of an ICMP session.


When you NAT from outside to in, the router has to know which port or identifier the packet is destined for, so you can't simply overload in the same way. Because ICMP has no ports you would have to do a one-to-one for the router to be able to know which internal server the packet was destined for. And there is no option in IOS to set an identifier, and even if there was, how would the client on the Internet know it needed setting, and indeed be able to set it?

Jon
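To make the mechanism in the two answers above concrete, here is an added toy model (written for this thread, not Cisco code and not a verbatim description of IOS internals) of a NAT router handling ICMP echo. It treats the ICMP Identifier field the way PAT treats a TCP/UDP port: an inside-originated echo request gets a router-chosen identifier and a table entry, so the reply can be mapped back, while an unsolicited echo request from the Internet to the overloaded public IP matches no entry and cannot be delivered to any inside host. Only a one-to-one entry (the model's `add_static`, standing in for `ip nat inside source static <inside> <public>`, which needs a second public address) makes inbound ping deliverable. The identifier allocator, the class and function names, and the RFC 1918 / RFC 5737 addresses are all constructed for the example.

```python
"""Toy NAT model for ICMP echo: overload via the Identifier field vs. static one-to-one."""
import struct

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 when run over a message whose checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes = b"ping") -> bytes:
    """Echo request/reply: type, code 0, checksum, identifier, sequence, data."""
    hdr = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(hdr + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_echo(msg: bytes):
    """Return (type, identifier, sequence); a corrupted checksum is rejected, not guessed at."""
    if len(msg) < 8 or icmp_checksum(msg) != 0:
        raise ValueError("malformed ICMP echo")
    icmp_type, _code, _csum, ident, seq = struct.unpack("!BBHHH", msg[:8])
    return icmp_type, ident, seq


def rewrite_ident(msg: bytes, new_ident: int) -> bytes:
    """Rewrite the Identifier field and recompute the checksum, as PAT would rewrite a port."""
    icmp_type, _code, _csum, _ident, seq = struct.unpack("!BBHHH", msg[:8])
    return build_echo(icmp_type, new_ident, seq, msg[8:])


class NatRouter:
    """One public IP used for overload, plus optional static one-to-one entries (hypothetical model)."""

    def __init__(self, public_ip: str):
        self.public_ip = public_ip
        self.overload = {}        # outside identifier -> (inside_ip, inside identifier)
        self.static = {}          # public_ip -> inside_ip, one-to-one
        self._next_ident = 1024   # constructed allocator; how IOS picks identifiers is not modelled

    def add_static(self, inside_ip: str, public_ip: str) -> None:
        """Stands in for: ip nat inside source static <inside_ip> <public_ip>."""
        self.static[public_ip] = inside_ip

    def inside_to_outside(self, src_ip: str, dst_ip: str, msg: bytes):
        """Return (translated src, dst, translated msg) for an inside-originated packet."""
        icmp_type, ident, _seq = parse_echo(msg)
        for pub, inside in self.static.items():
            if inside == src_ip:
                return pub, dst_ip, msg           # one-to-one: the identifier is left alone
        if icmp_type != ICMP_ECHO_REQUEST:
            raise ValueError("overload only tracks echo requests that start inside")
        for out_ident, inside in self.overload.items():
            if inside == (src_ip, ident):       # same inside ping session, reuse its entry
                return self.public_ip, dst_ip, rewrite_ident(msg, out_ident)
        out_ident = self._next_ident
        self._next_ident += 1
        self.overload[out_ident] = (src_ip, ident)
        return self.public_ip, dst_ip, rewrite_ident(msg, out_ident)

    def outside_to_inside(self, src_ip: str, dst_ip: str, msg: bytes):
        """Return (src, inside dst, msg) when deliverable, else None: no inside host can be named."""
        icmp_type, ident, _seq = parse_echo(msg)
        if dst_ip in self.static:
            return src_ip, self.static[dst_ip], msg      # static entry: any type, any identifier
        if dst_ip == self.public_ip and icmp_type == ICMP_ECHO_REPLY and ident in self.overload:
            inside_ip, inside_ident = self.overload[ident]
            return src_ip, inside_ip, rewrite_ident(msg, inside_ident)
        return None   # unsolicited echo request to the overloaded IP: nothing to match on


def demo():
    """Walk the three cases discussed in the thread with constructed addresses."""
    nat = NatRouter("203.0.113.1")
    # 1. Inside host pings an Internet host; its identifier 0x1234 is swapped for a router one.
    req = build_echo(ICMP_ECHO_REQUEST, 0x1234, 1)
    pub, _dst, out = nat.inside_to_outside("192.168.1.10", "198.51.100.7", req)
    reply = build_echo(ICMP_ECHO_REPLY, parse_echo(out)[1], 1)
    back = nat.outside_to_inside("198.51.100.7", pub, reply)       # reply maps back to the inside host
    # 2. Internet host pings the overloaded public IP: no entry, not deliverable inside.
    probe = build_echo(ICMP_ECHO_REQUEST, 0x0001, 1)
    cold = nat.outside_to_inside("198.51.100.7", "203.0.113.1", probe)
    # 3. With a spare public IP and a static one-to-one entry the same ping is deliverable.
    nat.add_static("192.168.1.10", "203.0.113.2")
    hit = nat.outside_to_inside("198.51.100.7", "203.0.113.2", probe)
    return back, cold, hit


if __name__ == "__main__":
    print(demo())
```

Case 2 is the situation in the thread: with only the overloaded address, the router has no identifier it ever allocated to match an inbound echo request against, so there is no inside host to hand it to. Case 3 is what the spare public IP buys you.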
