Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
945
Views
5
Helpful
6
Replies

NAT & ARP/PING

esadot
Level 1
Level 1

‎10-23-2002 05:58 AM - edited ‎03-09-2019 12:47 AM

Hello,

Does defining NAT pool/addresses automatically results in (device) answering for ARP request for those addresses ? or does it mean that the device will reply for ARP-request only for the actually allocated NAT addresses ?

Regarding PING for NAT addresses. Is the device responsible for PING reply ? does the device forward the PING request to the destination host ? does it matter whether the NAT address is actually allocated or not ?

Thanks in advance,

Emek

Labels:
0 Helpful
6 Replies 6

steve.barlow
Level 7
Level 7

‎10-23-2002 06:30 AM

It will only respond to arp for allocated addresses if it is dynamic NAT, for static NAT it will answer.

The NATing device (eg firewall or router) isn't responsible for ping reply, it will forward the ping to the actual destination device (eg PC). If it is a static NAT it will be forwarded, if it's dynamic it must be allocated (or how would it know who to send the ping to, it wouldn't).

All the above assumes no access-lists.

Hope it helps.

Steve

esadot
Level 1
Level 1
In response to steve.barlow

‎10-23-2002 08:22 AM

Thanks. It helps.

Follow up questions.

Regarding PING.

In case static NAT with port redirection, i.e. destination (public) NAT address 1.1.1.1:80 to DMZ web server 2.2.2.2:80 and destination (public) NAT address 1.1.1.1:25 to DMZ email server 3.3.3.3:25. who will reply for 1.1.1.1 PING ?

Just to be sure that I am on the same page, in case of dynamic NAT the firewall/router will not answer to PING unless actual mapping is present, though the NAT address “belongs” to the firewall/router.

Thanks in advance,

Emek

0 Helpful

steve.barlow
Level 7
Level 7
In response to esadot

‎10-23-2002 09:15 AM

No one should respond as there is no mapping for it. The only ports that are available/that will receive a response are www and smtp.

The router/firewall will not answer any ping. It will pass the ping through to the destination if there is a mapping present for it to do so.

Steve

0 Helpful

esadot
Level 1
Level 1
In response to steve.barlow

‎10-23-2002 01:36 PM

Thanks.

Is it an acceptable behavior, client standpoint, to access web site but not to be able to ping it ?

Emek

0 Helpful

steve.barlow
Level 7
Level 7
In response to esadot

‎10-23-2002 03:16 PM

Yes. ICMP is a big security hole and should be limited. Always close all ports except those that are necessary. When I was at financial institutions, I would always filter icmp/ping to the web servers (only allow 80 and 443). I guess it depends on the company and their level of security concern (their security policy). But I would filter it.

Steve

0 Helpful

esadot
Level 1
Level 1
In response to steve.barlow

‎10-23-2002 11:25 PM

Thanks a lot.

Emek

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents