Does defining a NAT pool/addresses automatically result in the device answering ARP requests for those addresses? Or does it mean that the device will reply to ARP requests only for the actually allocated NAT addresses?
Regarding PING for NAT addresses: is the device responsible for the PING reply? Does the device forward the PING request to the destination host? Does it matter whether the NAT address is actually allocated or not?
It will only respond to ARP for allocated addresses if it is dynamic NAT; for static NAT it will answer.
The NATing device (e.g. firewall or router) isn't responsible for the ping reply; it will forward the ping to the actual destination device (e.g. PC). If it is a static NAT it will be forwarded; if it's dynamic it must be allocated (or how would it know who to send the ping to? It wouldn't).
In the case of static NAT with port redirection, i.e. destination (public) NAT address 126.96.36.199:80 to DMZ web server 188.8.131.52:80 and destination (public) NAT address 184.108.40.206:25 to DMZ email server 220.127.116.11:25, who will reply to a PING for 18.104.22.168?
Just to be sure that I am on the same page: in the case of dynamic NAT, the firewall/router will not answer a PING unless an actual mapping is present, though the NAT address belongs to the firewall/router.
Yes. ICMP is a big security hole and should be limited. Always close all ports except those that are necessary. When I was at financial institutions, I would always filter ICMP/ping to the web servers (only allow 80 and 443). I guess it depends on the company and their level of security concern (their security policy). But I would filter it.