NETWORK PRESENCE ABOUT SERVICES PRODUCTS TRAINING CONTACT US SEARCH SUPPORT
 



RE: [FW1] Cannot ping public address



You should install another NIC in your firewall ASAP. Shame on you for NATting internal hosts to public addresses. Not only can you not ping them, once they are exploited the attacker is on your internal net with nothing stopping him/her.

-----Original Message-----
From: Tony Wong [mailto:[email protected]]
Sent: Wednesday, March 07, 2001 7:21 PM
To: [email protected]
Subject: [FW1] Cannot ping public address

I am trying to understand why my machines on the internal network with internal IP addresses 192.168.0.X cannot ping the public addresses of the statically NATed machines, which are also on the same internal network and subnet. Static NAT is set up on the firewall itself, which has 2 NICs.
 
The outside can access these statically NATed servers with no problems. The problem is pinging these servers from the internal network.
 
Example: 192.168.0.5 cannot ping public IP address 1.2.3.4, which is the public address of 192.168.0.10. 192.168.0.5 can, however, ping 192.168.0.10.
 
 
Halfway down the page it talks about rules being reversed, and that is exactly how my rules are set up:
 
Here is part of it:
 
No.  Original Source                 Original Destination       Service   Translated Source         Translated Destination          Translated Service
1.   Local-Net                       Local-Net                  ANY       =orig                     =orig                           =orig
2.   Local-Net                       Any                        Any       fw-public-ip (Hide)       =orig                           =orig
3.   192.168.0.10 (server private)   ANY                        ANY       1.2.3.4 (server public)   =orig
4.   ANY                             1.2.3.4 (server public)    ANY       =orig                     192.168.0.10 (server private)   =orig
 
So if 192.168.0.2 pings 1.2.3.4, it is actually rule 2 that will come into play. The source IP will change to that of the firewall's external IP (1.2.3.1). The destination will stay the same. So it is actually 1.2.3.1 pinging 1.2.3.4.
 
Now I am confused about the reply packet. It needs to reply back to 192.168.0.5. What rule will make that happen? Or is it possible to get the reply packet back to the private host that originated the packet?
 
Thank you
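The rule evaluation the poster walks through, as an added example for this thread (it is not code from the poster, the list, or Check Point): a small Python model of a first-match NAT rulebase together with the stateful connection table that reverses the translation on the reply. It assumes exactly one NAT rule is applied per packet (the behaviour the poster observes) and that two hosts on the same subnet exchange packets without crossing the firewall. The addresses and the four rules are the ones posted; the external client 5.6.7.8, the "static rules first" reordering and the flag for a server on its own firewall interface are assumptions made for the example.

```python
"""Constructed model of first-match NAT evaluation and stateful reply handling.

Not Check Point code. Assumptions: one NAT rule per packet (the first whose
Original columns match), replies are reversed from a connection table rather
than by any rule, and hosts on one subnet reach each other without crossing
the firewall. Addresses and the rulebase are the ones in the post.
"""
from ipaddress import ip_address, ip_network
from typing import NamedTuple, Optional, Tuple

INTERNAL_NET = ip_network("192.168.0.0/24")   # "Local-Net" in the rulebase
FW_PUBLIC, SERVER_PUBLIC, SERVER_PRIVATE = "1.2.3.1", "1.2.3.4", "192.168.0.10"


class Packet(NamedTuple):
    src: str
    dst: str


class NatRule(NamedTuple):
    orig_src: str     # "Local-Net", "ANY" or one address (service column omitted: ANY)
    orig_dst: str
    xlate_src: str    # "=orig" or the address to rewrite to
    xlate_dst: str


def _matches(selector: str, addr: str) -> bool:
    if selector == "ANY":
        return True
    if selector == "Local-Net":
        return ip_address(addr) in INTERNAL_NET
    return selector == addr


def translate(pkt: Packet, rules) -> Tuple[Packet, Optional[int]]:
    """Apply only the first matching rule; return the rewritten packet and the rule number."""
    for n, r in enumerate(rules, start=1):
        if _matches(r.orig_src, pkt.src) and _matches(r.orig_dst, pkt.dst):
            src = pkt.src if r.xlate_src == "=orig" else r.xlate_src
            dst = pkt.dst if r.xlate_dst == "=orig" else r.xlate_dst
            return Packet(src, dst), n
    return pkt, None


class ConnTable:
    """Stateful table: the reply is un-NATed by lookup, not by a rule."""
    def __init__(self):
        self._flows = {}

    def record(self, original: Packet, translated: Packet) -> None:
        # A reply arrives with the translated addresses swapped.
        self._flows[(translated.dst, translated.src)] = original

    def reverse(self, reply: Packet) -> Optional[Packet]:
        orig = self._flows.get((reply.src, reply.dst))
        return Packet(orig.dst, orig.src) if orig else None


# The four rules from the post, in the order posted.
POSTED_RULES = [
    NatRule("Local-Net", "Local-Net", "=orig", "=orig"),     # 1: no NAT inside
    NatRule("Local-Net", "ANY", FW_PUBLIC, "=orig"),         # 2: hide behind the firewall
    NatRule(SERVER_PRIVATE, "ANY", SERVER_PUBLIC, "=orig"),  # 3: static, outbound
    NatRule("ANY", SERVER_PUBLIC, "=orig", SERVER_PRIVATE),  # 4: static, inbound
]
# Assumed variant: the static pair moved ahead of the hide rule.
STATIC_FIRST = [POSTED_RULES[0], POSTED_RULES[2], POSTED_RULES[3], POSTED_RULES[1]]


def ping_public_address(client: str, rules, server_on_own_interface: bool) -> str:
    """Trace one echo request from client to 1.2.3.4 and report where it ends up."""
    request = Packet(client, SERVER_PUBLIC)
    fwd, n = translate(request, rules)
    if fwd.dst != SERVER_PRIVATE:
        return f"fail: rule {n} left dst {fwd.dst}, no inside host owns it"
    table = ConnTable()
    table.record(request, fwd)
    reply = Packet(SERVER_PRIVATE, fwd.src)   # the server answers the source it saw
    if not server_on_own_interface and ip_address(reply.dst) in INTERNAL_NET:
        return (f"fail: rule {n} kept src {fwd.src}; reply {reply.src}->{reply.dst} "
                f"stays on the LAN and bypasses the firewall")
    back = table.reverse(reply)
    return f"ok: rule {n}; reply un-NATed to {back.src}->{back.dst}"


if __name__ == "__main__":
    print(ping_public_address("5.6.7.8", POSTED_RULES, False))
    print(ping_public_address("192.168.0.5", POSTED_RULES, False))
    print(ping_public_address("192.168.0.5", STATIC_FIRST, False))
    print(ping_public_address("192.168.0.5", STATIC_FIRST, True))
```

The four traces answer the two questions in the thread. The external client matches rule 4 and its reply is un-NATed from the connection table, so no rule is needed for the return path; that is true for the internal client too. The internal client with the posted order matches rule 2 first: the source is hidden but 1.2.3.4 is never rewritten to 192.168.0.10, so nothing on the inside answers. Moving the static pair ahead of the hide rule fixes the destination but leaves the source as 192.168.0.5, so the server, sitting on the same subnet, replies straight to the client without passing the firewall, and the client gets an answer from 192.168.0.10 instead of the 1.2.3.4 it sent to. Only with the server behind its own firewall interface does the reply come back through the connection table, which is the point of the advice at the top of this message. A firewall that applies both a source and a destination rule to one packet removes the first failure but not the second, as long as client and server share a subnet.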
----------------------------------

   All contents © 2004 Network Presence, LLC. All rights reserved.