1-to-1 NAT, SNAT and ping

rv@kaufmann.dkrv@kaufmann.dk
in Firebox - Networking, Multi-Wan, VLAN, NAT, SD-WAN

Hi,

Fireware 12.7.2U1

If i have a policy allowing ping from any external to the alias Firebox, the firebox replies back from all assigned external ip addresses when receiving a icmp packet.

  1. If i make a 1-to-1 NAT entry for one of the secondary assigned ip addresses, it stops to respond to icmp until i add the specific ip address to the above allow policy.

  2. If i create a SNAT action on one of the secondary ip adresses, it forwards the icmp packet to the internal nat´ed ip address.

Is both scenaries to be expected?

Regards
Robert

Comments

  • Bruce_BriggsBruce_Briggs

    If you don't have a specific ping policy To: the 1-to-1 NAT IP addr, I would not expect a reply from the To: Firebox policy

    My thinking on this is that when one sets up a 1-to-1 NAT, clearly you need/want a specific policy to allow packet types to the dest IP addr.
    And since you don't have ping policy allowing it, a ping should not be forwarded to the dest IP addr and thus should be denied.

  • rv@kaufmann.dkrv@kaufmann.dk

    @Bruce_Briggs said:
    If you don't have a specific ping policy To: the 1-to-1 NAT IP addr, I would not expect a reply from the To: Firebox policy

    My thinking on this is that when one sets up a 1-to-1 NAT, clearly you need/want a specific policy to allow packet types to the dest IP addr.
    And since you don't have ping policy allowing it, a ping should not be forwarded to the dest IP addr and thus should be denied.

    Makes sense, thanks.

Sign In to comment.