
1-to-1 NAT, SNAT and ping

Hi,

Fireware 12.7.2U1

If I have a policy allowing ping from any external to the alias Firebox, the Firebox replies back from all assigned external IP addresses when receiving an ICMP packet.

  1. If I make a 1-to-1 NAT entry for one of the secondary assigned IP addresses, it stops responding to ICMP until I add the specific IP address to the above allow policy.

  2. If I create a SNAT action on one of the secondary IP addresses, it forwards the ICMP packet to the internal NATed IP address.

Are both scenarios to be expected?

Regards
Robert

Comments


    If you don't have a specific ping policy To: the 1-to-1 NAT IP addr, I would not expect a reply from the To: Firebox policy.

    My thinking on this is that when one sets up a 1-to-1 NAT, clearly you need/want a specific policy to allow packet types to the dest IP addr.
    And since you don't have a ping policy allowing it, a ping should not be forwarded to the dest IP addr and thus should be denied.


    @Bruce_Briggs said:
    If you don't have a specific ping policy To: the 1-to-1 NAT IP addr, I would not expect a reply from the To: Firebox policy.

    My thinking on this is that when one sets up a 1-to-1 NAT, clearly you need/want a specific policy to allow packet types to the dest IP addr.
    And since you don't have a ping policy allowing it, a ping should not be forwarded to the dest IP addr and thus should be denied.

    Makes sense, thanks.
