Subject: Re: IPNAT confusion...
To: None <feico@pasta.cs.uit.no>
From: Andrew Gillham <gillhaa@ghost.whirlpool.com>
List: current-users
Date: 09/29/1999 07:49:01
Feico Dillema writes:
> 
> Yes, but I have problems on the NAT gateway too. Ping to certain
> hosts doesn't work anymore on the NAT gateway. Before I noticed this I
> thought the NAT would be able to discriminate between NAT-ted packets
> and ping packets originating from the NAT Gateway itself. If this is
> not true, I think I should filter ping packets from the 10.0.x.x
> network because they can prevent me from network troubleshooting
> *on* the NAT gateway...
> 
> Feico.

Use 'ipnat -F' to clear the translation table, and you should be
able to ping, etc.  You could also just map udp/tcp and eliminate
the second line of your ipnat.conf.  You might want to insert the
ftp proxy statement also, to support active ftp.

FWIW, my cisco running IPNAT supports running 'ping' from more than
one of the inside machines.  I'm assuming IOS is just keeping track
of who sends an echo-request to where, and when the echo-reply
comes back, it rewrites it, and hands it to the appropriate inside
address.  Presumably this could be done by NetBSD with something
like the 'proxy' support for ftp.

Interesting note, NetBSD/FreeBSD (and I assume OpenBSD) are all confused
about what ICMP means:
sys/netinet/ip_icmp.h:
/*
 * Interface Control Message Protocol Definitions.
 * Per RFC 792, September 1981.
 */

The word "interface" doesn't even appear in the RFC, I'm shocked we
think it belongs here. :-)

-Andrew
-- 
-----------------------------------------------------------------
Andrew Gillham                            | This space left blank
gillham@whirlpool.com                     | inadvertently.
I speak for myself, not for my employer.  | Contact the publisher.
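The echo-id bookkeeping Andrew describes above, as an added example that is not code from the thread, from ipnat or from IOS: a small Python model of a translation table keyed on (remote host, outside ICMP id), with the gateway's own pings going through the same table so their replies are not handed to an inside host. All addresses and ids are constructed.

```python
"""Simulate a NAT translation table that tracks ICMP echo by id (constructed example)."""
from itertools import count


class EchoNat:
    """Map (remote host, outside ICMP id) back to the inside host and id that sent
    the echo-request, so the matching echo-reply is handed to the right sender.
    The gateway's own pings use the same table, so they are never confused
    with NAT-ted traffic."""

    def __init__(self, outside_ip):
        self.outside_ip = outside_ip
        self.table = {}                 # (remote, outside_id) -> (inside_ip, inside_id)
        self._next_id = count(0x8000)   # ids handed out when the sender's own id is taken

    def outbound(self, src, dst, icmp_id):
        """Rewrite an echo-request leaving the gateway; returns (src, dst, id) on the wire."""
        out_id = icmp_id                # keep the sender's id when nothing else uses it
        while (dst, out_id) in self.table and self.table[(dst, out_id)] != (src, icmp_id):
            out_id = next(self._next_id) & 0xFFFF
        self.table[(dst, out_id)] = (src, icmp_id)
        return (self.outside_ip, dst, out_id)

    def inbound(self, src, icmp_id):
        """Rewrite an echo-reply from the outside; returns (src, dst, id) as delivered.
        With no table entry the reply belongs to the gateway itself and is left alone."""
        inside_ip, inside_id = self.table.get((src, icmp_id), (self.outside_ip, icmp_id))
        return (src, inside_ip, inside_id)

    def flush(self):
        """What 'ipnat -F' does: forget every translation (real tables also time out)."""
        self.table.clear()


def demo():
    """Two inside hosts and the gateway ping the same remote host with the same id."""
    nat = EchoNat("192.0.2.1")          # constructed addresses throughout
    remote = "198.51.100.7"
    wire = [nat.outbound(h, remote, 0x1234)
            for h in ("10.0.1.10", "10.0.1.11", "192.0.2.1")]
    delivered = [nat.inbound(remote, out_id) for _, _, out_id in wire]
    return wire, delivered
```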