CPUG

The Check Point User Group

A Resource For The Check Point Community.  Fast.  Useful.  Independent.

Posted 2005-08-12 by BarryStiefel (Administrator; Join Date: 2005-08-11; Location: San Francisco, CA)

Can't Get to a Translated Address from a Non-Firewalled Host

Contributed by PhoneBoy
Published in geeklog Saturday, May 17 2003 @ 04:57 AM EST
Published in oldfaq 2002-Nov-10 00:14 dwelchATphoneboyDOTcom

Question

I have address translation working, but I've got a particular node that I can't seem to get talking to a node on the internal network that is being address translated. Here is my network configuration:

    1st Client            FireWalled Gateway                   Router
    (10.0.0.2) <------> le0               qe0 <-------> (203.234.222.254) <--------> WAN
        |             (10.0.0.1)   (203.238.108.2)              | serial
    2nd Client                                                   |
    (10.0.0.3) <--                                      (203.238.108.80) <--

My NAT rules look like this:

    No.  From Original    To Original      Method           First Translated
         Address(Port)    Address(Port)                     Address(Port)
    0    10.0.0.2         10.0.0.3         FWXT_SRC_STATIC  203.238.108.90
    1    203.238.108.90   203.238.108.91   FWXT_DST_STATIC  10.0.0.2

My routing tables on the firewall look like:

    Destination      Gateway          Flags  Ref  Use   Interface
    ---------------------------------------------------------------
    127.0.0.1        127.0.0.1        UH     0    1450  lo0
    203.238.108.90   10.0.0.2         UGH    0    6
    203.238.108.0    203.238.108.2    U      3    27    le0
    10.0.0.0         10.0.0.1         U      2    6     qe0
    244.0.0.0        203.238.108.2    U      3    0     le0
    default          203.238.108.254  UG     0    25

On the first machine, the routing table looks like:

    Destination      Gateway          Flags  Ref  Use   Interface
    ---------------------------------------------------------------
    127.0.0.1        127.0.0.1        UH     0    196   lo0
    10.0.0.0         10.0.0.2         U      3    5     le0
    224.0.0.0        10.0.0.2         U      3    0     le0
    default          10.0.0.1         UG     0    19

The Cisco Router has the following lines in its configuration:

    # show conf
    :
    :
    ip route 203.238.108.90 255.255.255.255 203.238.108.2
    ip route 203.238.108.91 255.255.255.255 203.238.108.2
    :
    :

I can ping in both directions between hosts on my WAN and 203.238.108.90, but I can't ping from a host outside the firewall at 203.238.108.80. What am I missing here?

Answer

From the "near" side of the firewall, all traffic goes to the WAN okay because routing is functioning okay at the gateway and the internal nodes know how to get traffic there. The traffic coming back from the WAN must go through the router, which knows how to get traffic back to those translated addresses (thanks to the static host routes).



What has not been addressed here is the machines between the firewall and the WAN router. When 203.238.108.80 wants to send a packet to 203.238.108.90 (one of your translated addresses), it needs to know where to go. Because .80 and .90 are on the same subnet (logically), .80 sends out an ARP request ("Who is 203.238.108.90?") looking for a MAC address to send to. Nothing is answering this request, so it fails.

What you should be doing instead of the static host routes on the router is "Proxy ARPs" on your firewall machine. See Routing and ARP issues with NAT for more details.

-- RayLodato - 07 Jan 2004
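The ARP behaviour the answer describes, as an added illustration that is not part of the original FAQ: a small Python model of the outside segment. The device inventory, the router's host routes and the proxy-ARP list are constructed from the post; only the addresses are the ones it quotes.

```python
"""Why a same-subnet host cannot reach a static-NAT address without proxy ARP.

Constructed model of the segment between the firewall and the WAN router in
the post: 203.238.108.2 (firewall), .254 (router), .80 (the failing host).
The NAT addresses .90/.91 belong to no real interface on this wire.
"""
import ipaddress


def outside_segment(proxy_arp):
    """Devices on 203.238.108.0/24: 'owns' are real addresses,
    'proxy_arp' are NAT addresses the firewall will answer ARP for."""
    return {
        "firewall": {"owns": {"203.238.108.2"}, "proxy_arp": set(proxy_arp)},
        "router": {"owns": {"203.238.108.254"}, "proxy_arp": set()},
        "host80": {"owns": {"203.238.108.80"}, "proxy_arp": set()},
    }


def who_answers_arp(segment, ip):
    """Name of the device replying to 'Who has <ip>?', or None if nobody does."""
    for name, dev in segment.items():
        if ip in dev["owns"] or ip in dev["proxy_arp"]:
            return name
    return None


def next_hop(src_ip, netmask, gateway, dst_ip):
    """Address a host ARPs for: the destination itself if it is on-link,
    otherwise its default gateway."""
    net = ipaddress.ip_network(f"{src_ip}/{netmask}", strict=False)
    return dst_ip if ipaddress.ip_address(dst_ip) in net else gateway


def host_can_deliver(segment, src_ip, netmask, gateway, dst_ip):
    """A directly attached host: delivery works only if its ARP is answered."""
    return who_answers_arp(segment, next_hop(src_ip, netmask, gateway, dst_ip)) is not None


# The router's static host routes from the post (constructed lookup table).
ROUTER_HOST_ROUTES = {"203.238.108.90": "203.238.108.2",
                      "203.238.108.91": "203.238.108.2"}


def router_can_deliver(segment, dst_ip):
    """Router forwarding a reply from the WAN: a static host route sends it to
    the firewall's real address .2, which answers ARP even without proxy ARP."""
    return who_answers_arp(segment, ROUTER_HOST_ROUTES.get(dst_ip, dst_ip)) is not None


if __name__ == "__main__":
    no_proxy = outside_segment(proxy_arp=[])
    proxied = outside_segment(proxy_arp=["203.238.108.90", "203.238.108.91"])
    args = ("203.238.108.80", "255.255.255.0", "203.238.108.254", "203.238.108.90")
    print("WAN reply via router (no proxy ARP):", router_can_deliver(no_proxy, "203.238.108.90"))
    print(".80 -> .90 without proxy ARP:", host_can_deliver(no_proxy, *args))
    print(".80 -> .90 with proxy ARP on firewall:", host_can_deliver(proxied, *args))
```

Run it and the three lines come out True, False, True: the router's host route masks the problem for WAN traffic, while the on-link host's ARP for .90 goes unanswered until the firewall proxy-ARPs for it.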
