
To: cipe-l,AT,inka,DOT,de
Subject: PKCIPE server behind a NAT
From: Alessandro Baretta <alex,AT,baretta,DOT,com>
Date: Mon, 09 Jun 2003 11:09:14 +0200
Organization: Baretta srl -- www.baretta.com

I have a PKCIPE server which is protected from intrusions by a packet filtering firewall which also acts as a NAT. The NAT rules do the following:

1) DNAT all incoming TCP connections on the PKCIPE port to the PKCIPE server
2) DNAT all UDP packets coming into any one of the ports reserved for CIPE to the same port on the pkcipe/cipe server box
3) SNAT all packets coming from the DMZ to the firewall's own address

Supposedly, with this setup, the PKCIPE clients should not even realize that they are talking with the server through a NAT. In reality, the client recognizes that it has to go through a NAT because no packets get through until an ICMP ping is sent from the server side to the client side.

I have now set up my ip-up scripts to send a ping after a successful pkcipe connection has been made, and this setup works very well. I just wonder why this ping is really necessary for cipe links going through a firewall, even such a transparent firewall setup as the one I described. Any ideas?
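The three NAT rules described in the post, written out as iptables commands. This is an added example and not part of the original message or of the CIPE/PKCIPE project; the addresses, interface name, the PKCIPE TCP port and the CIPE UDP port range are placeholders chosen for illustration and must be replaced with the values of the actual setup. The script only prints the rules rather than applying them, so it can be reviewed before being run with root privileges.

```shell
#!/bin/sh
# Added example: renders the three NAT rules from the post as iptables commands.
# All values below are placeholders (assumptions), not taken from the post.

FW_EXT_IP="${FW_EXT_IP:-203.0.113.10}"         # firewall's own public address (placeholder)
CIPE_SERVER="${CIPE_SERVER:-10.0.1.5}"         # pkcipe/cipe server box in the DMZ (placeholder)
DMZ_NET="${DMZ_NET:-10.0.1.0/24}"              # DMZ subnet (placeholder)
EXT_IF="${EXT_IF:-eth0}"                       # external interface (placeholder)
PKCIPE_TCP_PORT="${PKCIPE_TCP_PORT:-1410}"     # PKCIPE TCP port (placeholder; check the pkcipe config)
CIPE_UDP_PORTS="${CIPE_UDP_PORTS:-6000:6009}"  # UDP port range reserved for CIPE links (placeholder)

cipe_nat_rules() {
    # Rule 1: DNAT incoming TCP connections on the PKCIPE port to the server.
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport %s -j DNAT --to-destination %s\n' \
        "$EXT_IF" "$PKCIPE_TCP_PORT" "$CIPE_SERVER"
    # Rule 2: DNAT incoming UDP on the CIPE port range to the same port on the server.
    # Leaving the port out of --to-destination keeps the original destination port.
    printf 'iptables -t nat -A PREROUTING -i %s -p udp --dport %s -j DNAT --to-destination %s\n' \
        "$EXT_IF" "$CIPE_UDP_PORTS" "$CIPE_SERVER"
    # Rule 3: SNAT everything leaving the DMZ to the firewall's own address.
    printf 'iptables -t nat -A POSTROUTING -s %s -o %s -j SNAT --to-source %s\n' \
        "$DMZ_NET" "$EXT_IF" "$FW_EXT_IP"
}

# Number of rules produced, so the output can be checked before it is applied.
cipe_nat_rule_count() {
    cipe_nat_rules | wc -l | tr -d ' '
}

cipe_nat_rules
```

Pipe the output into `sh` as root once the placeholders have been replaced; the filter-table rules that let the DNATed traffic through the FORWARD chain are part of the packet-filtering policy and are not covered here.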
