I have a PKCIPE server which is protected from intrusions by
a packet filtering firewall which also acts as a NAT. The
NAT rules do the following:
1) DNAT all incoming TCP connections on the PKCIPE port to
the PKCIPE server
2) DNAT all UDP packets coming into any one of the ports
reserved for CIPE to the same port on the pkcipe/cipe server box
3) SNAT all packets coming from the DMZ to the firewall's
own address
Supposedly, with this setup, the PKCIPE clients should not
even realize that they are talking with the server through a
NAT. In reality, the client recognizes that it has to go
through a NAT because no packets get through until an ICMP
ping is sent from the server side to the client side.
I have now set up my ip-up scripts to send a ping after a
successful pkcipe connection has been made, and this setup
works very well. I just wonder why this ping is really
necessary for cipe links going through a firewall, even such
a transparent firewall setup as the one I described. Any ideas?