• Subject: Re: TCP Problem
  • From: Larry Bolhuis <lbolhuis@xxxxxxxxxx>
  • Date: Mon, 13 Nov 2000 14:43:08 -0500
  • Organization: Arbor Solutions, Inc

First question is if the NAT Translation is static or dynamic. If
dynamic you will never PING the AS/400 because the outside address of
the AS/400 changes each time it goes out to the web. (you also won't get
HTTP to work because you can't find the AS/400 on port 80 either)

Depending on your firewall you can static an entire address to the
AS/400 (all protocols, all ports). Firewalls such as Cisco PIX use this
strategy. In this case you would know the AS/400's address but you still
can't ping the AS/400 unless you have enabled ICMP traffic to come in
through the firewall (a command such as CONDUIT PERMIT ICMP ALL ALL will
allow incoming PING and TRACERT traffic on a PIX.) 

Other firewalls let you direct just a single port (such as port 80 for
HTTP) to the AS/400 while other ports (such as 25 for Mail or 21 for
Telnet) are directed to other Private (internal) IP addresses from the
same Public (external) IP address. This will work great for web serving
but will not allow PING to work.

In general most firewall administrators turn off the ability to PING and
TRACERT through the firewall because these tools give a hacker some part
of a view of what is inside your network. With hackers, the less they
know the better!

Hope this helps!

 - Larry

Jon.Paris@hal.it wrote:
> 
> Can anyone point me in the right direction here.
> 
> We are having a problem PINGing our AS/400 via a NAT translation in the
> firewall.  The long term intent is to allow certain HTTP transactions to
> come through the wall and be served up by the AS/400.  As part of testing
> this we have one of the PCs set up to appear to the firewall to be coming
> from outside.  He can ping any of the PCs (and a Linux box) but the AS/400
> just doesn't respond.  If the 400 is pinged from inside the firewall or
> from outside via the VPN it responds just fine.
> 
> Any thoughts?  Any kind of logging I can turn on that would show me what is
> going on?  I'm somewhat of a TCP/IP virgin so any help welcome.
> 
> +---
> | This is the Midrange System Mailing List!
> | To submit a new message, send your mail to MIDRANGE-L@midrange.com.
> | To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com.
> | To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com.
> | Questions should be directed to the list owner/operator: david@midrange.com
> +---

-- 
Larry Bolhuis
Arbor Solutions, Inc.
(616) 451-2500
(616) 451-2571 -fax
lbolhuis@arbsol.com
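The three firewall behaviours Larry describes (dynamic NAT with no fixed inbound mapping, a static one-to-one mapping that still needs ICMP permitted through the filter, and per-port forwarding to different inside hosts) can be modelled in a few lines to show exactly why HTTP can reach the AS/400 while PING cannot. This is an added example, not code from the original message or from any firewall vendor: the mode names, the inside addresses and the packets are all constructed for illustration, and `permit_icmp_inbound` stands in for a PIX-style "conduit permit icmp" rule.

```python
"""Model of inbound NAT handling: static, per-port forward, and dynamic.

Added example, not from the original post. Rule tables, addresses and
packets below are constructed for illustration only.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Packet:
    dst_ip: str                    # public address the outside host sends to
    proto: str                     # "tcp", "udp" or "icmp"
    dst_port: Optional[int] = None  # None for ICMP, which carries no port


@dataclass
class Firewall:
    mode: str                                   # "static", "portforward" or "dynamic"
    public_ip: str
    static_inside: Optional[str] = None         # static mode: one inside host, all ports/protocols
    forwards: dict = field(default_factory=dict)  # portforward mode: (proto, port) -> inside IP
    permit_icmp_inbound: bool = False           # assumed stand-in for "conduit permit icmp any any"

    def translate_inbound(self, pkt: Packet) -> Optional[str]:
        """Return the inside address the packet is delivered to, or None if it is dropped."""
        if pkt.dst_ip != self.public_ip:
            return None
        if self.mode == "dynamic":
            # Outbound-only translation: the inside host has no fixed public address,
            # so no inbound packet of any protocol can be matched to it.
            return None
        if self.mode == "static":
            if pkt.proto == "icmp" and not self.permit_icmp_inbound:
                return None  # address translates, but the filter still drops echo-request
            return self.static_inside
        if self.mode == "portforward":
            if pkt.proto == "icmp":
                return None  # ICMP has no port, so no per-port forward can ever match it
            return self.forwards.get((pkt.proto, pkt.dst_port))
        raise ValueError(f"unknown mode {self.mode!r}")


PUBLIC = "203.0.113.10"      # constructed public address
AS400 = "10.0.0.5"           # constructed inside address of the AS/400
MAILHOST = "10.0.0.6"        # constructed inside address of a separate mail server

# Constructed test traffic an outside PC would generate.
PROBES = {
    "ping": Packet(PUBLIC, "icmp"),
    "http": Packet(PUBLIC, "tcp", 80),
    "smtp": Packet(PUBLIC, "tcp", 25),
}


def reachability(fw: Firewall) -> dict:
    """Map each probe name to the inside host that receives it (None = dropped)."""
    return {name: fw.translate_inbound(pkt) for name, pkt in PROBES.items()}


def example_firewalls() -> dict:
    """The three configurations discussed in the thread, as constructed rule sets."""
    return {
        "dynamic": Firewall("dynamic", PUBLIC),
        "static_no_icmp": Firewall("static", PUBLIC, static_inside=AS400),
        "static_icmp_permitted": Firewall("static", PUBLIC, static_inside=AS400,
                                          permit_icmp_inbound=True),
        "portforward": Firewall("portforward", PUBLIC,
                                forwards={("tcp", 80): AS400, ("tcp", 25): MAILHOST}),
    }


if __name__ == "__main__":
    for name, fw in example_firewalls().items():
        print(f"{name:24s} {reachability(fw)}")
```

The practical consequence for the original question: when the firewall only forwards port 80, test the AS/400 from outside with a TCP connection to port 80 (for example `nc -z -w 3 <public address> 80`, or simply a browser) rather than with PING, because no ICMP rule on the firewall will make a per-port forward deliver an echo-request.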

This mailing list archive is Copyright 1997-2019 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available here. If you have questions about this, please contact [javascript protected email address].