• Subject: Re: TCP Problem
  • From: Philipp Rusch <Philipp.Rusch@xxxxxxxxxxxx>
  • Date: Mon, 13 Nov 2000 22:42:48 +0100
  • Organization: EDV Beratung Rusch / EDP Consulting Rusch / Germany

Hi Jon,
Question: how will you know from outside the firewall which (private) address
you mean to reach the AS/400 behind your NAT-Address (only one (?) or do you
have a pool of addresses assigned)?
Without further configuration your firewall cannot determine which host you 
want to reach inside by "pinging from outside".
As Larry perfectly described, normal firewall setup is disabling ICMP-echos
as well to make it even worse for you to test your setup.
Answers/solutions:
But, hopefully, there are some simple solutions available, the "inventors" of
NAT thought about:
You need to set up a mapping of one of your "external" (official) addresses
to match the desired "internal" (private) addresses. Normally you map only one
port per service which is then to be performed/served by that particular host.
Let's say you have a webserver at 192.168.1.90 and a mailserver at 192.168.1.10
and you have been assigned official addresses like 212.3.2.1 to 212.3.2.8, then
you could do a mapping of port 80 (HTTP) to 212.3.2.1 / 192.168.1.90 and another
mapping of ports 25 (SMTP) and 110 (POP3) to 212.3.2.7 / 192.168.1.10 and so on.
For drilling deeper into NAT information have a look at:
http://www.cisco.com/warp/public/556/index.shtml

HTH, Regards from Germany, Philipp Rusch


 -----------------------------------------------------------------
| EDV Beratung Rusch          EDP Consulting Rusch                |
| Philipp Rusch               Mailto: Philipp.Rusch@rusch-edv.de  |
| Am Errlich 9                WWW   : http://www.rusch-edv.de/    |
| D-61191 Rosbach,                                                |
| Germany                                                         |
| Phone: (+49) 6003 3972      Mobile : (+49) 172 89 86 230        |
| Fax  : (+49) 6003 3795                                          |
|                                                                 |
 -----------------------------------------------------------------
 

Jon.Paris@hal.it schrieb:
> 
> Can anyone point me in the right direction here.
> 
> We are having a problem PINGing our AS/400 via a NAT translation in the
> firewall.  The long term intent is to allow certain HTTP transactions to
> come through the wall and be served up by the AS/400.  As part of testing
> this we have one of the PCs set up to appear to the firewall to be coming
> from outside.  He can ping any of the PCs (and a Linux box) but the AS/400
> just doesn't respond.  If the 400 is pinged from inside the firewall or
> from outside via the VPN it responds just fine.
> 
> Any thoughts?  Any kind of logging I can turn on that would show me what is
> going on?  I'm somewhat of a TCP/IP virgin so any help welcome.
> 
> +---
> | This is the Midrange System Mailing List!
> | To submit a new message, send your mail to MIDRANGE-L@midrange.com.
> | To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com.
> | To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com.
> | Questions should be directed to the list owner/operator: david@midrange.com
> +---
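The port mapping described in the reply above, modeled as a small static NAT table. This is an added example, not part of the original message and not any firewall's own code; the client address 198.51.100.23, the table layout and the class and method names are assumptions made for illustration.

```python
# Static NAT port mapping using the addresses from the reply above.
# Key: (protocol, external address, external port) -> internal host.
STATIC_MAP = {
    ("tcp", "212.3.2.1", 80): "192.168.1.90",   # HTTP -> web server
    ("tcp", "212.3.2.7", 25): "192.168.1.10",   # SMTP -> mail server
    ("tcp", "212.3.2.7", 110): "192.168.1.10",  # POP3 -> mail server
}


class StaticNat:
    """Hypothetical model of a firewall that forwards only mapped ports."""

    def __init__(self, mapping):
        self.mapping = dict(mapping)
        # (proto, inside ip, inside port, remote ip, remote port) -> external ip
        self.sessions = {}

    def inbound(self, proto, src, sport, dst, dport=None):
        """Translate a packet arriving from outside; None means dropped."""
        if proto == "icmp":
            # An echo request has no port, so a port-only table like this one
            # has nothing to match it against and no inside host is selected.
            return None
        inside = self.mapping.get((proto, dst, dport))
        if inside is None:
            return None  # no mapping for this address/port: dropped
        self.sessions[(proto, inside, dport, src, sport)] = dst
        return (proto, src, sport, inside, dport)

    def outbound(self, proto, src, sport, dst, dport):
        """Rewrite a reply from an inside host back to its external address."""
        external = self.sessions.get((proto, src, sport, dst, dport))
        if external is None:
            return None  # no inbound session was recorded for this reply
        return (proto, external, sport, dst, dport)


if __name__ == "__main__":
    nat = StaticNat(STATIC_MAP)
    client = "198.51.100.23"  # constructed outside client address
    print("HTTP in :", nat.inbound("tcp", client, 40000, "212.3.2.1", 80))
    print("HTTP out:", nat.outbound("tcp", "192.168.1.90", 80, client, 40000))
    print("ping in :", nat.inbound("icmp", client, None, "212.3.2.1"))
    print("SMTP to web address:", nat.inbound("tcp", client, 40001, "212.3.2.1", 25))
```

In this model a TCP connection to a mapped port is the useful reachability test from outside, since the ping never selects an inside host.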


This mailing list archive is Copyright 1997-2019 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].