Ping – How Ping Works from Private IP Source to Public IP Destination Without NAT

firewallipv4ispnat;ping

These are my first questions asked into this forum so could you please help me? These were asked during a job interview:

How does the ping work when we launch an ICMP echo request message from an internal LAN private IPv4 source address towards a public IPv4 destination address (example 8.8.8.8 – Google server) without enabling the NAT/PAT protocol on our default/internal gateway router?
If the ping is unsuccessful (receiving the requested timed out/time exceeded) ICMP error type, which next-hop node will prevent forwarding the traffic (ICMP control) packets towards the Internet?
Which methods we should use in order to obtain a successful echo reply ping?

I have thought of a possible answer, which I will share with you after the response in order to see if it's valid or not.

Best Answer

Private IPv4 addresses are defined by RFC1918, in which you will find:

Because private addresses have no global meaning, routing information about private networks shall not be propagated on inter-enterprise links, and packets with private source or destination addresses should not be forwarded across such links. Routers in networks not using private address space, especially those of Internet service providers, are expected to be configured to reject (filter out) routing information about private networks. If such a router receives such information the rejection shall not be treated as a routing protocol error.

Without NAT/PAT, the ICMP packet will be dropped by your ISP router. Most of the time, it will be silently drop, but you may have some ICMP message back, depending of the configuration your ISP made.

To have a successful ping reply from an Internet host to a echo request originated by a private IP address there's no other option than NAT/PAT.

Related Solutions

Router – Traceroute to an internet address when I’m behind a Dynamic-PAT firewall

Yes, you're missing something. And yes, "something fancy" is going on. The router's NAT state table will map the inside-outside translation for the traceroute probe. (UDP normally) As is required for ICMP to work through any firewall, an ICMP error message will be allowed as part of an established flow. The "fancy" part is the fact the ICMP error carries the header of the packet that caused the error, so the router can match this against it's NAT table for translation to the correct host.

Note: Cisco's firewall product (ASA) will not map icmp errors unless configured to do so:

policy-map global_policy
 class inspection_default
  ...
  inspect icmp error

IOS does so without any specific configuration.

Nat – How does NAT work for large private networks

As a rule of thumb, I size my firewalls for 250 tcp sessions per user. That's on the high side right now, but as people start to use more and more cloud services (dropbox, Office365, etc, etc) the number of sessions per user is only going up in the near future, so I prefer to be on the safe side. This means a single public IP is enough to NAT for only 250 users.

If you have more users, you would need to use more public IP addresses for NAT. This is called a NAT Pool. Your firewall will use IPs from the pool to assign IP/port combinations as needed.

In Cisco IOS, you configure a NAT pool thus:

ip nat pool <name> <start-ip> <end-ip> 
 {netmask <netmask> | prefix-length <prefix-length>}
 [type {rotary}]

If you want to know everything about NAT, check out the Cisco documentation. It's an excellent read.

Best Answer

Related Solutions

Router – Traceroute to an internet address when I’m behind a Dynamic-PAT firewall

Nat – How does NAT work for large private networks

Related Topic