04-07-2011 12:30 AM
I have successful to build up a DIP which can translate my internal IP to external IP pool. E.g
192.168.80.0/24 ---> 22.214.171.124 ~ 25
Although the internal IP can access to Internet. However, sometime the Internet are require to trace back to check is it my host is available not, but its fail because it could not ping back for those external IP. Is it true and how can I enable it?
04-09-2011 02:40 AM
DIP's only translate addresses for outgoing connections, not incoming like a ping from the untrust side. For incoming you have to use MIP's, VIP's or NAT-dst.
A MIP is actually a one-to-one mapping that works in both directions and is the easiest to implement. See this KB-article for a description:
Because it is a one to one mapping you need an external IP for every server on the trust side. If you don't have that many external IP's available you are forced to use VIP's or NAT-dst.
VIP's can be used for port forwarding. See this KB-article for more information:
But this doesn't work for ping (ICMP doesn't have port numbers). You can use NAT-dst for that:
To only allow pings the example would look like this:
set interface ethernet0/0 zone trust
set interface ethernet0/1 zone untrust
set interface ethernet0/1 ip 126.96.36.199/24
set arp nat-dst
set address untrust server-pub 188.8.131.52/32
set policy from untrust to untrust any server-pub "PING" nat dst ip 192.168.1.100 permit