45

NAT uses an IP address and port number combination to hash the outgoing requests. Since ping requests consist of ICMP echo request packets, they do not have any associated port number. How does a NAT server forward the replies to the hosts inside the network?

1

2 Answers

49

For ICMP query/reply type messages like Echoes (pings), NAPT uses the ICMP Query ID (sometimes just called the ICMP ID) the same way it would use a TCP or UDP port number.

For ICMP error messages such as Destination Unreachable, it uses the ICMP packet's internal copy of the headers of the frame that caused the error to figure out which mapping in the NAT table to use to translate it.

These procedures are referenced briefly in several NAT-related RFCs, but I had a hard time finding one that explicitly spelled out the procedure. See "Traditional NAT", RFC3022, section 4.1.

This doesn't conflict with any TCP or UDP mapping because in a good NAPT implementation, the protocol is one of the pieces of information held in the NAT table entry to make it unique.

3
  • 1
    Can you cite it from somewhere? Commented Apr 27, 2010 at 9:33
  • What if the ICMP ID clashes with a port number that my process is using? Commented Apr 27, 2010 at 9:34
  • @iamrohitbanga OK I expanded my answer to cover your further questions.
    – Spiff
    Commented Apr 27, 2010 at 15:06
1

I did a small simulation (based on the GNS3 Kali Linux CLI appliance) to check what happens when ICMP clashes (apparently, it could be vendor specific):

"ICMP requests/response Before NAT" shows the situation where the Identifiers of ICMP requests from 2 devices (with IPs 10.0.0.1 and 10.0.0.2 respectively) become equal.

At the same time, "ICMP requests/response After NAT" shows that the Identifier of the clashing ICMP session is changed to 0 by the NAT, and is incremented from there on.

As a summary, it can be said that the Linux NAT handles the clashing of ICMP identifiers on its own (as the ICMP identifiers are not changed before the NAT).
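The two answers above can be put together in one sketch, added here as an example and not taken from either answer or from any NAT implementation: a toy NAPT table keyed on protocol plus ICMP Query ID (or port), with clash handling and the embedded-header lookup for ICMP errors. The names `Napt`, `lookup_key`, `echo` and `unreachable` are hypothetical, the packets are constructed, and the clash policy (lowest free ID, counting up from 0) is an assumption that only mirrors the behaviour observed in the second answer.

```python
import socket
import struct

ICMP, TCP, UDP = 1, 6, 17
ERROR_TYPES = {3, 4, 5, 11, 12}  # Unreachable, Source Quench, Redirect, Time Exceeded, Parameter Problem

class Napt:
    """Toy NAPT table; the protocol is part of every key, so ICMP IDs and ports never collide."""
    def __init__(self):
        self.out = {}    # (proto, inside_ip, inside_id) -> public_id
        self.back = {}   # (proto, public_id) -> (inside_ip, inside_id)

    def outbound(self, proto, inside_ip, inside_id):
        key = (proto, inside_ip, inside_id)
        if key not in self.out:
            public_id = inside_id
            if (proto, public_id) in self.back:    # clash with another inside host
                # Assumed policy for this sketch: lowest free value, counting up from 0.
                public_id = next(i for i in range(0x10000) if (proto, i) not in self.back)
            self.out[key] = public_id
            self.back[(proto, public_id)] = (inside_ip, inside_id)
        return self.out[key]

    def inbound(self, icmp):
        """Map an inbound ICMP message to (inside_ip, inside_id), or None to drop it."""
        return self.back.get(lookup_key(icmp))

def lookup_key(icmp):
    """(protocol, public_id) that selects the NAT entry for an inbound ICMP message."""
    if icmp[0] in (0, 8):                           # Echo Reply / Echo Request: Query ID
        return ICMP, struct.unpack_from("!H", icmp, 4)[0]
    if icmp[0] not in ERROR_TYPES:
        raise ValueError("ICMP type not handled in this sketch")
    inner = icmp[8:]                                # embedded IP header + first 8 payload bytes
    ihl, proto = (inner[0] & 0x0F) * 4, inner[9]
    offset = {ICMP: 4, TCP: 0, UDP: 0}[proto]       # ICMP ID, or TCP/UDP source port
    return proto, struct.unpack_from("!H", inner, ihl + offset)[0]

# Constructed sample packets (checksums left at 0; a real NAT must recompute them).
def echo(icmp_type, ident, seq=1):
    return struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)

def unreachable(proto, src_ip, l4_first8):
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                     socket.inet_aton(src_ip), socket.inet_aton("192.0.2.9"))
    return struct.pack("!BBHI", 3, 1, 0, 0) + ip + l4_first8
```

The embedded header in an inbound error carries the translated (outside) ID or source port, which is why the same `back` table resolves both echo replies and errors.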
