Calguns.net  

Forwarding ICMP through a Cisco router

#1 | bigmike82 | 01-30-2010, 6:37 PM

So I find myself having to forward ICMP through a Cisco router for monitoring purposes. Unfortunately, ICMP doesn't operate on a 'port', so the standard port natting won't work. For security and management, I can't NAT the IPs 1 to 1. I just need to forward ICMP requests from the public IP to the private.

I can't seem to find a way to do this.

Does anyone have any ideas?
__________________
-- 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
#2 | 8 pack | 01-30-2010, 7:07 PM

I think static nat with an access list allowing only ICMP requests (and any other desired traffic) would work and be secure enough.
#3 | bigmike82 | 01-30-2010, 7:18 PM

That won't work because that external IP needs to map to about four other private IPs. I've two Windows boxes set up that I need RD access to, a Linux box that does monitoring, and SNMP/ICMP to the fourth IP, which is a router down the line.
#4 | 8 pack | 01-30-2010, 9:31 PM

Is the Linux box monitoring the router that you want the ICMP requests forwarded to? If it's local then you shouldn't need to forward the ICMP requests. I apologize if I am completely missing the mark here.
#5 | PolishMike | 01-30-2010, 9:33 PM

Sounds like your flux capacitor isn't configured correctly.
__________________
Tracy Rifle and Pistol
7601 W 11th St
Tracy Ca 95304
209 833-9100
For sales Questions please email Sales@tracyrifleandpistol.com
#6 | bigmike82 | 01-30-2010, 10:12 PM

That Linux box isn't doing the monitoring... yet. I'm using a box that's on my local network, outside that network, for monitoring right now. That's why I need to forward ICMP.
#7 | fd15k | 01-30-2010, 10:27 PM

If you're trying to monitor latency and/or reachability to more than 1 box behind the NAT, then I think your best option is to use some "hacking". Set up UDP port forwarding, say ports 1025 and 1026 (completely arbitrary ports), to boxes A and B, and send a UDP datagram to either of those ports with payload "Hello, world!" Because you've got no service listening for those datagrams on either box, those boxes will respond with ICMP unreach (destination port unreachable). So instead of having ICMP echo request -> echo reply, you will have UDP dg -> ICMP unreach.
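fd15k's UDP-to-a-closed-port trick, written out as an added Python example (not code from the thread): the probe sends a datagram to a forwarded port with nothing listening behind it and reads the ICMP port-unreachable that comes back as ECONNREFUSED on a connected UDP socket. It assumes the NAT device translates that ICMP error back to the sender; the host, port and payload are placeholders, and the free-port helper exists only so the probe can be tried against 127.0.0.1.

```python
import socket

# Constructed payload, the same text fd15k suggested in the thread.
PAYLOAD = b"Hello, world!"


def udp_unreachable_probe(host, port, timeout=2.0):
    """Probe a host through a UDP port-forward that has no listener.

    Returns 'up' when the host answers (an ICMP port-unreachable, or any
    datagram), 'silent' when nothing arrives within the timeout, and
    'error:<reason>' when the probe could not even be sent.
    Assumption (not from the thread): the NAT device translates the ICMP
    error back to us; if it drops it, an up host also looks 'silent'.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        # Only a *connected* UDP socket gets the ICMP error reported back
        # as ECONNREFUSED on the next recv(); an unconnected one stays quiet.
        sock.connect((host, port))
        sock.send(PAYLOAD)
        try:
            sock.recv(1500)
        except ConnectionRefusedError:
            return "up"          # ICMP destination port unreachable came back
        except socket.timeout:
            return "silent"      # host down, ICMP filtered, or a mute listener
        return "up"              # something actually answered the datagram
    except OSError as exc:
        return "error:" + (exc.strerror or str(exc))
    finally:
        sock.close()


def free_udp_port():
    """Constructed test helper: a loopback port with nothing listening on it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    # Against the thread's setup this would be 1.2.3.4 port 1025 or 1026.
    print(udp_unreachable_probe("127.0.0.1", free_udp_port()))
```

A 'silent' result cannot tell a down host from one whose ICMP errors are filtered on the way back, so a monitor should report it as unknown rather than down.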
#8 | 6172crew | 02-01-2010, 6:00 PM

Does your router have an access list already applied? Maybe you're too restrictive, and allowing the ping may have to be before the list that is denying your packet.

Of course I'm not the pro, but if I was going to look somewhere that's where I would start. You can also download a packet tracer deal that you can upload your IOS to and see what or where is stopping your traffic.

The file/tracer I have is called ISO 9660, which was had from a Cisco guy and is 69MB. The app is for testing your network before turning it up, but it works... at least in the classroom.
__________________

HMM-161 Westpac 1994
#9 | bigmike82 | 02-01-2010, 9:06 PM

Unfortunately, it's not that simple.

The router has *no* rule that covers where to forward the ICMP packet.

Here's how it's set up.

Public IP: 1.2.3.4
Private IPs: 10.0.0.100,101,102,103

1.2.3.4:80 is NATed to 10.0.0.100
1.2.3.4:22 is NATed to 10.0.0.101
1.2.3.4:3389 is NATed to 10.0.0.102

Note that the router can route traffic to 1.2.3.4, but *none* of the interfaces have that IP, and therefore ICMP times out. Which is fine, since I don't monitor the router on that IP anyway. I need to monitor 10.0.0.103 via ICMP, and I can only use 1.2.3.4. That's where the issue is.
#10 | fd15k | 02-01-2010, 9:26 PM

So if you're pinging 1.2.3.4 and getting timeouts (while there is no specific NAT rule for ICMP), it's probably just being dropped by the firewall.
#11 | bigmike82 | 02-01-2010, 9:30 PM

Nope. The packets are being dropped, but not at the firewall. The router itself is dropping the packets, because it doesn't know where to send them.
#12 | fd15k | 02-01-2010, 9:35 PM

And when you telnet into 1.2.3.4, does it time out too? Unless there is a NAT rule for something, the router is supposed to assume the traffic is addressed to itself, and handle it.
#13 | nick | 02-01-2010, 9:48 PM

While I never had to deal with a situation like this, echo is TCP/UDP 7, so it might be possible to overload it.

Alternatively, you can just use telnet to some other port translated to some port on the system you monitor. Or you can have the monitored system ping your monitoring system instead, and have the monitoring system record this info. Or you can send SNMP traps to the monitoring system (well, not the best of ideas, since it'll obviously go through a public network).

Finally, you can establish a VPN to that router and ping through it.

Frankly, I'd figure out some other way to monitor that system than pinging with some sort of NAT overloading. It's ***-backwards in so many ways.
__________________
"I would rather be exposed to the inconveniences attending too much liberty than to those attending too small a degree of it." - Thomas Jefferson
"Thou shalt not interfere with the Second Amendment rights of "law-abiding" citizens who want AK-47s only to protect hearth and home." - Paul Helmke finally gets it :)
Quote:
Originally Posted by SJgunguy24
Some people are so open minded, their brains have fallen out.


WTB: Saiga .223 bolt; HK G3 bolt; Chinese AK pistol grips; milled AK cut receiver pieces and stubs.
#14 | nick | 02-01-2010, 9:50 PM

There, from the horse's mouth:

http://tools.ietf.org/html/rfc862
#15 | DiscoBayJoe | 02-01-2010, 9:52 PM

You will not be able to "ping" (using ICMP) 4 private devices with a single public IP address. No amount of router jockeying will allow you to break the rules (unless of course you are Chuck Norris).

Your choices:

1-to-1 NATs

- OR -

Install a TCP based service probe on your monitoring box. That way you can test port 80, 3389, etc. on each device and know not only that the box is reachable but that the service is up.

- OR -

Deploy an MSP-friendly management platform (like Kaseya / LPI / N-Able), one that is designed to do service checks through NAT. I use Kaseya. It reverses the connectivity logic... We install an agent on each host and they check in every 30 seconds with the console. We can do a whole lot more than just checking availability of the machine/socket.
#16 | nick | 02-01-2010, 9:55 PM

Quote:
Originally Posted by DiscoBayJoe
You will not be able to "ping" (using ICMP) 4 private devices with a single public IP address. No amount of router jockeying will allow you to break the rules (unless of course you are Chuck Norris).
Sounds like a challenge! Now I just have to try it! Lab, here I come (well, I'm sitting in it, in a manner of speaking).

ETA: I believe he's trying to ping one of the devices, the one without a NATed service, not all 4 of them, for he has the services he can connect to on the other three.
#17 | DiscoBayJoe | 02-01-2010, 10:05 PM

Quote:
Originally Posted by nick
Sounds like a challenge! Now I just have to try it! Lab, here I come (well, I'm sitting in it, in a manner of speaking).

ETA: I believe, he's trying to ping one of the devices, the one without a NATed service, not all 4 of them, for he has the services he can connect to on the other three.
Oh! He only needs to ping one device.

That's not too hard.

ip nat inside source static tcp 10.0.0.100 80 1.2.3.4 80
ip nat inside source static tcp 10.0.0.101 22 1.2.3.4 22
ip nat inside source static tcp 10.0.0.102 3389 1.2.3.4 3389
ip nat inside source static 10.0.0.103 1.2.3.4

Just make sure you have a good external ACL, because all ports/protocols other than 80/22/3389 will be NAT'd to .103, including ICMP.

You might be able to accomplish the same thing using the 'ip nat inside source list' command with an ACL that permits ICMP to the .103 and then the services needed to the other hosts. Either way, you're only going to get "ping" to work against one of the hosts, not all 4.

Last edited by DiscoBayJoe; 02-01-2010 at 10:15 PM.. Reason: Fixed a Typo
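For the setup described in posts #9 and #17, an added example (not from any poster) of the external ACL DiscoBayJoe says is needed alongside those static translations: the three published ports stay reachable, ICMP echo to 1.2.3.4 (which the catch-all static hands to 10.0.0.103) is allowed only from the monitoring host, and every other port of .103 is dropped. MONITOR-IP, the ACL name and the interface names are placeholders; the ACL is applied inbound on the outside interface, where IOS evaluates it against the untranslated public address, and return traffic for UDP sessions opened from inside is not covered here.

```cisco
! Static translations as posted in the thread (post #17)
ip nat inside source static tcp 10.0.0.100 80 1.2.3.4 80
ip nat inside source static tcp 10.0.0.101 22 1.2.3.4 22
ip nat inside source static tcp 10.0.0.102 3389 1.2.3.4 3389
ip nat inside source static 10.0.0.103 1.2.3.4
!
! Added example: limit what the 1-to-1 static for .103 exposes.
! MONITOR-IP is a placeholder for the monitoring host's public address.
ip access-list extended OUTSIDE-IN
 remark services that are intentionally published
 permit tcp any host 1.2.3.4 eq 80
 permit tcp any host 1.2.3.4 eq 22
 permit tcp any host 1.2.3.4 eq 3389
 remark ping of 1.2.3.4 (lands on 10.0.0.103) only from the monitoring host
 permit icmp host MONITOR-IP host 1.2.3.4 echo
 remark replies to TCP sessions and pings opened from the inside
 permit tcp any any established
 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 remark everything else, including the remaining ports of .103, is dropped and logged
 deny ip any any log
!
interface FastEthernet0/0
 description OUTSIDE (placeholder interface name)
 ip nat outside
 ip access-group OUTSIDE-IN in
!
interface FastEthernet0/1
 description INSIDE (placeholder interface name)
 ip nat inside
```

The "deny ip any any log" line is also the check: hits on it after the change show exactly which traffic the catch-all static would otherwise have delivered to .103.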
#18 | nick | 02-01-2010, 10:30 PM

Wouldn't work, one of the conditions states that he can't do a 1-to-1 NAT (test mode).
#19 | DiscoBayJoe | 02-01-2010, 10:49 PM

Quote:
Originally Posted by nick
Wouldn't work, one of the conditions states that he can't do a 1-to-1 NAT (test mode).
Even Mr. T couldn't work under those requirements! I can understand no 1-to-1 NAT because you don't have 4 public IPs, but not because you don't trust the interface ACL.

Your problem is at layer 8 of the OSI model.
#20 | nick | 02-01-2010, 11:09 PM

Would that be the fleshy layer?
#21 | bigmike82 | 02-01-2010, 11:27 PM

"Unless there is a NAT rule for something, router is supposed to assume traffic as addressed to itself, and handle it."
Uhm...not in my experience with Cisco routers.

"It's ***-backwards in so many ways. "
It's not backwards at all. Ping is one of the ways I'm monitoring it, but that's what Zenoss wants in order to determine if it's up, so that's what Zenoss is going to get. The entire point of static NATing is to allow this kind of functionality with the amount of IPs as a constraint.

You did just jog my memory. I'm used to working on Windows machines, so ping for me means ICMP. I completely forgot that 'nix uses TCP/UDP...so forwarding port 7 should, in fact, work. That's my next step. Thank you.

"You might be able to accomplish the same thing using the 'ip nat inside source list' command with an ACL that permits ICMP to the .103"
This won't work. IP Nat doesn't allow ICMP as a protocol.

"Either way, your only going to get "ping" to work against one of the hosts, not all 4. "
That's fine, and is exactly what I want. Hmm... I wasn't aware that I could NAT ports, and then the entire IP, and have those two work. I'll have to give that a shot as well.

I think the port 7 thing is going to be the final config. Thanks again for reminding me of that.
#22 | bigmike82 | 02-03-2010, 8:48 AM

Damn it, I'm an idiot.

PING doesn't run on TCP. There's no option that I've seen, even in Linux, to ping using port 7. Ping is always ICMP. Tracert uses either ICMP or TCP, depending on the implementation.

Damn it.