6

Is it possible for a PC behind a NAT to ping a device that is on the outside of the NAT and get a successful response? (assuming the firewall permits it)

This is a Cisco RV 120W router

700 Software
  • Possible? Yes. Possible with that model? Don't know. Have you tried? – John Gardeniers Jan 14 '11 at 21:35
  • Have not tried, would be awkward to try as none of our routers permit pings and this one was not functioning properly to begin with. All resolved now. The answer is yes (with this model) @John – 700 Software Feb 07 '11 at 22:07

4 Answers

6

I don't see why not as long as the router/firewall allows outbound ICMP and the inbound responses.

joeqwerty
  • 2
    Bear in mind that ICMP doesn't have ports, so while you can have a server behind the NAT for every external ip:port combination, you could only ping 1 server for each external IP – JamesRyan Jan 14 '11 at 19:35
  • 1
    @JR: I don't follow... – joeqwerty Jan 14 '11 at 19:42
  • 3
    @Joe - ICMP is its own protocol under IP, just like TCP is also a protocol under IP. You can only forward the protocol (or not) to a host inside the NAT, unlike the way that you can forward different TCP ports to different inside hosts. – mfinni Jan 14 '11 at 20:51
  • 1
    @mfinni, that would certainly be a problem for pings directed to a target behind NAT but is not a factor for the source being behind NAT. I'm pretty sure we've all quite successfully pinged remote targets from behind NAT. I know I do so regularly. – John Gardeniers Jan 14 '11 at 21:33
  • @John - of course. I was answering Joe's "i don't follow" directed at @JamesRyan, which was a deviation from the original question. – mfinni Jan 14 '11 at 21:46
  • @mfinni, sorry. I often see joeqwerty abbreviated to Joe and misread the intention. – John Gardeniers Jan 14 '11 at 21:54
1

It is quite possible, the router just has to allow it. I don't know that specific router though.

sysadmin1138
1

Yes. As long as the router allows the ping request to pass outbound and properly tracks the request so that it can return. Most routers I have dealt with handle this correctly. Pings in through a firewall (NAT or not) are often blocked.

There are tools which manipulate TCP packets to generate ICMP failures to provide the equivalent functionality through a Firewall.

BillThor
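The request tracking described in the answer above, and the "ICMP doesn't have ports" point raised in the comments earlier, can be seen in a toy model. This is an added example, not part of any answer and not the RV 120W's actual implementation; `IcmpNat`, `build_echo` and `echo_id` are hypothetical names, and the sketch assumes the NAT keys its table on the ICMP echo identifier in place of a port.

```python
import struct
ECHO_REPLY, ECHO_REQUEST = 0, 8  # ICMP message types

def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum; yields 0 over a message whose checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes = b"ping") -> bytes:
    """ICMP echo message: type, code 0, checksum, identifier, sequence, payload."""
    body = struct.pack("!HH", ident, seq) + payload
    csum = checksum(struct.pack("!BBH", icmp_type, 0, 0) + body)
    return struct.pack("!BBH", icmp_type, 0, csum) + body

def echo_id(msg: bytes) -> int:
    return struct.unpack("!H", msg[4:6])[0]

class IcmpNat:
    """Toy NAT tracking echo requests by identifier, the field that stands in for a port."""
    def __init__(self, public_ip: str):
        self.public_ip = public_ip
        self.next_id = 1
        self.out = {}   # (inside_ip, inside_id, remote_ip) -> public_id
        self.back = {}  # (remote_ip, public_id) -> (inside_ip, inside_id)

    def outbound(self, src: str, dst: str, msg: bytes):
        """Inside host pings out: allocate (or reuse) a public identifier and rewrite."""
        icmp_type, seq = msg[0], struct.unpack("!H", msg[6:8])[0]
        if icmp_type != ECHO_REQUEST:
            return None
        key = (src, echo_id(msg), dst)
        if key not in self.out:
            self.out[key] = self.next_id
            self.back[(dst, self.next_id)] = key[:2]
            self.next_id += 1
        return self.public_ip, dst, build_echo(icmp_type, self.out[key], seq, msg[8:])

    def inbound(self, src: str, msg: bytes):
        """Public side: only a reply matching a tracked request is passed inside."""
        entry = self.back.get((src, echo_id(msg))) if msg[0] == ECHO_REPLY else None
        if entry is None:
            return None  # unsolicited request or unknown reply: no inside host to map to
        inside_ip, inside_id = entry
        seq = struct.unpack("!H", msg[6:8])[0]
        return src, inside_ip, build_echo(ECHO_REPLY, inside_id, seq, msg[8:])
```

Two inside hosts that pick the same identifier get distinct public identifiers, so each reply returns to the right host, while an echo request arriving from outside matches no entry and is dropped.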
0

The ICMP protocol has to be allowed through the routing devices.

If you have some doubt, you can run the traceroute (Linux) or tracert (Windows) command, to see up to which device the ICMP protocol is allowed.

  tracer[ou]t[e] IPaddressOrDomain

While you see

  IP/Domain  time1 time2 time3

the protocol goes through.
But when you see a series of (or infinite)

  * * *

the protocol is dropped/blocked or a device on the way back prevents the protocol from being routed.

Déjà vu
  • 2
    Not so. The **** means that THAT device doesn't RESPOND to ICMP traffic, it does not mean that device BLOCKS ICMP traffic. – joeqwerty Jan 14 '11 at 18:53