Filipe Brandenburger wrote:
> Hi Ward,
>
> On Thu, Feb 19, 2009 at 20:27, <Ward.P.Fontenot at wellsfargo.com> wrote:
>> I add that and telnet to the port on BOX A and get
>> Trying 192.168.0.1...
>> telnet: connect to address 192.168.0.1: Connection refused
>> I can telnet to that port on BOX B and get a successful connection.
>
> The problem is that when BOX B responds, it will respond with a
> 192.168.0.2 source IP, and that will only work if it goes through BOX
> A again (for the DNAT to do the address translation back to
> 192.168.0.1).
>
> In short, this will only work if traffic goes back to the source through BOX A.
>
> For instance, this will NOT happen if the host that is connecting to
> the forwarded port is in the same subnet as hosts BOX A and BOX B.
>
> This will also NOT happen if BOX A is not the default gateway of BOX
> B, or there is somehow another configuration that routes the return
> packets through BOX A (like using an SNAT combined with the DNAT to
> make the connections look like they are coming from BOX A).

A "Connection refused" response indicates that the reply path is working. If there is no response, telnet will just sit and wait, eventually displaying a "Connection timed out" message when the connection times out from the SYN_SENT state (typically about 3 minutes).

-- 
Bob Nichols
"NOSPAM" is really part of my email address. Do NOT delete it.
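A toy model of the return-path problem Filipe describes and of the "refused" versus "timed out" distinction Bob makes, added here as an illustration and not code from the thread. It uses the thread's BOX A (192.168.0.1) and BOX B (192.168.0.2) addresses on one subnet; the client address, client port and forwarded port are assumed, and only the first reply of the handshake is modelled.

```python
# Constructed model: BOX A does DNAT for PORT to BOX B; all three hosts share a subnet.
# BOX_A and BOX_B come from the thread; CLIENT, PORT and CLIENT_PORT are assumed values.
BOX_A, BOX_B, CLIENT = "192.168.0.1", "192.168.0.2", "192.168.0.50"
PORT, CLIENT_PORT = 8080, 40000


def box_a_forward(pkt, conntrack, snat):
    """PREROUTING DNAT (plus optional POSTROUTING SNAT) on BOX A for a new flow."""
    out = dict(pkt, dst=BOX_B)           # DNAT: BOX_A:PORT -> BOX_B:PORT
    if snat:
        out["src"] = BOX_A               # SNAT: make the flow look like it comes from BOX A
    # Remember the translated reply tuple so a reply reaching BOX A can be reversed.
    conntrack[(out["dst"], out["dport"], out["src"], out["sport"])] = pkt
    return out


def box_a_reply(pkt, conntrack):
    """Reverse the translation for a reply that actually passes through BOX A."""
    orig = conntrack.get((pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"]))
    if orig is None:
        return None                      # no conntrack entry: reply is dropped
    return dict(pkt, src=orig["dst"], dst=orig["src"])   # undo DNAT (and SNAT)


def box_b_respond(pkt, listening):
    """BOX B answers SYN-ACK or RST and, being on the same subnet, sends it straight to pkt['src']."""
    flag = "SYN-ACK" if listening else "RST"
    return dict(src=pkt["dst"], sport=pkt["dport"], dst=pkt["src"], dport=pkt["sport"], flag=flag)


def simulate(snat, listening):
    """Outcome the client's telnet would see: 'connected', 'refused' or 'timeout'."""
    conntrack = {}
    syn = dict(src=CLIENT, sport=CLIENT_PORT, dst=BOX_A, dport=PORT, flag="SYN")
    reply = box_b_respond(box_a_forward(syn, conntrack, snat), listening)
    if reply["dst"] == BOX_A:            # the reply only gets un-translated if it reaches BOX A
        reply = box_a_reply(reply, conntrack)
    # A socket in SYN_SENT only matches a reply from the address:port it connected to,
    # so a reply sourced from 192.168.0.2 is ignored and telnet eventually times out.
    if reply is None or (reply["src"], reply["sport"]) != (BOX_A, PORT):
        return "timeout"
    return "connected" if reply["flag"] == "SYN-ACK" else "refused"
```

Without SNAT both a listening and a closed port on BOX B produce a timeout, which is why a "Connection refused" proves the reply is coming back through BOX A.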