From: "Taylor, Grant" <gtaylor@riverviewtech.net>
To: "Vernon A. Fort" <vfort@provident-solutions.com>, netfilter@lists.netfilter.org
Subject: Re: IP Nat or forward
Date: Wed, 6 Apr 2005 15:34:08 -0500
Message-ID: <001d01c53ae7$fbbd22e0$f5001eac@riverview.office>
In-Reply-To: 42542F33.8010501@provident-solutions.com
Ok, one of us is not understanding the other, and it is likely me. Normal
IPSec VPNs run on a network as such:
[Host A] --- LAN --- [Host B] .... (INET) .... [Host C] --- LAN --- [Host D]
Where the LAN between Host A and Host B is one IP subnet and the LAN between
Host C and Host D is another IP subnet, preferably different than the IP
subnet on the first LAN. The VPN in this scenario would be between Host B
and Host C. Let's suppose that the hosts have the following IP addresses:
Host A's LAN IP address is 172.16.1.1
Host B's LAN IP address is 172.16.1.254
Host B's INet IP address is 12.34.56.78
Host C's INet IP address is 87.65.43.21
Host C's LAN IP address is 172.31.255.254
Host D's LAN IP address is 172.31.255.1
In this case the IPSec VPN would be between Host B's INet address of
12.34.56.78 and Host C's INet address of 87.65.43.21. As far as what
traffic would and would not be NATed, you would NAT all traffic going out to
the INet from Host B's INet IP address of 12.34.56.78 except the IPSec VPN
traffic. More information on how to NAT all traffic but the IPSec VPN
traffic is available with your IPSec VPN software. Ask if you need more
help configuring your NATing on Host B and / or Host C. You (or your
counterpart on the other LAN) would NAT all traffic going out to the INet
from Host C's INet IP address of 87.65.43.21 except the IPSec VPN traffic.
Because you have the VPN passing traffic from one LAN to the other LAN you
don't normally need to NAT the traffic at all, except for in your case you
have the same IP subnet on both LANs, which will mess up normal routing and
thus you have to augment it via NATing. I hope this helps clear up some
things for you.
Grant. . . .
> Thanks! I want to make sure I understand the IPSEC and NAT. I'm
> connecting a PUBLIC address to my FIREWALL but NOT including the gateway
> address:
>
> 66.83.239.66 -> IPSEC -> 192.168.90.1 # a host to host / ip to ip VPN
> THEN
> NAT 192.168.90.1 to 192.168.1.1
>
> Since the NAT takes place AFTER the IPSEC traffic, do I really need the
> NAT-T enabled?
>
> Do I just alias the 192.168.90.1 address or should I do a VLAN?
>
> Vernon
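Grant's recipe above ("NAT all traffic going out to the INet ... except the IPSec VPN traffic") written as netfilter rules for Host B in his diagram. This is an added example, not code from the thread; the Internet interface name eth0 is an assumption, and the addresses are the ones from Grant's message.

```shell
#!/bin/sh
# Added example for Host B (not from the original thread).
# Assumed: Host B's Internet interface is eth0 with 12.34.56.78; the local LAN
# is 172.16.1.0/24 and the remote LAN behind Host C is 172.31.255.0/24.
LAN_NET=172.16.1.0/24
REMOTE_NET=172.31.255.0/24
WAN_IF=eth0
WAN_IP=12.34.56.78

# NAT rules in the order netfilter evaluates them. The VPN exemption MUST come
# before the catch-all SNAT: otherwise LAN-to-LAN packets get rewritten to
# 12.34.56.78 before IPsec encapsulates them, and the remote side drops them
# because the source no longer matches the negotiated IPsec policy.
nat_rules() {
    cat <<EOF
iptables -t nat -A POSTROUTING -s $LAN_NET -d $REMOTE_NET -j ACCEPT
iptables -t nat -A POSTROUTING -s $LAN_NET -o $WAN_IF -j SNAT --to-source $WAN_IP
EOF
}

# Input filter: only the tunnel itself is admitted from the Internet
# (IKE on UDP/500, NAT-T on UDP/4500, ESP = IP protocol 50) plus replies
# to connections Host B or its LAN opened; everything else is dropped.
filter_rules() {
    cat <<EOF
iptables -A INPUT -i $WAN_IF -p udp --dport 500 -j ACCEPT
iptables -A INPUT -i $WAN_IF -p udp --dport 4500 -j ACCEPT
iptables -A INPUT -i $WAN_IF -p esp -j ACCEPT
iptables -A INPUT -i $WAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $WAN_IF -j DROP
EOF
}

# Self-check: returns 0 only if the exemption is listed before the SNAT rule.
exemption_precedes_snat() {
    nat_rules | awk '/-j ACCEPT/{a=NR} /SNAT/{s=NR} END{exit (a && s && a < s) ? 0 : 1}'
}

case "${1:-}" in
    apply) nat_rules | sh; filter_rules | sh ;;   # run as root on Host B
    *) nat_rules; filter_rules ;;                 # default: print the rules only
esac
```

Host C mirrors this with the subnets and WAN address swapped; when both LANs share one subnet (Vernon's situation) the exemption has to name the translated addresses instead, which is what his extra NAT step is for.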
Thread overview: 5+ messages
2005-04-06 18:15 IP Nat or forward Vernon A. Fort
2005-04-06 19:38 ` Taylor, Grant
2005-04-06 18:49 ` Vernon A. Fort
2005-04-06 20:34 ` Taylor, Grant [this message]
2005-04-07 13:18 ` Vernon A. Fort