* no nat please
From: Payal Rathod @ 2004-11-04 17:07 UTC (permalink / raw)
To: Netfilter ML
Hi,
I use simple masquerading to allow my windows clients to browse the
net. But for one particular machine I need to connect it to VPN of
my client abroad. Now, the tech people at their end told me not
to nat that machine as nating would destroy the VPN part. How do I do that?
The machine IP address is 192.168.10.15.
With warm regards,
-Payal
* Re: no nat please
From: Jason Opperisano @ 2004-11-04 17:13 UTC (permalink / raw)
To: netfilter
On Thu, 2004-11-04 at 12:07, Payal Rathod wrote:
> Hi,
> I use simple masquerading to allow my windows clients to browse the
> net. But for one particular machine I need to connect it to VPN of
> my client abroad. Now, the tech people at their end told me not
> to nat that machine as nating would destroy the VPN part. How do I do that?
> The machine IP address is 192.168.10.15.
>
> With warm regards,
> -Payal
insert a rule BEFORE your outbound MASQ rule
iptables -t nat -A POSTROUTING -o $EXT_IF -j MASQUERADE
that says:
iptables -t nat -A POSTROUTING -o $EXT_IF \
-s 192.168.10.15 -d $REMOTE_VPN_NET -j ACCEPT
is this a site-to-site VPN between your firewall and their firewall? if
not--ignore the above statements.
-j
--
"'Nuke the whales?' You don't really believe that, do you?
I dunno. Gotta nuke something."
--The Simpsons
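The ordering point in the reply above (the per-host ACCEPT must sit before the catch-all MASQUERADE, because the nat POSTROUTING chain is first-match) is easy to get wrong in a script. The following is an added illustration, not code from the thread: a small Python model of first-match evaluation for the two rules Jason gives. The host 192.168.10.15 is from the page; the interface name and remote VPN network are placeholders standing in for $EXT_IF and $REMOTE_VPN_NET.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

EXT_IF = "eth0"                   # placeholder for $EXT_IF
EXEMPT_HOST = "192.168.10.15"     # the VPN client from the thread
REMOTE_VPN_NET = "10.50.0.0/16"   # placeholder for $REMOTE_VPN_NET (constructed)

@dataclass
class Rule:
    out_if: str
    src: Optional[str]   # -s host or CIDR; None matches any source
    dst: Optional[str]   # -d host or CIDR; None matches any destination
    target: str          # ACCEPT (leave packet un-NATed) or MASQUERADE

    def matches(self, out_if: str, src: str, dst: str) -> bool:
        if out_if != self.out_if:
            return False
        if self.src and ipaddress.ip_address(src) not in ipaddress.ip_network(self.src, strict=False):
            return False
        if self.dst and ipaddress.ip_address(dst) not in ipaddress.ip_network(self.dst, strict=False):
            return False
        return True

    def as_command(self) -> str:
        """Render the rule as the iptables line that would append it."""
        parts = ["iptables", "-t", "nat", "-A", "POSTROUTING", "-o", self.out_if]
        if self.src:
            parts += ["-s", self.src]
        if self.dst:
            parts += ["-d", self.dst]
        return " ".join(parts + ["-j", self.target])

def postrouting(rules: List[Rule], out_if: str, src: str, dst: str) -> str:
    """First-match walk of the nat POSTROUTING chain. No match falls through
    to the chain policy, which for the nat table means: no NAT applied."""
    for rule in rules:
        if rule.matches(out_if, src, dst):
            return rule.target
    return "ACCEPT"

def exemption_first() -> List[Rule]:
    """Jason's order: the ACCEPT for the VPN host is appended before MASQUERADE."""
    return [Rule(EXT_IF, EXEMPT_HOST, REMOTE_VPN_NET, "ACCEPT"),
            Rule(EXT_IF, None, None, "MASQUERADE")]

def masq_first() -> List[Rule]:
    """The mistake: MASQUERADE appended first shadows the exemption entirely."""
    return list(reversed(exemption_first()))
```

Run `postrouting(masq_first(), "eth0", "192.168.10.15", "10.50.1.1")` and the VPN host is masqueraded despite the ACCEPT rule being present, which is exactly the case the reply warns about.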
* Re: no nat please
From: Les Mikesell @ 2004-11-04 17:56 UTC (permalink / raw)
To: Payal Rathod; +Cc: Netfilter ML
On Thu, 2004-11-04 at 11:07, Payal Rathod wrote:
> I use simple masquerading to allow my windows clients to browse the
> net. But for one particular machine I need to connect it to VPN of
> my client abroad. Now, the tech people at their end told me not
> to nat that machine as nating would destroy the VPN part. How do I do that?
> The machine IP address is 192.168.10.15.
If they are using IPsec for the VPN you generally can't use it
behind NAT and you have to set it up to work from the device
that has the public address. However there is a new standard
for NAT traversal for IPsec and a recent Windows update adds
it for win2k and XP. I don't know if it needs additional support
at the NAT gateway or if you need matching versions at both
ends, though.
---
Les Mikesell
les@futuresource.com
* Re: no nat please
From: Bosse Klykken @ 2004-11-04 18:53 UTC (permalink / raw)
To: netfilter
On Thu, Nov 04, 2004 at 11:56:54AM -0600, Les Mikesell wrote:
> However there is a new standard
> for NAT traversal for IPsec and a recent Windows update adds
> it for win2k and XP. I don't know if it needs additional support
> at the NAT gateway or if you need matching versions at both
> ends, though.
Yes, IPSEC borks when one of the endpoints goes through NAT. I agree
with Les, you seem to need NAT-T, and both the server and client need
to support this, so check your VPN documentation.
I don't think that there's any need in configuring anything specific
on the NAT gateway, as long as the firewall allows UDP port 4500
(NAT-T) to flow.
.../Bosse
--
Bosse Klykken - http://www.klykken.com/~bosse
Keep staring. I might do a trick.
* RE: no nat please
From: Daniel Chemko @ 2004-11-04 17:13 UTC (permalink / raw)
To: Payal Rathod, Netfilter ML
Payal Rathod wrote:
> Hi,
> I use simple masquerading to allow my windows clients to browse the
> net. But for one particular machine I need to connect it to VPN of
> my client abroad. Now, the tech people at their end told me not
> to nat that machine as nating would destroy the VPN part. How do I do
> that? The machine IP address is 192.168.10.15.
You have to NAT that address or else you're looking at a very large
change to the firewall to get it to work. Even then it'd be a kludge. The
best idea would be to NAT and figure out how to support the VPN tunnel
through the firewall. Linux has support for IPSEC/PPTP/L2TP, any other
VPN-like products, who knows. Maybe if you gave some more information,
we could give you a more articulate answer.