csthf9 >   to change settings there, so I just moved the masquerading job
csthf9 >   to FW2, and it's working now)

Ok, cool.

csthf9 >2) I cannot connect from any part of the internal network to the Notes
csthf9 >   server with the real IP. (I can connect from the internal network using
csthf9 >   the private IP, so I guess it is not the same problem as you stated?)
csthf9 >   Everybody is satisfied with the current configuration, but it is
csthf9 >   really ugly to get an "invalid argument" like that.  So... are
csthf9 >   there any possible solutions for this?
Ok, first of all, do those machines have

(1) a route to that machine/network? Since it is on another network
address apparently (real as opposed to internal).
(2) a gateway to a machine that has a route to that network? Can the
NAT'd machine ping/connect to the Notes server? What happens with
traceroute?

I spent a week or so setting up a VPN and I can feel the headaches you get
with routing! Ack, I hate it. (But the VPN works flawlessly :) )


csthf9 >> are you trying to access the NAT'd machine from in front of the debian [box]
csthf9 >> doing the NAT?  From the looks of it you are doing NAT on only part [of]
csthf9 >> the network.. the desktop PCs section (?)   You will not be able to [reach]
csthf9 >> the NAT'd machines from in front of the debian box doing the NAT even [if]
csthf9 >> it's on the same network. If you need this functionality you need [a box]
csthf9 >> that can do reverse NAT.
csthf9 >> I hope I understood your problem :)
csthf9 >> nate
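The "reverse NAT" that nate mentions is what is usually called hairpin NAT: the firewall has to DNAT LAN traffic sent to the server's public address onto the private address, and also SNAT it so the server's replies come back through the firewall rather than straight to the client (which would drop a reply from an address it never talked to). The script below is an added example, not code from anyone in this thread; every address, interface name and the `DRY_RUN` switch are assumptions for illustration (RFC 5737 / RFC 1918 ranges), and it assumes a Linux NAT box with iptables and the `ip` tool.

```shell
#!/bin/sh
# Added example (not from the original thread): hairpin ("reverse") NAT with
# iptables so hosts behind the NAT box can reach an internal server by its
# public IP. All addresses/interfaces below are assumed placeholders.
PUB_IP="${PUB_IP:-203.0.113.10}"      # public IP the Notes server is known by (assumed)
SRV_IP="${SRV_IP:-192.168.1.20}"      # real private address of the server (assumed)
LAN_NET="${LAN_NET:-192.168.1.0/24}"  # internal network behind the NAT box (assumed)
LAN_IF="${LAN_IF:-eth1}"              # interface facing the LAN (assumed)
DRY_RUN="${DRY_RUN:-1}"               # 1 = print the commands, 0 = apply them

# run either prints the command (dry run) or executes it.
run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# hairpin_nat_rules emits the three rules that make the hairpin path work:
#  1. PREROUTING DNAT: LAN packets addressed to PUB_IP are redirected to SRV_IP.
#  2. POSTROUTING MASQUERADE: the rewritten packets get the firewall's LAN
#     address as source, so the server answers the firewall, which un-DNATs the
#     reply. Without this the client gets a reply from SRV_IP for a connection
#     it opened to PUB_IP and discards it.
#  3. FORWARD ACCEPT for the flow entering and leaving on the same interface;
#     the return direction is assumed to be covered by the usual
#     ESTABLISHED,RELATED rule of a stateful firewall.
hairpin_nat_rules() {
  run iptables -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -d "$PUB_IP" \
      -j DNAT --to-destination "$SRV_IP"
  run iptables -t nat -A POSTROUTING -o "$LAN_IF" -s "$LAN_NET" -d "$SRV_IP" \
      -j MASQUERADE
  run iptables -A FORWARD -i "$LAN_IF" -o "$LAN_IF" -s "$LAN_NET" -d "$SRV_IP" \
      -j ACCEPT
}

# check_route answers the two routing questions asked above for one target:
# does the host have a route to it, and which gateway/interface does the kernel
# choose? It needs a real routing table, so it is skipped in dry-run mode.
check_route() {
  if [ "$DRY_RUN" = 1 ]; then
    echo "dry-run: would run 'ip route get $1'"
    return 0
  fi
  ip route get "$1"
}

hairpin_nat_rules
check_route "$PUB_IP"
```

Run it once with `DRY_RUN=1` to see the rules, then `DRY_RUN=0` on the NAT box to apply them. Note that the "invalid argument" symptom is consistent with the DNAT being in place but the MASQUERADE missing: the server's SYN-ACK then reaches the client directly from the private address and is rejected.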
