On Sun, 13 Nov 2016 10:35:29 +0100 Pascal Hambourg <pas...@plouf.fr.eu.org> wrote:
> On 12/11/2016 at 23:32, Joe wrote:
> >
> > The SNAT should not be an issue, it can handle all protocols
> > transparently
>
> No it cannot. NAT is not possible with some IP protocols. Plain IPSec
> (without NAT-T encapsulation) is the first one that comes to mind.

I used to have a fair bit to do with PPTP through three or four NATs,
which sometimes involved guessing what Windows equivalents of conntrack
were up to.

>
> Also many complex protocols such as FTP or SIP (nothing exotic here)
> require special support and this is not transparent as it requires
> messing with the payload, not only with the packet headers. Use of
> encryption with these protocols may get in the way and defeat NAT
> handling.

Is ssh really a more difficult protocol to handle than http? In the
context of this question, I would suggest not. I'm using 'protocol' in
the small-p sense, not referring specifically to Internet Protocols.

-- 
Joe
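The FTP case raised in the quoted text, as an added example that is not part of the original thread: an active-mode `PORT` command carries the client's address and port inside the payload, so a NAT helper has to rewrite the payload itself, and it cannot do so once the control channel is encrypted. The addresses, ports and the opaque record below are constructed sample values, and `rewrite_port` is a hypothetical helper, not the code of any real NAT implementation.

```python
import re

# Argument of an active-mode FTP PORT command (RFC 959):
# four address octets followed by two port bytes, comma separated.
PORT_RE = re.compile(rb"PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r\n")

# Constructed samples: a cleartext control line, and the same position in the
# stream when the control channel is encrypted (opaque bytes to the NAT box).
CLEAR = b"PORT 192,168,1,10,195,80\r\n"
ENCRYPTED = bytes([0x17, 0x03, 0x03, 0x00, 0x20]) + b"\x8a" * 32


def parse_port(line):
    """Return (ip, port) embedded in a PORT command, or None if unreadable."""
    m = PORT_RE.fullmatch(line)
    if not m:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def rewrite_port(line, public_ip, public_port):
    """Replace the private endpoint in the payload, as an FTP NAT helper must.

    Returns (new_line, length_delta). A non-zero delta means the helper also
    has to adjust TCP sequence/ack numbers for the rest of the connection.
    Anything that is not a readable PORT command passes through unchanged.
    """
    if parse_port(line) is None:
        return line, 0
    addr = ",".join(public_ip.split("."))
    new = "PORT {},{},{}\r\n".format(addr, public_port >> 8, public_port & 0xFF).encode()
    return new, len(new) - len(line)


if __name__ == "__main__":
    print(parse_port(CLEAR))                              # private endpoint in payload
    print(rewrite_port(CLEAR, "203.0.113.7", 40001))      # rewritten, length changed
    print(rewrite_port(ENCRYPTED, "203.0.113.7", 40001))  # opaque: left untouched
```

With the encrypted sample the private address inside the command reaches the server unmodified, which is the failure the quoted text describes. A single-connection protocol such as ssh or http carries no endpoint addresses in its payload, so header-only translation is enough for it.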