IPSec with ESP can be successfully NAT'ed, but if you are using IPSec with
AH (authentication header), you cannot masquerade the traffic because each
packet contains the client's IP address hashed with a cryptographic
checksum.  No NAT box will be able to proxy this.

I don't know about the commercial firewalls out there, but Linux can
masquerade IPSec and PPTP just fine :-)

-Jason

On Wed, 6 Oct 1999, pdmallya wrote:

> Date: Wed, 6 Oct 1999 12:06:00 +0530 
> From: pdmallya <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: IPSec & NAT
> 
> Hi,
> 
> I saw the archives on IPSec and NAT (nexial archives). I could not find an
> explicit answer to this one:
> 
> I have a set up as follows:
> 
>  (special network) --- VPN G/W --- (internal network) -- f/w --- (Internet) --- f/w ---- VPN G/W ---- (sp network)
>  
> In the above, (in the left side network) I would like to do a NAT of the VPN
> Gateway interface connecting to the internal network. Due to various
> constraints, I have to place the VPN Gateway far from the firewall ....
> there is a considerable amount of internal network segments etc between the
> Internet f/w and the VPN gateway. I would also be placing a f/w between the
> VPN g/w and the internal network - not shown this in the diagram above.
> 
> But will IPSec allow such NAT to take place? Or does IPSec authentication
> authenticate with the source IP address and will therefore not allow me to do
> NAT?
> 
> Thanks & Regards
> 
> Prabhakar D. Mallya
> Infosys Technologies Limited, Bangalore
> 
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
> 


AT&T Wireless Services
IT Security
UNIX Security Operations Specialist
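
The AH/ESP difference described in the reply above, as an added example that is not part of the original messages: a simplified model of the two integrity checks, showing that a NAT rewrite of the source address breaks AH verification but not ESP. Assumptions: HMAC-SHA1-96 as the integrity algorithm, a constructed key, SPI and addresses, IP header checksum left at zero, and ESP encryption and padding omitted.

```python
import hmac, hashlib, socket, struct

KEY = b"constructed-demo-key"   # constructed SA key shared by both peers
SPI, SEQ = 0x1000, 1            # constructed SA values

def icv(data):
    return hmac.new(KEY, data, hashlib.sha1).digest()[:12]   # HMAC-SHA1-96

def ip_header(src, dst, proto, body_len, ttl=64):
    # 20-byte IPv4 header; checksum left as 0 (AH zeroes it before hashing)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + body_len, 0, 0, ttl,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def ah_immutable(hdr):
    # AH zeroes the mutable fields (TOS, flags/offset, TTL, checksum);
    # source and destination addresses stay in the hashed data.
    h = bytearray(hdr)
    h[1] = 0
    h[6:8] = b"\0\0"
    h[8] = 0
    h[10:12] = b"\0\0"
    return bytes(h)

def build_ah(src, dst, payload):
    ah = struct.pack("!BBHII", 6, 4, 0, SPI, SEQ)      # next header = TCP
    ip = ip_header(src, dst, 51, len(ah) + 12 + len(payload))
    tag = icv(ah_immutable(ip) + ah + bytes(12) + payload)
    return ip + ah + tag + payload

def verify_ah(pkt):
    ip, ah, tag, payload = pkt[:20], pkt[20:32], pkt[32:44], pkt[44:]
    return hmac.compare_digest(tag, icv(ah_immutable(ip) + ah + bytes(12) + payload))

def build_esp(src, dst, ciphertext):
    esp = struct.pack("!II", SPI, SEQ) + ciphertext    # payload assumed already encrypted
    return ip_header(src, dst, 50, len(esp) + 12) + esp + icv(esp)

def verify_esp(pkt):
    esp, tag = pkt[20:-12], pkt[-12:]                  # outer IP header is not covered
    return hmac.compare_digest(tag, icv(esp))

def nat(pkt, new_src):
    # What a NAT box does to the outer header: rewrite source, decrement TTL
    hdr = bytearray(pkt[:20])
    hdr[12:16] = socket.inet_aton(new_src)
    hdr[8] -= 1
    return bytes(hdr) + pkt[20:]
```
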
