The main issues I see with NAT are related to pooled translations.  If you
set up static NAT translations so IPSEC knows what IP addresses it is
talking to, it should work just fine.  Example:

10.1.1.1 is going to build a tunnel to 10.2.2.1

10.1.1.1 has a static NAT translation on site A's firewall of 192.1.1.1 ==
10.1.1.1
10.2.2.1 has a static NAT translation on site B's firewall,  192.2.2.1 ==
10.2.2.1

The IPSEC gateway at site A is told to set up a tunnel to 192.2.2.1 so it
does.
The IPSEC gateway at site B sees these coming from 192.1.1.1 and responds.
The IPSEC gateway at site A sees the connection responses from these return
packets as coming from 192.2.2.1
the gateway it wanted to talk to.

That's the first half of the connection. Now. . .
The IPSEC gateway at site B sets up the return connection to 192.1.1.1.
The IPSEC gateway at site A sees these coming from 192.2.2.1 and responds.
The IPSEC gateway at site B sees the connection responses from these return
packets as coming from 192.2.2.1
the gateway it wanted to talk to.

The only issue might be that the gateway tries to set up the security
relationship in both directions in a single transaction.  It might
very well pass its true internal IP address in the session set-up.  Of
course the other gateway couldn't reach that address.
 
Might take a bit of fiddling but you should be able to get this to work
fine.

> -----Original Message-----
> From: pdmallya [SMTP:[EMAIL PROTECTED]]
> Sent: Tuesday, October 05, 1999 11:36 PM
> To:   [EMAIL PROTECTED]
> Subject:      IPSec & NAT
> 
> Hi,
> 
> I saw the archives on IPSec and NAT (nexial archives). I could not find an
> explicit answer to this one:
> 
> I have a set up as follows:
> 
>  (special network) --- VPN G/W --- (internal network) -- f/w ---
> (Internet)
> --- f/w ---- VPN G/W ---- (sp network)
> 
> In the above, (in the left side network) I would like to do a NAT of the
> VPN Gateway interface connecting to the internal network. Due to various
> constraints, I have to place the VPN Gateway far from the firewall ....
> there is a considerable amount of internal network segments etc between
> the Internet f/w and the VPN gateway. I would also be placing a f/w
> between the VPN g/w and the internal network - not shown this in the
> diagram above.
> 
> But will IPSec allow such NAT to take place? Or does IPSec authenticate
> with the source IP address and therefore not allow me to do NAT?
> 
> Thanks & Regards
> 
> Prabhakar D. Mallya
> Infosys Technologies Limited, Bangalore
> 
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
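The static-NAT exchange described in the reply above, as an added example that is not part of the original thread: a small Python simulation of a 1:1 static NAT and a pooled NAT sitting in front of an IPsec gateway, using the post's addresses (10.1.1.1 mapped to 192.1.1.1 at site A, 10.2.2.1 mapped to 192.2.2.1 at site B). The integrity check is deliberately simplified to an HMAC over the fields each protocol actually covers: AH's ICV includes the outer source and destination addresses, ESP's does not, so a static NAT passes ESP but breaks AH. The pooled case shows why an unsolicited inbound connection fails, and the last function models the "passes its true internal IP in the session set-up" problem as an IKE identity check. The key, payloads and pool addresses are constructed for the example; real SPIs, sequence numbers and key exchange are omitted.

```python
"""Constructed simulation of IPsec behind static vs. pooled NAT.
Example code, not from the original thread."""
import hmac
import hashlib
from dataclasses import dataclass

KEY = b"constructed-demo-key"  # stands in for the negotiated SA key (assumption)


@dataclass
class Packet:
    src: str
    dst: str
    proto: str      # "ESP", "AH" or "IKE"
    payload: bytes
    icv: bytes = b""


def _icv(pkt: Packet) -> bytes:
    """ESP's ICV covers only the ESP header/payload; AH's also covers the
    immutable outer IP fields, including source and destination address."""
    covered = pkt.proto.encode() + pkt.payload
    if pkt.proto == "AH":
        covered = pkt.src.encode() + pkt.dst.encode() + covered
    return hmac.new(KEY, covered, hashlib.sha256).digest()[:12]


def sign(pkt: Packet) -> Packet:
    pkt.icv = _icv(pkt)
    return pkt


def verify(pkt: Packet) -> bool:
    return hmac.compare_digest(_icv(pkt), pkt.icv)


class StaticNat:
    """1:1 static translation: stateless, so it works in either direction."""
    def __init__(self, inside: str, outside: str):
        self.inside, self.outside = inside, outside

    def outbound(self, pkt: Packet) -> Packet:
        if pkt.src == self.inside:
            pkt.src = self.outside
        return pkt

    def inbound(self, pkt: Packet):
        if pkt.dst == self.outside:
            pkt.dst = self.inside
            return pkt
        return None  # nothing mapped to that address: dropped


class PooledNat:
    """Dynamic pool: a mapping exists only after inside-to-outside traffic,
    so an unsolicited inbound packet has nowhere to go."""
    def __init__(self, pool):
        self.pool = list(pool)
        self.table = {}  # inside address -> pool address

    def outbound(self, pkt: Packet) -> Packet:
        if pkt.src not in self.table:
            if not self.pool:
                raise RuntimeError("NAT pool exhausted")
            self.table[pkt.src] = self.pool.pop(0)
        pkt.src = self.table[pkt.src]
        return pkt

    def inbound(self, pkt: Packet):
        for inside, outside in self.table.items():
            if pkt.dst == outside:
                pkt.dst = inside
                return pkt
        return None


def site_a_to_b(proto: str):
    """Site A's gateway sends one protected packet to B's public address
    through both static NATs; returns (src, dst, icv_ok) as B's gateway sees it."""
    nat_a = StaticNat("10.1.1.1", "192.1.1.1")
    nat_b = StaticNat("10.2.2.1", "192.2.2.1")
    pkt = sign(Packet("10.1.1.1", "192.2.2.1", proto, b"tunnel data"))
    pkt = nat_a.outbound(pkt)   # 10.1.1.1 -> 192.1.1.1 on the way out
    pkt = nat_b.inbound(pkt)    # 192.2.2.1 -> 10.2.2.1 on the way in
    return pkt.src, pkt.dst, verify(pkt)


def site_b_initiates_through_pool(pool) -> bool:
    """Site B opens the 'return' SA toward an address in A's pool before A has
    sent anything; returns True if A's NAT delivers it, False if it is dropped."""
    nat_a = PooledNat(pool)
    pkt = Packet("192.2.2.1", pool[0], "ESP", b"IKE from B")
    return nat_a.inbound(pkt) is not None


def peer_accepts_ike_id(claimed_id: str, seen_src: str) -> bool:
    """Simplified ID_IPV4_ADDR check: a peer that insists the IKE identity
    equal the packet source rejects a gateway that announces its inside address."""
    return claimed_id == seen_src


if __name__ == "__main__":
    print("static NAT, ESP:", site_a_to_b("ESP"))
    print("static NAT, AH: ", site_a_to_b("AH"))
    print("pooled NAT, B initiates:", site_b_initiates_through_pool(["192.1.1.5"]))
    print("IKE ID = inside addr accepted:", peer_accepts_ike_id("10.1.1.1", "192.1.1.1"))
```

With ESP the packet arrives at site B with the translated source 192.1.1.1 and a valid ICV; with AH the same translation invalidates the ICV, which is the practical reason to use ESP tunnel mode across any NAT. The pooled case is the "main issue" from the reply: until 10.1.1.1 has sent something outbound there is no mapping, so site B's attempt to build the return SA is dropped at A's firewall. The identity check shows the remaining fiddling: if the gateway behind the NAT presents 10.1.1.1 as its IKE identity, a peer that requires the identity to match the packet source will reject it, so the identity has to be set to the public address (or to a non-address identity type).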