I suspect what you meant to say was that the IP addresses associated with the original packet are not modified by NAT, since the original packet is fully encapsulated within the UDP (or TCP, as mentioned by Adam) packet. In fact the UDP headers are changed to reflect the NATed IP address. If NAT were to be done on the original packet, it would invalidate the secure envelope when the packet checksum changed due to the new IP address. Sorry to split hairs, but in this case it is an important difference. Level one TAC is not always "In the Know" (they are human too). When this happens, ask them to escalate.
Ken Claussen MCSE CCNA CCA
"In Theory it should work as you describe, but the difference between theory and reality is the truth! For this we all strive"

-----Original Message-----
From: Clifford Thurber [mailto:[EMAIL PROTECTED]]
Sent: Monday, April 22, 2002 2:43 PM
To: Brian Browne; Groomes Jay; [EMAIL PROTECTED]
Subject: RE: RSCS0 10000/UDP

This is for UDP encapsulation of machines behind the device that are being NATed. NAT generally wreaks havoc on IPsec since it changes the headers; by tunneling in UDP packets you can get around this, as the UDP header does not change.

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
For Account Management (unsubscribe, get/change password, etc) Please go to:
http://lists.gnac.net/mailman/listinfo/firewalls
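The following is an added example, not code posted by anyone in this thread, that walks through the point the two messages are making: a NAT device rewrites the outer IP source address and UDP source port (and must recompute both checksums), but the IPsec packet carried inside the UDP payload is left byte-for-byte intact, so its integrity check still passes and the inner addresses are unchanged. For contrast, the last step shows what happens when the inner header inside the envelope is rewritten instead. Everything here is a model built for illustration: ESP integrity is stood in for by a truncated HMAC-SHA256 over SPI, sequence number and inner packet, the inner packet is carried unencrypted so it can be parsed afterwards, UDP port 4500 is assumed (the RFC 3948 NAT-traversal port; the thread's device uses 10000/UDP, and the port does not change the behaviour shown), and all addresses and payloads are constructed.

```python
import hashlib
import hmac
import socket
import struct

# Assumptions for this constructed example (not from the mailing-list thread):
# integrity = truncated HMAC-SHA256 over SPI+seq+inner packet, no encryption,
# UDP encapsulation on port 4500, documentation-range addresses throughout.
ESP_KEY = b"constructed-demo-key"
UDP_ENCAP_PORT = 4500
ESP_ICV_LEN = 12


def ones_complement_sum(data):
    """RFC 1071 checksum: 16-bit one's-complement sum, then complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, proto, payload):
    """Minimal IPv4 header (no options, TTL 64) with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ones_complement_sum(hdr)) + hdr[12:] + payload


def parse_ipv4(pkt):
    f = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return {"src": socket.inet_ntoa(f[8]), "dst": socket.inet_ntoa(f[9]),
            "proto": f[6], "payload": pkt[20:]}


def udp_checksum(src, dst, udp):
    """UDP checksum over the IPv4 pseudo-header plus the UDP header and payload."""
    pseudo = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 17, len(udp))
    return ones_complement_sum(pseudo + udp)


def build_udp(src, dst, sport, dport, payload):
    hdr = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    csum = udp_checksum(src, dst, hdr + payload) or 0xFFFF  # 0 means "no checksum" in UDP
    return hdr[:6] + struct.pack("!H", csum) + payload


def udp_checksum_ok(src, dst, udp):
    """A valid checksum makes the sum over pseudo-header + datagram come out to zero."""
    return udp_checksum(src, dst, udp) == 0


def build_esp(spi, seq, inner_packet):
    body = struct.pack("!II", spi, seq) + inner_packet
    return body + hmac.new(ESP_KEY, body, hashlib.sha256).digest()[:ESP_ICV_LEN]


def verify_esp(esp):
    body, icv = esp[:-ESP_ICV_LEN], esp[-ESP_ICV_LEN:]
    expected = hmac.new(ESP_KEY, body, hashlib.sha256).digest()[:ESP_ICV_LEN]
    return hmac.compare_digest(icv, expected)


def inner_packet_of(esp):
    return esp[8:-ESP_ICV_LEN]


def esp_of(packet):
    """Strip the outer IPv4 (20 bytes) and UDP (8 bytes) headers to get the ESP bytes."""
    return parse_ipv4(packet)["payload"][8:]


def encapsulate(inner_packet, outer_src, outer_dst, spi=0x1001, seq=1):
    """Tunnel the inner packet: ESP, wrapped in UDP, wrapped in an outer IPv4 header."""
    esp = build_esp(spi, seq, inner_packet)
    udp = build_udp(outer_src, outer_dst, UDP_ENCAP_PORT, UDP_ENCAP_PORT, esp)
    return build_ipv4(outer_src, outer_dst, 17, udp)


def nat_outer(packet, new_src, new_sport):
    """What the NAT device does: rewrite outer source IP and UDP source port, recompute both checksums, leave the UDP payload (the ESP packet) untouched."""
    ip = parse_ipv4(packet)
    _old_sport, dport, _ulen, _csum = struct.unpack("!HHHH", ip["payload"][:8])
    udp = build_udp(new_src, ip["dst"], new_sport, dport, ip["payload"][8:])
    return build_ipv4(new_src, ip["dst"], ip["proto"], udp)


def nat_inner(esp, new_src):
    """What NAT would do to the protected header if it could reach inside the envelope: rewrite the inner source address without touching the ICV."""
    p = parse_ipv4(inner_packet_of(esp))
    rewritten = build_ipv4(new_src, p["dst"], p["proto"], p["payload"])
    return esp[:8] + rewritten + esp[-ESP_ICV_LEN:]


def demo():
    inner = build_ipv4("192.168.1.10", "10.0.0.5", 6, b"constructed TCP segment")
    sent = encapsulate(inner, "192.168.1.10", "203.0.113.9")
    natted = nat_outer(sent, "198.51.100.7", 40000)
    outer = parse_ipv4(natted)
    return {
        "outer_src_after_nat": outer["src"],
        "udp_checksum_ok": udp_checksum_ok(outer["src"], outer["dst"], outer["payload"]),
        "esp_intact": esp_of(natted) == esp_of(sent),
        "icv_ok_after_outer_nat": verify_esp(esp_of(natted)),
        "inner_src_after_nat": parse_ipv4(inner_packet_of(esp_of(natted)))["src"],
        "icv_ok_after_inner_nat": verify_esp(nat_inner(esp_of(sent), "198.51.100.7")),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "=", value)
```

Running it shows the outer source becoming 198.51.100.7 with a valid recomputed UDP checksum, the ESP bytes identical before and after NAT, the ICV still verifying, and the inner source still 192.168.1.10; rewriting the inner header instead leaves the ICV stale and verification fails, which is the "invalidate the secure envelope" case from the reply above.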
