A little more detail on this:
 
You CAN use NAT on encrypted packets using FWZ, SKIP, and IKE with AH only (no ESP; see below) since the packets are not encapsulated - the original header will be translated.  You can also use NAT on IKE packets using ESP for encapsulation, but the NAT will apply prior to the encryption/encapsulation.  This allows you to do things like create NAT rules to pass traffic over a VPN to sites with the same addressing on both ends.
 
Not sure if this answers Aylton's original question, but hopefully worth at least $0.02.

Dan Hitchcock
CCNA, CCSE, MCSE
Security Analyst
Breakwater Security Associates
206.770.0700 x147
[EMAIL PROTECTED]
http://www.breakwatersecurity.com
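The ordering point Dan makes above (NAT applied before the integrity check is computed, versus after it) is easy to see with a toy model. The following is an added example, not code from the thread or from FireWall-1: it models an IPv4 header as a small dataclass, an AH-style ICV that covers the immutable header fields (including the addresses), and an ESP tunnel whose ICV covers only the ESP payload, not the outer header. The key, SPI, addresses and payload are constructed, and HMAC-SHA256 plus a hash-derived XOR keystream stand in for the real negotiated transforms.

```python
"""Toy model of NAT ordering against AH and ESP (added example, not from the thread)."""
import hashlib
import hmac
import struct
from dataclasses import dataclass, replace
from ipaddress import IPv4Address
from typing import Dict, Optional

KEY = b"constructed-demo-key"   # constructed; a real SA gets its keys from IKE
ICV_LEN = 32                     # HMAC-SHA256 stands in for the real ICV transform
AH, ESP = 51, 50                 # IP protocol numbers for AH and ESP


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    ttl: int
    proto: int
    payload: bytes


def header_bytes(pkt: Packet, for_icv: bool) -> bytes:
    """Serialise the header fields that matter here.  AH zeroes mutable fields
    (TTL here) but covers the immutable ones, including src/dst addresses."""
    ttl = 0 if for_icv else pkt.ttl
    return struct.pack("!BBII", ttl, pkt.proto,
                       int(IPv4Address(pkt.src)), int(IPv4Address(pkt.dst)))


def ah_protect(pkt: Packet) -> Packet:
    """Transport-mode AH: next-header byte + ICV over header and payload."""
    ah_hdr = bytes([pkt.proto])          # AH "next header" field
    outer = replace(pkt, proto=AH)
    icv = hmac.new(KEY, header_bytes(outer, True) + ah_hdr + pkt.payload,
                   hashlib.sha256).digest()
    return replace(outer, payload=ah_hdr + icv + pkt.payload)


def ah_verify(pkt: Packet) -> bool:
    """Recompute the ICV over the header as it arrived; a rewritten address fails."""
    if pkt.proto != AH:
        return False
    ah_hdr, icv, data = pkt.payload[:1], pkt.payload[1:1 + ICV_LEN], pkt.payload[1 + ICV_LEN:]
    expected = hmac.new(KEY, header_bytes(pkt, True) + ah_hdr + data, hashlib.sha256).digest()
    return hmac.compare_digest(icv, expected)


def keystream(n: int, seq: int) -> bytes:
    """Toy counter-mode keystream (stand-in for the ESP cipher)."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(KEY + struct.pack("!II", seq, ctr)).digest()
        ctr += 1
    return out[:n]


def esp_tunnel(inner: Packet, gw_src: str, gw_dst: str, seq: int = 1) -> Packet:
    """Tunnel-mode ESP: the whole inner packet is encrypted; the ICV covers
    SPI + seq + ciphertext only, so the outer IP header is not protected."""
    plain = header_bytes(inner, False) + inner.payload
    ct = bytes(a ^ b for a, b in zip(plain, keystream(len(plain), seq)))
    esp_hdr = struct.pack("!II", 0x1000, seq)   # constructed SPI, sequence number
    icv = hmac.new(KEY, esp_hdr + ct, hashlib.sha256).digest()
    return Packet(gw_src, gw_dst, 64, ESP, esp_hdr + ct + icv)


def esp_decapsulate(pkt: Packet) -> Optional[Packet]:
    if pkt.proto != ESP:
        return None
    esp_hdr, ct, icv = pkt.payload[:8], pkt.payload[8:-ICV_LEN], pkt.payload[-ICV_LEN:]
    if not hmac.compare_digest(icv, hmac.new(KEY, esp_hdr + ct, hashlib.sha256).digest()):
        return None
    _, seq = struct.unpack("!II", esp_hdr)
    plain = bytes(a ^ b for a, b in zip(ct, keystream(len(ct), seq)))
    ttl, proto, s, d = struct.unpack("!BBII", plain[:10])
    return Packet(str(IPv4Address(s)), str(IPv4Address(d)), ttl, proto, plain[10:])


def nat_src(pkt: Packet, new_src: str) -> Packet:
    """Source NAT: rewrite only the IP header's source address."""
    return replace(pkt, src=new_src)


def scenarios() -> Dict[str, bool]:
    orig = Packet("10.1.1.5", "10.2.2.7", 64, 6, b"constructed TCP segment")
    # AH computed first, then a NAT device in the path rewrites the source.
    ah_then_nat = nat_src(ah_protect(orig), "192.0.2.1")
    # NAT applied first (as when the same gateway NATs, then protects), then AH.
    nat_then_ah = ah_protect(nat_src(orig, "192.0.2.1"))
    # ESP tunnel built, then the OUTER header is NATted on the way.
    tun = nat_src(esp_tunnel(orig, "203.0.113.1", "198.51.100.1"), "192.0.2.1")
    return {
        "ah_then_nat": ah_verify(ah_then_nat),      # False: addresses are in the ICV
        "nat_then_ah": ah_verify(nat_then_ah),      # True: ICV computed over translated header
        "esp_outer_nat": esp_decapsulate(tun) == orig,  # True: outer header not in the ICV
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name}: {'verifies' if ok else 'FAILS'}")
```

The model shows only the integrity-check side of the problem: the AH ICV includes the addresses, so a translation applied after AH fails verification while one applied before it does not, and an ESP tunnel's ICV ignores the outer header. It says nothing about the other reasons a NAT in the path between two IPsec gateways is awkward in practice (peer identification, UDP/TCP checksums in transport mode), which the thread does not cover either.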

-----Original Message-----
From: Tim Holman [mailto:[EMAIL PROTECTED]]
Sent: Friday, March 23, 2001 6:42 AM
To: Aylton Souza, CISSP; fw-1-mailinglist
Subject: Re: [FW1] Some packets do not get NATted. Have you seen this before?

Encrypted packets (FWZ, SKIP, IKE) cannot have NAT applied, as their TCP/IP headers are encrypted, however IPSEC only encrypts the data portion, leaving the headers free for NAT manipulation.
Also bear in mind that NAT won't work with protocols that use embedded IP addresses (RPC, Oracle etc), unless a Proxy has been written for them.
----- Original Message -----
Sent: 23 March 2001 05:23
Subject: [FW1] Some packets do not get NATted. Have you seen this before?

Hello friends,
 
I remember some time ago someone was discussing a case in which some packets do not have NAT applied.
 
Anyone remembers other details?
 
Best wishes
 
Aylton

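Tim's point about embedded IP addresses is the classic reason NAT needs a protocol-aware proxy (an application-level gateway). As an added example, not from the thread, the following shows what such a proxy has to do for active-mode FTP, where the client announces its own private address inside the `PORT` command: a plain address-rewriting NAT leaves `10,1,1,5` in the control channel, so the server tries to connect back to an unroutable address. The private and public addresses, the port mapping and the sample commands are all constructed.

```python
"""Minimal FTP PORT-command ALG (added example, not from the thread)."""
import re
from typing import Callable, Optional, Tuple

# RFC 959 form: PORT h1,h2,h3,h4,p1,p2 (port = p1*256 + p2).
PORT_RE = re.compile(r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})(\r?\n?)$")


def parse_port(line: str) -> Optional[Tuple[str, int, str]]:
    """Return (ip, port, line_ending) or None if the line is not a valid PORT."""
    m = PORT_RE.match(line)
    if not m:
        return None
    octets = [int(x) for x in m.groups()[:6]]
    if any(o > 255 for o in octets):
        return None
    ip = ".".join(str(o) for o in octets[:4])
    return ip, octets[4] * 256 + octets[5], m.group(7)


def build_port(ip: str, port: int, ending: str = "\r\n") -> str:
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    return "PORT " + ip.replace(".", ",") + f",{port // 256},{port % 256}" + ending


def ftp_alg(line: str, private_ip: str, public_ip: str,
            allocate: Callable[[int], int]) -> str:
    """Rewrite a client's PORT command so the server connects to the NAT box.

    `allocate` maps the client's private data port to a public port the NAT
    has reserved for the inbound data connection.  Anything that is not a
    well-formed PORT for our own client passes through untouched.
    """
    parsed = parse_port(line)
    if parsed is None:
        return line
    ip, port, ending = parsed
    if ip != private_ip:
        return line          # not our client's address; leave the command alone
    return build_port(public_ip, allocate(port), ending)


def address_only_nat(line: str) -> str:
    """What a header-only NAT does to the control channel: nothing."""
    return line


if __name__ == "__main__":
    table = {1025: 40000}    # constructed port mapping
    cmd = "PORT 10,1,1,5,4,1\r\n"
    print(address_only_nat(cmd).strip(), "<- private address still embedded")
    print(ftp_alg(cmd, "10.1.1.5", "192.0.2.1", table.__getitem__).strip())
```

The same shape applies to the protocols Tim names: the proxy has to understand enough of the application protocol to find the embedded address, rewrite it consistently with the address-level translation, and reserve the matching port so the return connection is forwarded to the right inside host.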