> What I need is to be able to specify instead of "any" only routable
> address ranges. Maybe something like:
> map eth1 from 10.254.1.0/24 to range 0.0.0.1 - 9.255.255.255 -> 10.0.133.102/32
Hi, Steve,
You can use subnet notation, i.e. we have rules like these
on Solaris 8 x86, IPF 4.1.28:
1) Don't NAT to a different address (pass packets as is) when
routing to a specific destination subnet (segments of LAN):
map elxl1 from 192.168.129.0/24 to 149.49.64.0/24 -> 0.0.0.0/0
map elxl1 from 192.168.119.0/24 to 192.168.130.0/23 -> 0.0.0.0/0
2) Do NAT certain SRCs going to certain DSTs (remote partner's
office over VPN, they don't know of our 192.168.* addresses):
map elxl1 from 192.168.117.0/24 to 10.1.0.0/16 -> 195.66.181.161/32
3) Do NAT certain SRCs going to "anywhere except certain DSTs":
map elxl1 from 192.168.129.128/27 ! to 192.168.42.0/24 -> 195.66.181.113/32
Hope these live examples help...
Steve Clark wrote:
Hi Darren,
I am running into a problem with ipnat on Linux when using GRE over
IPsec. I have GRE tunnels which use non-routable address endpoints,
which are tunneled over IPsec to run OSPF.
My normal ipnat config looks like this on FreeBSD, where it works, but it
doesn't work on Linux:
map eth1 from 10.254.1.0/24 to any port=21 -> 10.0.133.102/32 proxy port 21 ftp/tcp
map eth1 from 10.254.1.0/24 to any -> 10.0.133.102/32 portmap tcp/udp 40000:60000
map eth1 from 10.254.1.0/24 to any -> 10.0.133.102/32
The problem is that in Linux the ESP encapsulation happens last, so anything
going across the GREs is being NATted.
What I need is to be able to specify instead of "any" only routable
address ranges. Maybe something like:
map eth1 from 10.254.1.0/24 to range 0.0.0.1 - 9.255.255.255 -> 10.0.133.102/32
Or am I missing something and there is already a way to do this?
BTW, if I remove the "map eth1 from 10.254.1.0/24 to any -> 10.0.133.102/32"
rule, then my GREs work, but I can't ping the internet because the ICMP is not
mapped.
Thanks for any advice,
Steve
--
+============================================================+
| |
| Климов Евгений, Jim Klimov |
| Technical Director, CTO |
| ЗАО "ЦОС и ВТ" JSC COS&HT |
| |
| +7-903-7705859 (cellular) mailto:[email protected] |
| CC:[email protected],[email protected] |
+============================================================+
| () ascii ribbon campaign - against html mail |
| /\ - against microsoft attachments |
+============================================================+
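A small model of the rule matching that Jim's reply relies on, added here as an illustration; it is not code from the thread or from IPFilter. It parses "map <iface> from <net> [!] to <net> -> <target>" lines of the shape quoted above, treats "-> 0.0.0.0/0" as pass-through and a "/32" target as the new source address, and walks the rules in order with the first match winning (an assumption of this model, which also ignores port=, portmap and proxy options). The rule set is constructed: the first three rules are the ones quoted from the Solaris box, and the fourth is hypothetical, showing how a "! to" exclusion on the private range would keep GRE tunnel endpoints out of NAT while Internet-bound traffic, ICMP included, is still mapped.

```python
import ipaddress
import re
from typing import List, NamedTuple, Optional


class MapRule(NamedTuple):
    iface: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dst_negated: bool      # "! to": rule applies to every destination EXCEPT dst
    target: ipaddress.IPv4Network
    text: str


class Decision(NamedTuple):
    rule: Optional[str]    # text of the matching rule, None if nothing matched
    new_src: str           # source address after (possible) translation


# Constructed sample rule set. Rules 1-3 are the ones quoted in the thread;
# rule 4 is hypothetical: leave anything bound for 10.0.0.0/8 (the GRE
# endpoints) alone, translate everything else from the 10.254.1.0/24 LAN.
RULES = """
map elxl1 from 192.168.129.0/24 to 149.49.64.0/24 -> 0.0.0.0/0
map elxl1 from 192.168.117.0/24 to 10.1.0.0/16 -> 195.66.181.161/32
map elxl1 from 192.168.129.128/27 ! to 192.168.42.0/24 -> 195.66.181.113/32
map eth1 from 10.254.1.0/24 ! to 10.0.0.0/8 -> 10.0.133.102/32
"""

# Subset of the ipnat "map" grammar: options after the target are not modelled.
RULE_RE = re.compile(
    r"^map\s+(?P<iface>\S+)\s+from\s+(?P<src>\S+)\s+"
    r"(?P<neg>!\s*)?to\s+(?P<dst>\S+)\s+->\s+(?P<target>\S+)"
)


def _net(token: str) -> ipaddress.IPv4Network:
    # ipnat accepts "any" as shorthand for 0.0.0.0/0
    return ipaddress.ip_network("0.0.0.0/0" if token == "any" else token, strict=False)


def parse_rules(text: str) -> List[MapRule]:
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported rule syntax: {line}")
        target = _net(m["target"])
        if target.prefixlen not in (0, 32):
            raise ValueError(f"only /32 targets or 0.0.0.0/0 are modelled: {line}")
        rules.append(MapRule(m["iface"], _net(m["src"]), _net(m["dst"]),
                             m["neg"] is not None, target, line))
    return rules


def translate(rules: List[MapRule], iface: str, src: str, dst: str) -> Decision:
    """Return the source address a packet leaves with; first matching rule wins."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r.iface != iface or s not in r.src:
            continue
        dst_hit = d in r.dst
        # A negated rule skips destinations inside r.dst; a plain rule skips those outside.
        if dst_hit == r.dst_negated:
            continue
        if r.target.prefixlen == 0:          # -> 0.0.0.0/0: pass the packet as is
            return Decision(r.text, src)
        return Decision(r.text, str(r.target.network_address))
    return Decision(None, src)               # no rule matched: untouched


if __name__ == "__main__":
    rules = parse_rules(RULES)
    flows = [
        ("elxl1", "192.168.129.130", "149.49.64.5"),   # rule 1: LAN segment, pass as is
        ("elxl1", "192.168.129.130", "203.0.113.5"),   # rule 3: translated
        ("elxl1", "192.168.129.130", "192.168.42.7"),  # excluded by "! to": no match
        ("eth1", "10.254.1.10", "10.0.133.1"),         # GRE endpoint: left alone
        ("eth1", "10.254.1.10", "198.51.100.9"),       # Internet-bound: translated
    ]
    for iface, src, dst in flows:
        dec = translate(rules, iface, src, dst)
        print(f"{iface} {src} -> {dst}: src becomes {dec.new_src}  (rule: {dec.rule})")
```

Running it shows the ordering that matters for Steve's case: a destination inside the excluded range falls through all rules and leaves with its own source address, while everything else from the same LAN is mapped, so ICMP to the Internet still gets its translated source.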