A little more detail on this:
You CAN use NAT on encrypted packets using FWZ, SKIP, and IKE with AH only
(no ESP; see below) since the packets are not encapsulated - the original
header will be translated. You can also use NAT on IKE packets using ESP for
encapsulation, but the NAT will apply prior to the
encryption/encapsulation. This allows you to do things like create NAT
rules to pass traffic over a VPN to sites with the same addressing on both
ends.
Not sure if this answers Aylton's original question, but hopefully worth at
least $0.02.
Encrypted packets (FWZ, SKIP, IKE) cannot have NAT applied,
as their TCP/IP headers are encrypted; however, IPSEC only encrypts the data
portion, leaving the headers free for NAT manipulation.
Also bear in mind that NAT won't work with protocols that
use embedded IP addresses (RPC, Oracle etc), unless a Proxy has been written
for them.
----- Original Message -----
Sent: 23 March 2001 05:23
Subject: [FW1] Some packets do not get NATted. Have you seen this before?
Hello friends,
I remember some time ago someone was discussing
a case in which some packets do not have NAT applied.
Does anyone remember other details?
Best wishes
Aylton