
RE: [FW1] Some packets do not get NATted. Have you seen this before?



A little more detail on this:
 
You CAN use NAT on encrypted packets using FWZ, SKIP, and IKE with AH only (no ESP; see below) since the packets are not encapsulated - the original header will be translated.  You can also use NAT on IKE packets using ESP for encapsulation, but the NAT will apply prior to the encryption/encapsulation.  This allows you to do things like create NAT rules to pass traffic over a VPN to sites with the same addressing on both ends.
 
Not sure if this answers Aylton's original question, but hopefully worth at least $0.02.

Dan Hitchcock
CCNA, CCSE, MCSE
Security Analyst
Breakwater Security Associates

[email protected]
http://www.breakwatersecurity.com

-----Original Message-----
From: Tim Holman [mailto:[email protected]]
Sent: Friday, March 23, 2001 6:42 AM
To: Aylton Souza, CISSP; fw-1-mailinglist
Subject: Re: [FW1] Some packets do not get NATted. Have you seen this before?

Encrypted packets (FWZ, SKIP, IKE) cannot have NAT applied, as their TCP/IP headers are encrypted, however IPSEC only encrypts the data portion, leaving the headers free for NAT manipulation.
Also bear in mind that NAT won't work with protocols that use embedded IP addresses (RPC, Oracle etc), unless a Proxy has been written for them.
----- Original Message -----
Sent: 23 March 2001 05:23
Subject: [FW1] Some packets do not get NATted. Have you seen this before?

Hello friends,
 
I remember some time ago someone was discussing a case in which some packets do not have NAT applied.
 
Does anyone remember other details?
 
Best wishes
 
Aylton


 
   All contents © 2004 Network Presence, LLC. All rights reserved.