RE: NAT and IPSEC and Packet Filters
You might want to take a look at RFC 2709.
cheers,
suresh
--- Vinod Porwal <vinod.porwal@ishoni.com> wrote:
> Hi Nathalie,
>
> What you mean to say is that on the same box I would have to NAT first and
> then IPSec on the outgoing direction. The IPSec rules also will refer to
> the private addresses. That means NAT should not translate (port or address
> translation) any traffic that may get tunneled at the IPSec module?
> Probably that could also be just controlled by appropriate policies at the
> NAT module. Am I right?
>
> Regards,
>
> Vinod Porwal.
>
> -----Original Message-----
> From: Nathalie Rivat [mailto:nrivat@nortelnetworks.com]
> Sent: Thursday, February 01, 2001 2:57 PM
> To: Vinod Kumar A Porwal; ipsec
> Subject: RE: NAT and IPSEC and Packet Filters
>
> Vinod,
>
> There are no particular issues about NATing clear IP packets that are
> forwarded by the IPsec gateway between the Intranet and the Internet. It is
> just a local policy implementation specifying that you NAT those packets.
>
> Just to add another reference that supports this feature: the Contivity VPN
> switch (Nortel).
>
> Regards,
> Nathalie
>
> -----Original Message-----
> From: Vinod Porwal [ mailto:vinod.porwal@ishoni.com]
> Sent: Thursday, February 01, 2001 8:21 AM
> To: ipsec
> Subject: NAT and IPSEC and Packet Filters
>
>
> Hi,
>
> I've scanned through a few drafts and articles which talk about NAT and IPSEC.
> Most of them talk about having IPSEC traffic going through NAT devices.
>
> I'm interested only in implementing a Security Gateway (SG) which protects
> the private network from the Internet (Packet Filters), does NAT allowing
> the private network to reach the Internet & is able to establish VPN
> tunnels to other SGs. Here there is no need for having traffic being NAT'ed
> and IPSec'd at the same time. Could someone guide me to a few issues that I
> may have to consider in getting this kind of solution, the interaction
> between NAT and IPSEC implementation that may be required, etc.
>
> From what I see, most of the commercial boxes like SonicWall and CheckPoint
> right now support the above-mentioned configuration. Am I right?
>
> Regards,
>
> Vinod Porwal.
>
>
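
The outbound ordering asked about in this thread (NAT first, then IPsec, with tunnel-bound traffic left untranslated), sketched as an added example that is not from any poster or from RFC 2709. All addresses, function names, and the simplified selector model are assumptions; port translation is omitted.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample topology: every address here is an assumption.
PUBLIC_IP = ipaddress.ip_address("203.0.113.1")
LOCAL_NET = ipaddress.ip_network("10.1.0.0/16")
# IPsec selectors written on private addresses: (local net, remote net, peer SG)
SPD = [(LOCAL_NET, ipaddress.ip_network("10.2.0.0/16"), "198.51.100.7")]

@dataclass
class Packet:
    src: str
    dst: str

def spd_lookup(src, dst):
    """Return the peer gateway if (src, dst) matches an IPsec selector."""
    for local, remote, peer in SPD:
        if src in local and dst in remote:
            return peer
    return None

def nat_outbound(pkt, exempt_tunneled=True):
    """NAT stage: rewrite private sources unless the flow is tunnel-bound."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    if exempt_tunneled and spd_lookup(src, dst):
        return pkt  # keep private addresses so the IPsec selector still matches
    if src in LOCAL_NET:
        return Packet(str(PUBLIC_IP), pkt.dst)  # address translation only
    return pkt

def process_outbound(pkt, exempt_tunneled=True):
    """Outbound path: NAT first, then the IPsec policy lookup."""
    pkt = nat_outbound(pkt, exempt_tunneled)
    peer = spd_lookup(ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst))
    if peer:
        return ("tunnel", peer, pkt.src)
    return ("clear", None, pkt.src)

if __name__ == "__main__":
    print(process_outbound(Packet("10.1.0.5", "10.2.0.9")))    # site-to-site flow
    print(process_outbound(Packet("10.1.0.5", "192.0.2.80")))  # Internet flow
    # Without the NAT exemption the selector no longer matches:
    print(process_outbound(Packet("10.1.0.5", "10.2.0.9"), exempt_tunneled=False))
```

With `exempt_tunneled=False` the translated source falls outside the selector, so a flow meant for the tunnel is forwarded in the clear; that is the case the NAT policy has to rule out.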