Firewall Wizards mailing list archives

Re: NAT

From: "Ryan Russell" <ryanr () sybase com>
Date: Wed, 17 Jun 1998 09:53:22 -0700



Your first paragraph clears it up, thanks.  If the IPSec happens
after NAT, it makes perfect sense.  When one wants to use
NAT with IPSec, then the device doing NAT would have to participate
in the IPSec connection.

That would imply that one couldn't get an IPSec connection
through a box that did NAT/proxy when that box didn't
participate in the connection.  I think that's going to be
a major problem for IPSec based VPN soultions.

                         Ryan





On Sidewinder, at least, the NAT activity is irrelevant to IPSEC behavior.
When leaving the internal (address translated) network, the addresses are
swapped before packets are handed to IPSEC for crypto processing. Encrypted
packets from the outside world are decrypted and then each packet's IP
address gets changed before being dropped on the internal LAN. The same
security association is used for all NATed traffic between a pair of IPSEC
gateways.

Current thread:

NAT Appel, John (Jun 11)
- <Possible follow-ups>
- RE: NAT Burden, James (Jun 12)
  - Re: NAT Tina Bird (Jun 13)
- Re: NAT Ryan Russell (Jun 15)
  - Re: NAT Rick Smith (Jun 17)
- RE: NAT Burden, James (Jun 16)
  - Re: NAT Tina Bird (Jun 17)
- Re: NAT Ryan Russell (Jun 17)
  - Re: NAT Rick Smith (Jun 17)
- Re: NAT Ryan Russell (Jun 17)
  - Re: NAT Rick Smith (Jun 17)
  - Re: NAT Paul Sangster (Jun 18)
- Re: NAT Ryan Russell (Jun 17)