RE: quietly....

[Matthew Huff <mhuff () ox com>]

Trust me, I'm very familiar with FTP and firewalls. The problem is not just with NAT, but exists with SPI. Both are 
solved problems that work with NAT. Something like ftp over SSH works well without fixup or NAT issues and is becoming 
more standard at least in the financial services community.

IPSEC to a NAT/SPI firewall works fine, through it has issues. But then again, rarely do you want that in a corporate 
network anyway.

> -----Original Message-----
> From: Valdis.Kletnieks () vt edu [mailto:Valdis.Kletnieks () vt edu]
> Sent: Thursday, February 03, 2011 2:29 PM
> To: Matthew Huff
> Cc: Owen DeLong; nanog () nanog org
> Subject: Re: quietly....
>
> On Thu, 03 Feb 2011 13:41:26 EST, Matthew Huff said:
> > Owen, can you point to a application protocol that is broken via NAT that
> > isn't a p2p protocol or VoIP?
>
> The only reason FTP works through a NAT is because the NAT has already
> been hacked up to further mangle the data stream to make up for the
> mangling it does.
>
> I'm told that IPSEC through a NAT can be interesting too...  And that's
> something I'm also told some corporations are interested in.