It depends on the NAT implementation and the IPSEC mode you are using. Tunnel
mode ESP can be NATed.
The problem can also be solved by terminating the tunnel in the correct place
and applying the NAT outside the tunnel.
acs
On 30-Mar-00 David J. Cavuto wrote:
> All,
>
> My understanding is that static NAT (one-to-one mapping) will only work on
> ESP IPSEC, since the authentication in ESP covers the ESP header all the
> way into the ESP trailer.
>
> However, static NAT should NOT work on AH traffic, since the authentication
> INCLUDES the IP address. Changing the IP address will invalidate the
> authentication and cause the packet to be rejected.
>
> Or so I understand.
>
> -David Cavuto
>
>
> At 02:34 PM 3/29/00 -0600, [EMAIL PROTECTED] wrote:
>
>>Bob is absolutely right, static NAT will work and my error might well have
>>been assuming that Sebastian's original request implied a random internal
>>host. If it's a fixed host and you have an external address you can use
>>for static NAT then IPSec will work.
>>
>>
>>-- Bill Stackpole, CISSP
>
> -------------------------
> David J. Cavuto, Systems Engineer
> Lucent Security Products - http://www.lucent.com/security
>
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
_______________________
Aaron C. Springer
[EMAIL PROTECTED]
pgp key published
_______________________
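
The point made in the quoted message above, as an added example that is not part of the original thread: a simplified Python model of which bytes the AH and ESP integrity checks cover, and what a static NAT rewrite of the source address does to each. The key, addresses, SPIs and helper names are constructed for illustration, HMAC-SHA1-96 is assumed as the integrity algorithm, and ESP encryption is not modelled.

```python
import hashlib
import hmac
import socket
import struct

KEY = b"constructed-demo-key"   # constructed integrity key
AH, ESP = 51, 50                # IP protocol numbers


def icv(data):
    """HMAC-SHA1-96: HMAC-SHA1 truncated to 12 bytes."""
    return hmac.new(KEY, data, hashlib.sha1).digest()[:12]


def ah_input(pkt):
    """Bytes AH authenticates: mutable IP fields and the ICV field zeroed."""
    b = bytearray(pkt)
    b[1] = 0                    # TOS
    b[6:8] = b"\0\0"            # flags + fragment offset
    b[8] = 0                    # TTL
    b[10:12] = b"\0\0"          # header checksum
    b[32:44] = b"\0" * 12       # ICV field inside the AH header
    return bytes(b)             # source/destination addresses stay in


def build(proto, src, dst, body):
    """Constructed IPv4 + AH/ESP packet; body stands in for protected data."""
    inner_len = (24 if proto == AH else 20) + len(body)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + inner_len, 0x1234, 0, 64,
                     proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    if proto == AH:
        pkt = ip + struct.pack("!BBHII", 6, 4, 0, 0x1000, 1) + b"\0" * 12 + body
        return pkt[:32] + icv(ah_input(pkt)) + pkt[44:]
    esp = struct.pack("!II", 0x2000, 1) + body
    return ip + esp + icv(esp)  # ICV covers SPI through trailer only


def verify(pkt):
    """Receiver-side integrity check for either protocol."""
    if pkt[9] == AH:
        return hmac.compare_digest(pkt[32:44], icv(ah_input(pkt)))
    return hmac.compare_digest(pkt[-12:], icv(pkt[20:-12]))


def static_nat(pkt, new_src):
    """One-to-one NAT: rewrite the source address (checksum fix omitted)."""
    return pkt[:12] + socket.inet_aton(new_src) + pkt[16:]
```
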