John - While I haven't set up a smart card system, there is a general guideline for handling encryption and NAT. Basically, you need NAT to occur before the packet is encrypted, or not at all*.

For your setup, you can put the LDAP server on the inside of your network, so that the traffic does not need to be NATed. Or, you can set up your firewall to do both the encryption and the NAT (most firewalls will do the NAT on the packet first, then encrypt, so that the hash values work out). Another option is to have the firewall tunnel these packets over the wire to another firewall that will return the packets to their original IP state before forwarding them on to the LDAP server.

hth
Valerie

(* you can also not use MD5 authentication, in which case the fact that the IP header has changed won't matter. Also, some crypto tools have a special authentication that doesn't take the IP header into account in the hash.)

> Delivered-To: [EMAIL PROTECTED]
> From: John G Taylor <[EMAIL PROTECTED]>
>
> Has anyone set up a smart card system or similar on their site? If so, can
> someone please offer some suggestions as to how they overcame the following
> problem.
>
> IPSEC packets sent are NATed by the firewall and of course, as a result the
> hash value is changed due to the header of the incoming packet having to
> change for the addressing to the LDAP server. Now the main question is, how
> did anyone overcome this? Where did they put the LDAP server? DMZ,
> Internal, External? My thoughts are that you would put the LDAP server in
> the DMZ and direct address it from the source.
>
> Any thoughts would be good.
>
> John Taylor

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with "unsubscribe firewalls" in the body of the message.]
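The following is an added illustration, not code from either poster, of the mechanism the thread is discussing: a keyed integrity check that covers the IP addresses (AH-style authentication) fails whenever NAT rewrites the header after the check is computed, whereas computing the check after NAT, or using an authenticator that covers only the payload, survives the rewrite. The `Packet` class, the key, the addresses and the LDAP payload are all constructed for the example; the digest is an HMAC over a simplified field set, not the real AH or ESP wire layout.

```python
import hmac
import hashlib
from dataclasses import dataclass, replace

# Constructed shared authentication key; stands in for the IPsec SA's key.
KEY = b"constructed-shared-key"


@dataclass(frozen=True)
class Packet:
    """Minimal stand-in for an IP packet: addresses plus the protected payload."""
    src: str
    dst: str
    payload: bytes


def ah_style_icv(pkt: Packet, key: bytes = KEY) -> bytes:
    """Integrity check value covering the IP addresses and the payload.
    This mirrors AH-style authentication: any header rewrite breaks it."""
    covered = pkt.src.encode() + b"|" + pkt.dst.encode() + b"|" + pkt.payload
    return hmac.new(key, covered, hashlib.md5).digest()


def payload_only_icv(pkt: Packet, key: bytes = KEY) -> bytes:
    """Integrity check value over the payload only, i.e. an authenticator
    that does not take the IP header into account (Valerie's footnote)."""
    return hmac.new(key, pkt.payload, hashlib.md5).digest()


def nat_rewrite(pkt: Packet, new_src: str) -> Packet:
    """Simulate source NAT on the firewall: only the source address changes."""
    return replace(pkt, src=new_src)


def verify(pkt: Packet, icv: bytes, icv_fn) -> bool:
    """Receiver-side check, using a constant-time comparison."""
    return hmac.compare_digest(icv_fn(pkt), icv)


def simulate(nat_before_auth: bool, icv_fn) -> bool:
    """Run one packet through NAT and authentication in the given order and
    report whether the receiver's integrity check succeeds."""
    original = Packet(
        src="192.0.2.10",                    # constructed inside host
        dst="198.51.100.5",                  # constructed LDAP server
        payload=b"LDAP bind request (constructed payload)",
    )
    public_src = "203.0.113.1"               # constructed NAT address
    if nat_before_auth:
        # Firewall NATs first, then computes the authenticator (the working order).
        sent = nat_rewrite(original, public_src)
        icv = icv_fn(sent)
        received = sent
    else:
        # Host authenticates first, then the firewall NATs the already-signed packet.
        icv = icv_fn(original)
        received = nat_rewrite(original, public_src)
    return verify(received, icv, icv_fn)


if __name__ == "__main__":
    print("auth then NAT, header covered :", simulate(False, ah_style_icv))   # False
    print("NAT then auth, header covered :", simulate(True, ah_style_icv))    # True
    print("auth then NAT, payload only   :", simulate(False, payload_only_icv))  # True
```

The three calls correspond to the three situations in the thread: John's problem (the host signs, then the firewall NATs, and the check fails), Valerie's "NAT first, then encrypt" firewall ordering, and her footnote about an authenticator that leaves the IP header out of the hash.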
