Hello majordomo,

We have an office LAN in two separate buildings (two rooms). These LANs are connected to a common "magistral" line by two firewall/routers with IPF 4.1.19 + PFIL 2.1.12 on Solaris 8 x86. This "magistral" line also links these firewalls (and some nearby partner offices' firewalls) to the Internet.

There are several IP address ranges in each room, including private IPs which are NATed on the firewalls. We want to use the hosts' own local IP addresses (even if these are the private IPs) when communicating between rooms, so that NAT only takes place if the hosts communicate with the Internet.

From the FAQ and the documentation I believe this falls under the "Policy NAT" rules, but this is scarcely documented, thus I am uncertain which syntax to use (if defining several Policy NAT exceptions is supported at all).

For example, what we *mean* to achieve is: if the destination IP is NOT in either range 194.12.34.64/26 or 192.168.128.0/24 (i.e. not a connection from one room's private subnet to the other room's subnets), then do NAT. Otherwise pass the source/dest addresses as-is.

The only syntax we found that passes the syntax check is:

    map elxl1 from 192.168.129.0/24 ! to 194.12.34.64/26 -> 194.12.33.113/32
    map elxl1 from 192.168.129.0/24 ! to 192.168.128.0/24 -> 194.12.33.113/32

However this only works for one of the rules (the first one, I believe), so packets for the second subnet mentioned become translated by NAT.

Recent IPFs also allow defining ippool names to group addresses. This only seems to work for ipf filtering, and the following line in ipnat.conf breaks the syntax check:

    map elxl1 from 192.168.129.144/28 ! to pool/real217 -> 194.67.183.113/32

To sum it up, the question stands: can we not-NAT several subnets, and if yes, what is the proper syntax?

--
Best regards,
COS&HT Admin
mailto:[EMAIL PROTECTED]

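As an added illustration (not part of the original mail, and not IPFilter's code), the following Python model applies the two "! to" rules from the mail under plain first-match "map" semantics and compares them with the single two-network exclusion the poster is after. Under first-match, any destination that lies in only one of the two excluded networks fails that rule's negation but matches the other rule, so neither exclusion survives; whether ipnat can express the combined exclusion in one rule is exactly the open question, so the model only states the desired policy, not a syntax. The rule tuples and sample addresses below are constructed for this model.

```python
import ipaddress

# Constructed model of an ipnat "map" rule:
# (source network, negate destination?, destination networks, translate source to)
# First matching rule wins, as with ipnat map rules; this is a simplification,
# not IPFilter's own matching code.
RULES_AS_POSTED = [
    ("192.168.129.0/24", True, ["194.12.34.64/26"], "194.12.33.113"),
    ("192.168.129.0/24", True, ["192.168.128.0/24"], "194.12.33.113"),
]

# The policy the mail describes: NAT only when the destination is in
# neither room network. Expressed here as one rule excluding both networks.
RULES_WANTED = [
    ("192.168.129.0/24", True, ["194.12.34.64/26", "192.168.128.0/24"], "194.12.33.113"),
]


def matches(rule, src, dst):
    """True if the packet src->dst is selected by this (modelled) map rule."""
    src_net, negate_dst, dst_nets, _ = rule
    src_ok = ipaddress.ip_address(src) in ipaddress.ip_network(src_net)
    in_dst = any(ipaddress.ip_address(dst) in ipaddress.ip_network(n) for n in dst_nets)
    return src_ok and (not in_dst if negate_dst else in_dst)


def translate(rules, src, dst):
    """Source address after the first matching map rule, or src unchanged if none match."""
    for rule in rules:
        if matches(rule, src, dst):
            return rule[3]
    return src


def compare(src, dst):
    """(source as seen with the posted rules, source as seen with the wanted policy)."""
    return translate(RULES_AS_POSTED, src, dst), translate(RULES_WANTED, src, dst)


if __name__ == "__main__":
    # 198.51.100.7 is a documentation address standing in for an Internet host.
    for dst in ("192.168.128.5", "194.12.34.70", "198.51.100.7"):
        posted, wanted = compare("192.168.129.10", dst)
        print(f"to {dst:15} posted rules -> {posted:15} wanted policy -> {wanted}")
```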