-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Steve Clark wrote:
| Hi Darren,
|
| I am running into a problem with ipnat on linux when using gre over
| ipsec. I have gre tunnels which use non routable address endpoints
| which are tunneled over ipsec to run ospf.
|
| My normal ipnat config looks like this on FreeBSD which works but
| doesn't on linux:
| map eth1 from 10.254.1.0/24 to any port=21 -> 10.0.133.102/32 proxy port 21 ftp/tcp
| map eth1 from 10.254.1.0/24 to any -> 10.0.133.102/32 portmap tcp/udp 40000:60000
| map eth1 from 10.254.1.0/24 to any -> 10.0.133.102/32
|
| The problem is in linux the esp encapsulation happens last so anything
| going across the gre's is being natted.
|
| What I need is to be able to specify instead of "any" only routable
| address ranges. Maybe something like:
| map eth1 from 10.254.1.0/24 to range 0.0.0.1 - 9.255.255.255 -> 10.0.133.102/32
|
| Or am I missing something and there is already a way to do this?
|
| BTW if I remove the map eth1 from 10.254.1.0/24 to any -> 10.0.133.102/32
| then my gre's work but I can't ping the internet cause the icmp is not
| mapped.
Using 4.1, the way to do this would be:
map eth1 from 10.254.1.0/24 to 0.0.0.0/8 -> 10.0.133.102/32
map eth1 from 10.254.1.0/24 to 1.0.0.0/8 -> 10.0.133.102/32
map eth1 from 10.254.1.0/24 to 2.0.0.0/8 -> 10.0.133.102/32
map eth1 from 10.254.1.0/24 to 3.0.0.0/8 -> 10.0.133.102/32
map eth1 from 10.254.1.0/24 to 4.0.0.0/8 -> 10.0.133.102/32
map eth1 from 10.254.1.0/24 to 5.0.0.0/8 -> 10.0.133.102/32
map eth1 from 10.254.1.0/24 to 6.0.0.0/8 -> 10.0.133.102/32
map eth1 from 10.254.1.0/24 to 7.0.0.0/8 -> 10.0.133.102/32
map eth1 from 10.254.1.0/24 to 8.0.0.0/8 -> 10.0.133.102/32
map eth1 from 10.254.1.0/24 to 9.0.0.0/8 -> 10.0.133.102/32
With 5.x and beyond, you would do:
map eth1 from 10.254.1.0/24 to pool/100 -> 10.0.133.102/32
.. and to put the above networks in pool 100.
.. or am I missing something here?
Darren
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iEYEARECAAYFAksFAhUACgkQP7JIXtvLbFVbvACgqIaCeRTK03YZcqD2eAGQVLY2
NHIAn0+r4uHiyvwE9/pTVgdt8PbRMnCz
=ZNrf
-----END PGP SIGNATURE-----
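The reply above enumerates the destination networks by hand, one `map` line per /8, and for 5.x points at a pool. As an added example (not part of Darren's reply and not IPFilter project code), the following Python script generalises that approach: it carves the non-routable prefixes the GRE endpoints live in out of 0.0.0.0/0, collapses the remainder into the fewest CIDR blocks, and emits both the 4.x-style `map` lines and a 5.x-style pool table. The interface, source network and NAT address are the ones from the thread; the RFC 1918 exclusion list is an assumption standing in for whatever ranges the tunnel endpoints actually use, and the `ippool.conf` table syntax is written from memory of the ippool.conf manual page and should be checked against the installed release.

```python
import ipaddress

# Values taken from the thread: interface, NAT source network, NAT address.
IFACE = "eth1"
SRC_NET = "10.254.1.0/24"
NAT_ADDR = "10.0.133.102/32"

# Assumed exclusion set: the non-routable prefixes the GRE tunnel endpoints
# sit in. Packets to these must not be translated before ESP encapsulates them.
NON_ROUTABLE = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]


def range_to_blocks(first, last):
    """Smallest list of CIDR blocks exactly covering first..last inclusive.

    This is the 'range 0.0.0.1 - 9.255.255.255' idea from the question
    expressed in the CIDR form ipnat actually accepts."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))


def routable_blocks(exclude=NON_ROUTABLE):
    """CIDR blocks of 0.0.0.0/0 with every network in `exclude` carved out."""
    remaining = [ipaddress.ip_network("0.0.0.0/0")]
    for ex in map(ipaddress.ip_network, exclude):
        carved = []
        for net in remaining:
            if net.subnet_of(ex):
                continue                               # swallowed entirely
            if ex.subnet_of(net):
                carved.extend(net.address_exclude(ex))  # split around it
            else:
                carved.append(net)                     # disjoint, keep as is
        remaining = carved
    # collapse_addresses merges adjacent siblings back into larger blocks
    return sorted(ipaddress.collapse_addresses(remaining))


def ipnat_map_rules(iface, src, nat_addr, blocks):
    """One ipnat 'map' line per block, the IPFilter 4.x style from the reply."""
    return [f"map {iface} from {src} to {b.with_prefixlen} -> {nat_addr}"
            for b in blocks]


def ippool_table(number, blocks):
    """ippool.conf table for the 5.x 'to pool/N' form (syntax assumed)."""
    body = " ".join(f"{b.with_prefixlen};" for b in blocks)
    return f"table role = ipf type = tree number = {number} {{ {body} }};"


def covers(blocks, addr):
    """True if some block contains addr; a sanity check before loading rules."""
    a = ipaddress.ip_address(addr)
    return any(a in b for b in blocks)


if __name__ == "__main__":
    blocks = routable_blocks()
    for line in ipnat_map_rules(IFACE, SRC_NET, NAT_ADDR, blocks):
        print(line)
    print(ippool_table(100, blocks))
    # With the pool form, ipnat.conf then needs a single line:
    print(f"map {IFACE} from {SRC_NET} to pool/100 -> {NAT_ADDR}")
```

Before loading the generated rules, `covers()` is a cheap check that a tunnel endpoint address falls outside every block while a public address falls inside one; the failure mode in the question (GRE traffic silently translated because `any` matched it) is exactly what that check rules out.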