Thanks Robyn.  

So this rule would take the place of my current default NAT rule, or
just come before it in order of precedence?

If I'm going to have 5 sites connected together, I'd imagine that I'd
need a rule for each site, correct?  Would I just make them NAT rules 10
- 15 or something equivalent?
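The following is an added example, not configuration or code from this thread or from Vyatta: a small Python evaluator that mirrors the source NAT rule in Robyn's reply and reports which flows it would translate. It assumes first-match semantics in numeric rule order and that a leading '!' simply inverts the destination match; the five site subnets and host addresses are constructed values.

```python
# Added example (not from the Vyatta list thread). Assumed rule semantics:
# rules are tried in numeric order, '!' before a network negates that
# match, and the first matching rule wins.
import ipaddress
from dataclasses import dataclass


@dataclass
class SourceNatRule:
    number: int
    source: str            # e.g. "10.10.10.0/24"
    destination: str       # e.g. "!10.0.0.0/8" ('!' = anything except this)
    outside_address: str   # address the source is rewritten to

    @staticmethod
    def _match(spec: str, addr: ipaddress.IPv4Address) -> bool:
        negate = spec.startswith("!")
        net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
        return (addr in net) != negate

    def matches(self, src: str, dst: str) -> bool:
        return (self._match(self.source, ipaddress.ip_address(src))
                and self._match(self.destination, ipaddress.ip_address(dst)))


def translate(rules, src, dst):
    """Return the translated source address for a flow, or None when no
    rule applies (the packet leaves untranslated, as VPN traffic should)."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(src, dst):
            return rule.outside_address
    return None


# Constructed values: the rule from Robyn's reply plus five hypothetical
# remote VPN site subnets that all fall inside 10.0.0.0/8.
RULES = [SourceNatRule(5, "10.10.10.0/24", "!10.0.0.0/8", "192.168.1.1")]
SITE_SUBNETS = ["10.10.10.0/24", "10.20.0.0/24", "10.30.0.0/24",
                "10.40.0.0/24", "10.50.0.0/24"]


def vpn_sites_untranslated(rules=RULES, sites=SITE_SUBNETS) -> bool:
    """True when a host in 10.10.10.0/24 reaches every site without NAT."""
    return all(translate(rules, "10.10.10.5", str(ipaddress.ip_network(s)[1])) is None
               for s in sites)


if __name__ == "__main__":
    print(translate(RULES, "10.10.10.5", "8.8.8.8"))     # 192.168.1.1 (translated)
    print(translate(RULES, "10.10.10.5", "10.20.0.7"))   # None (VPN traffic untouched)
    print(vpn_sites_untranslated())                      # True
```

Adding a site subnet outside 10.0.0.0/8 to SITE_SUBNETS makes the last check fail, which is the quickest way to see whether a single negated destination still covers every tunnel.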
-----Original Message-----
From: Robyn Orosz [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, February 20, 2008 10:02 AM
To: Chad S. Parsons
Cc: vyatta-users@mailman.vyatta.com
Subject: Re: [Vyatta-users] VPN Routing or NAT Problem

Hi Chad,

You need to exclude the VPN packets from being NAT'ted by changing your 
source NAT rule a bit. Here's an example:

rule 5 {
    type: "source"
    source {
        network: "10.10.10.0/24"   <--- your internal/VPN subnet that you are
                                        sourcing packets from on this router
    }
    destination {
        network: "!10.0.0.0/8"     <--- Note the '!' - this is NAT'ting all traffic
                                        but those packets destined for 10.0.0.0/8.
                                        This should be the destination network for
                                        your remote VPN sites
    }
    outside-address {
        address: 192.168.1.1       <--- This would represent your outside/public
                                        address
    }
}

Thank you,

Robyn

Chad S. Parsons wrote:
>
> I'm trying to build IPSEC tunnels between three of our offices and I 
> think I have one last hurdle to clear.
>
> The tunnels are built and are establishing, but I cannot get traffic 
> to move between the internal LANs.
>
> The routers are set up with a Source NAT rule changing the internal 
> addresses to a single public IP. This is the only NAT rule.
>
> Do I need to put one in place to keep the VPN traffic from being 
> NAT'ed? Or do I need to put a Static Route in to move the traffic 
> through the appropriate tunnel?
>
> If I can supply any more information, please let me know.
>
> Thanks,
>
> Chad
>
> ___________________________________
> Chad S. Parsons
> Senior Network/Business Systems Administrator
> Cymetrix
> 4510 East Pacific Coast Highway, Suite 600
> Long Beach, CA 90804
> Direct: 562.366.5343
>
> Mobile: 805.490.4703
> Help Desk: 866.333.6617
> [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>
> www.cymetrix.com <http://www.cymetrix.com/>
>
>
> _______________________________________________
> Vyatta-users mailing list
> Vyatta-users@mailman.vyatta.com
> http://mailman.vyatta.com/mailman/listinfo/vyatta-users
