Hi Chad,

Responses in-line:

Chad S. Parsons wrote:
> Thanks Robyn.
>
> So this rule would take the place of my current default NAT rule, or
> just come before it in order of precedence?

This rule would need to take the place of your current default NAT rule. The NAT rules don't really work in a "first match and out" fashion, so your packet will keep traversing the chain and will wind up hitting the NAT "all" rule.

> If I'm going to have 5 sites connected together, I'd imagine that I'd
> need a rule for each site, correct? Would I just make them NAT rules 10
> - 15 or something equivalent?

It would be best if your 5 sites were part of a contiguous network so you could create just one NAT rule that would include them all. If not, take a look at this bug: https://bugzilla.vyatta.com/show_bug.cgi?id=2067

You can implement a workaround in iptables. Example:

    # This rule and the rule below will exit from the NAT table and will not get NAT'ted
    iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.0/24 -d 192.168.50.0/24 -j RETURN
    iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.0/24 -d 192.168.1.0/24 -j RETURN
    iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.0/24 -d 0.0.0.0/0 -j MASQUERADE

Or, if you haven't already, give Glendale Alpha 1 a try. Glendale includes an "exclude" option in the CLI where you can exclude certain packet combinations (such as those destined for your VPN tunnels) from being NAT'ted. There's more info on this in the bug.

Let me know if you have any more questions.

Thanks!

Robyn

> -----Original Message-----
> From: Robyn Orosz [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, February 20, 2008 10:02 AM
> To: Chad S. Parsons
> Cc: vyatta-users@mailman.vyatta.com
> Subject: Re: [Vyatta-users] VPN Routing or NAT Problem
>
> Hi Chad,
>
> You need to exclude the VPN packets from being NAT'ted by changing your
> source NAT rule a bit. Here's an example:
>
>     rule 5 {
>         type: "source"
>         source {
>             network: "10.10.10.0/24"   <--- your internal/VPN subnet that you are
>                                             sourcing packets from on this router
>         }
>         destination {
>             network: "!10.0.0.0/8"     <--- Note the '!' - this is NAT'ting all traffic
>                                             but those packets destined for 10.0.0.0/8.
>                                             This should be the destination network
>                                             for your remote VPN sites
>         }
>         outside-address {
>             address: 192.168.1.1       <--- This would represent your outside/public
>                                             address
>         }
>     }
>
> Thank you,
>
> Robyn
>
> Chad S. Parsons wrote:
>> I'm trying to build IPSEC tunnels between three of our offices and I
>> think I have one last hurdle to clear.
>>
>> The tunnels are built and are establishing, but I cannot get traffic
>> to move between the internal LANs.
>>
>> The routers are set up with a Source NAT rule changing the internal
>> addresses to a single public IP. This is the only NAT rule.
>>
>> Do I need to put one in place to keep the VPN traffic from being
>> NAT'ed? Or do I need to put a Static Route in to move the traffic
>> through the appropriate tunnel?
>>
>> If I can supply any more information, please let me know.
>>
>> Thanks,
>>
>> Chad
>>
>> ___________________________________
>> Chad S. Parsons
>> Senior Network/Business Systems Administrator
>> Cymetrix
>> 4510 East Pacific Coast Highway, Suite 600
>> Long Beach, CA 90804
>> Direct: 562.366.5343
>> Mobile: 805.490.4703
>> Help Desk: 866.333.6617
>> [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>
>> www.cymetrix.com <http://www.cymetrix.com/>
>
> ------------------------------------------------------------------------
>
>> _______________________________________________
>> Vyatta-users mailing list
>> Vyatta-users@mailman.vyatta.com
>> http://mailman.vyatta.com/mailman/listinfo/vyatta-users
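An added example, not from the thread or from Vyatta: a small Python model of the iptables workaround described above. It builds the POSTROUTING chain for a local subnet and a list of remote VPN subnets (one RETURN per site, or a single RETURN when the sites form one exactly-filled contiguous supernet, which is the "contiguous network" case Robyn mentions), renders the iptables commands without running them, and walks the chain the way netfilter does so you can check which packets get NAT'ted before touching a router. The interface name eth0 and the sample subnets are taken from the thread; the function names are my own.

```python
import ipaddress
from typing import List, Tuple

Net = ipaddress.IPv4Network
Rule = Tuple[Net, Net, str]  # (source match, destination match, target)


def covering_supernet(nets: List[Net]) -> Net:
    """Smallest single prefix that contains every network in `nets`."""
    cover = nets[0]
    while not all(n.subnet_of(cover) for n in nets):
        cover = cover.supernet()
    return cover


def build_chain(local_net: str, remote_nets: List[str]) -> List[Rule]:
    """RETURN rules for the VPN destinations first, then the catch-all MASQUERADE."""
    local = ipaddress.ip_network(local_net)
    remotes = [ipaddress.ip_network(n) for n in remote_nets]
    cover = covering_supernet(remotes)
    # Summarise into one RETURN only when the VPN subnets fill the supernet exactly;
    # a looser summary would also exempt non-VPN destinations from NAT.
    exact = cover.num_addresses == sum(n.num_addresses for n in remotes)
    exclusions = [cover] if exact else remotes
    chain: List[Rule] = [(local, dst, "RETURN") for dst in exclusions]
    chain.append((local, ipaddress.ip_network("0.0.0.0/0"), "MASQUERADE"))
    return chain


def render(chain: List[Rule], out_if: str = "eth0") -> List[str]:
    """The iptables commands, in chain order (printed, not executed)."""
    return [f"iptables -t nat -A POSTROUTING -o {out_if} -s {s} -d {d} -j {t}"
            for s, d, t in chain]


def nat_decision(chain: List[Rule], src: str, dst: str) -> str:
    """Walk the chain top to bottom; RETURN and MASQUERADE both end the walk.
    Returns the target hit, or NO-MATCH when the packet falls off the chain untouched."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_net, dst_net, target in chain:
        if s in src_net and d in dst_net:
            return target
    return "NO-MATCH"


if __name__ == "__main__":
    # Constructed input: the two remote sites from the thread's iptables example.
    chain = build_chain("192.168.0.0/24", ["192.168.50.0/24", "192.168.1.0/24"])
    print("\n".join(render(chain)))
    print(nat_decision(chain, "192.168.0.10", "192.168.50.5"))  # RETURN (not NAT'ted)
    print(nat_decision(chain, "192.168.0.10", "8.8.8.8"))       # MASQUERADE
```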