Re: [nsp] IPSEC tunneling and static NAT?

From: Gert Doering (gert@greenie.muc.de)
Date: Tue Jul 10 2001 - 09:37:30 EDT


Hi,

On Tue, Jul 10, 2001 at 02:24:04PM +0100, Alister Yap wrote:
> I assume you are running in tunnel mode and using ESP. I also assume your
> IPSec peers are between the WAN links.

Yes, this is correct. Sorry for not explicitly stating it.

> From your logs, no encryption is done
> because the IP header has changed to 19.30.101.17 & 195.30.101.18 as a
> result of NAT.

Yes.

> You would need to have crypto ACLs for these 2 addresses.

This is what I did not, but it doesn't really solve the problem - if a
peer sends out a "ping" to 192.168.0.10, the response packet is NATted,
and comes back from 195.30.101.17 (and thus is not recognized). Same
for all other traffic originating from the outside and directed to
192.168.0.10.

So I have to use the "external" IPs for "tunneled" connections,
which means "every time I add a static NAT entry, I have to change
from using internal IPs for that host to using the external IP". Quite
a catch in a dynamically evolving network...

The PIX NAT implementation does not do this (because the "no nat"
access list works for all NAT, not only on dynamic NAT).

> Also, you might want to try NAPT for your 2 servers (192.168.0.10 &
> 192.168.0.11), which would mean that you will now need 1 tunnel, which makes
> things less ugly.

Which doesn't really help things in this case - I want "notes" access
via IPSEC/Tunnel mode, and also via NAT, so it's the same port in both
cases...

> Just my 2 cents (or 2p here in UK)

Thanks :-)

The long-term solution that I envision right now is to drop NAT completely
for the machines in question and put them into a "not natted at all"
IP range on the same LAN (which works). As they are natted 1:1 anyway,
this is no worse from a security standpoint, and better from the
manageability standpoint in the face of IPSEC.

The "I wish I could have this" thing is still a way to override static NAT
translations for certain destination IPs.

gert

-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert@greenie.muc.de
fax: +49-89-35655025                        gert.doering@physik.tu-muenchen.de
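Added illustration, not part of Gert's post or of any Cisco code: a small Python model of the ordering problem the message describes. The static 1:1 entries and the 192.168.0.0/24 LAN are the ones from the thread; the remote LAN 10.1.1.0/24 behind the IPsec peer is an assumption. The model applies the static translation before the crypto ACL is evaluated (the IOS behaviour Gert observes), offers a PIX-style "nat 0" exemption list as the alternative he refers to, and shows the workaround he mentions (adding the external addresses to the crypto ACL).

```python
"""Model of the static NAT versus crypto ACL ordering problem.

Constructed illustration for this thread, not code from the original
post. Addresses: inside LAN and static NAT entries as quoted in the
thread; remote LAN 10.1.1.0/24 behind the IPsec peer is an assumption.
The packet flow is a simplification: static NAT is applied to an
inside->outside packet before the crypto ACL is checked, unless a
PIX-style "nat 0" exemption list says the packet must not be translated.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Static 1:1 NAT entries, internal -> external (from the thread).
STATIC_NAT = {
    "192.168.0.10": "195.30.101.17",
    "192.168.0.11": "195.30.101.18",
}

# Crypto ACL written for internal addresses: inside LAN to remote LAN.
CRYPTO_ACL = [("192.168.0.0/24", "10.1.1.0/24")]

# Gert's workaround: also list the external (post-NAT) addresses, which
# has to be repeated for every new static NAT entry.
CRYPTO_ACL_WITH_EXTERNAL = CRYPTO_ACL + [
    (ext + "/32", "10.1.1.0/24") for ext in STATIC_NAT.values()
]

# Exemption ("nat 0" style) ACL: traffic matching it skips NAT entirely.
NONAT_ACL = [("192.168.0.0/24", "10.1.1.0/24")]


def acl_match(acl, src, dst):
    """True if (src, dst) is permitted by any (src_net, dst_net) line."""
    s, d = ip_address(src), ip_address(dst)
    return any(s in ip_network(sn) and d in ip_network(dn) for sn, dn in acl)


@dataclass
class Result:
    src: str         # source address as seen when the crypto ACL runs
    encrypted: bool  # whether the packet matched the crypto ACL


def outbound(src, dst, crypto_acl=CRYPTO_ACL, exempt=False):
    """Process one inside->outside packet (e.g. the reply to a ping).

    Without an exemption the static translation is applied first, so the
    crypto ACL sees the external address and a crypto ACL written for the
    internal LAN does not match. With a nat-0 style exemption, traffic
    matching NONAT_ACL keeps its internal address and is recognised.
    """
    if not (exempt and acl_match(NONAT_ACL, src, dst)):
        src = STATIC_NAT.get(src, src)
    return Result(src, acl_match(crypto_acl, src, dst))


if __name__ == "__main__":
    # Reply from the natted server to a host on the peer's LAN.
    print(outbound("192.168.0.10", "10.1.1.5"))                   # natted, not encrypted
    print(outbound("192.168.0.10", "10.1.1.5", exempt=True))      # internal, encrypted
    print(outbound("192.168.0.10", "10.1.1.5", CRYPTO_ACL_WITH_EXTERNAL))
    # A host without a static entry is unaffected either way.
    print(outbound("192.168.0.20", "10.1.1.5"))
```

The exemption list is the "override static NAT for certain destination IPs" behaviour Gert wishes for: the decision is taken on the (internal source, destination) pair before any translation, so adding a static NAT entry for a host does not require touching the crypto ACL.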



This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:12:44 EDT