NAT

Tina Bird tbird@iegroup.com
Sat, 13 Jun 1998 00:33:29 -0500


This isn't true!  I'm aware of a large number of VPN installations,
both IPSec and proprietary, which work quite happily with NAT.  Even
PPTP is interoperable now with address translation, at least once
you've got your routes set up correctly.

F'r instance:  Sidewinder firewalls perform NAT "by default" - that
is, you can't have a live Sidewinder that >doesn't< have address
translation thanks to the two-or-more NICs, and the lack of IP
forwarding.  Sidewinder supports IPSec in both transport and tunnel
modes, allowing the VPN to terminate on either the external side of
the firewall (in which case the unencrypted, destination side of the
IPSec association is the "final" destination, as far as the VPN is
concerned) or on the internal side of the firewall (in which case
the firewall hands off the traffic to the destination machine on the
interior network).  In either case, the firewall is the decryption
server, and it's only ever the external firewall IP address which is
visible to the public network.

I've worked with 3 or 4 other VPN products (Alta Vista, PPTP,
VTCP/Secure and Signal 9) with similar success in a NAT environment.

Tina Bird

Burden, James wrote:
> 
> John,
> 
> Besides RFC1918 you can read RFC1631 - The IP Network Address Translator
> (NAT). K. Egevang & P. Francis.
>      May 1994. (Format: TXT=22714 bytes) (Status: INFORMATIONAL).
> 
> I am not aware of a pro/cons white paper yet.  However, VPN (example:
> IPSEC) technologies are costly and kludgey working with NAT.  If IP
> headers are encrypted then a tunnel would have to begin and end anywhere
> NAT is used.
> 
> Jim
> 
> James Burden            Phone - 916.351.2243
> Security Engineer               Page - 916.814.2563
> California ISO                  Fax - 916.351.2181
> http://www.caiso.com    Email - jburden@caiso.com
> 41DF 0E4C 26E0 2FD3 8C81  A260 5C40 280E B4AE 7420
> ____________________________________________
>    To Teach is to Learn   - Aaron Nimzovich
> ____________________________________________
> 
> > -----Original Message-----
> > From: Appel, John [SMTP:AppelJ@1st-annapolis.com]
> > Sent: Wednesday, June 10, 1998 12:05 PM
> > To:   'firewall-wizards@nfr.net'
> > Subject:      NAT
> >
> > Is there a FAQ or similar document covering the pros/cons/caveats of
> > NAT?
> >
> > TIA,
> >
> > John
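The point the thread circles around, which IPsec modes survive address translation and why, as an added worked example (not from either message, and not Sidewinder's or any other product's code): a small Python model of a NAT box rewriting the source address of a packet in three cases. AH protects the immutable fields of the IP header (including the addresses) with its ICV, so any rewrite breaks verification; ESP in transport mode leaves the IP header in the clear but hides the TCP checksum, whose pseudo-header includes the addresses, inside the encrypted payload, so the end host's recomputation fails (the "checksum" problem later catalogued in RFC 3715); ESP in tunnel mode terminating on the NAT device itself (Tina's Sidewinder case) puts the whole inner packet inside ESP, and NAT only touches the outer header that nothing cryptographic covers. Addresses, key and payload are constructed; the model omits SPI, sequence numbers and the actual encryption, keeping only the pieces that decide whether NAT breaks the packet.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed demo key; a real SA would get this from IKE or manual keying.
AH_KEY = b"constructed-demo-key-not-from-the-page"


def ones_complement_checksum(data: bytes) -> int:
    """RFC 1071 checksum, as used by the IPv4 header and the TCP pseudo-header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ones_complement_checksum(hdr)) + hdr[12:]


def ip_checksum_valid(hdr: bytes) -> bool:
    """A header whose checksum field is correct sums to zero under the same algorithm."""
    return ones_complement_checksum(hdr[:20]) == 0


def addrs(hdr: bytes):
    """(src, dst) as dotted strings, read back from a header."""
    return str(ipaddress.IPv4Address(hdr[12:16])), str(ipaddress.IPv4Address(hdr[16:20]))


def nat_rewrite_src(hdr: bytes, new_src: str) -> bytes:
    """What a NAT box does to the header it can see: swap the source, fix the checksum."""
    b = bytearray(hdr)
    b[12:16] = ipaddress.IPv4Address(new_src).packed
    b[10:12] = b"\x00\x00"
    b[10:12] = struct.pack("!H", ones_complement_checksum(bytes(b)))
    return bytes(b)


def ah_covered_view(hdr: bytes) -> bytes:
    """AH (RFC 2402) zeroes the mutable fields before computing the ICV: TOS, flags and
    fragment offset, TTL, header checksum. The addresses are NOT mutable, so the ICV
    binds them; that is exactly what NAT has to change."""
    b = bytearray(hdr[:20])
    b[1] = 0
    b[6:8] = b"\x00\x00"
    b[8] = 0
    b[10:12] = b"\x00\x00"
    return bytes(b)


def ah_icv(hdr: bytes, payload: bytes, key: bytes = AH_KEY) -> bytes:
    """HMAC-SHA1-96 (RFC 2404) over the immutable header fields plus the payload."""
    return hmac.new(key, ah_covered_view(hdr) + payload, hashlib.sha1).digest()[:12]


def ah_survives_nat(src: str, nat_src: str, dst: str, payload: bytes) -> bool:
    """Sender computes the AH ICV, NAT rewrites the source, receiver re-verifies."""
    hdr = ipv4_header(src, dst, 51, len(payload))          # protocol 51 = AH
    icv = ah_icv(hdr, payload)
    natted = nat_rewrite_src(hdr, nat_src)
    return hmac.compare_digest(icv, ah_icv(natted, payload))


def tcp_checksum(src: str, dst: str, segment: bytes) -> int:
    """TCP checksum over a pseudo-header carrying the IP addresses plus the segment
    (the segment's own checksum field is taken as already zeroed)."""
    pseudo = (ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
              + b"\x00" + bytes([6]) + struct.pack("!H", len(segment)))
    return ones_complement_checksum(pseudo + segment)


def esp_transport_tcp_checksum_ok(src: str, nat_src: str, dst: str, segment: bytes) -> bool:
    """ESP transport mode: IP header in the clear, TCP segment (and its checksum) encrypted.
    NAT can rewrite the address but cannot reach the checksum, so the end host, which
    recomputes over the address it actually sees, gets a mismatch."""
    sent = tcp_checksum(src, dst, segment)
    seen_by_host = tcp_checksum(nat_src, dst, segment)
    return sent == seen_by_host


def esp_tunnel_tcp_checksum_ok(src: str, nat_src: str, gw: str,
                               inner_src: str, inner_dst: str, segment: bytes) -> bool:
    """ESP tunnel mode ending on the NAT/firewall: the whole inner packet rides inside ESP.
    NAT only rewrites the outer header, which neither ESP nor the inner TCP checksum covers,
    and the decapsulated inner packet reaches the destination untouched."""
    inner = ipv4_header(inner_src, inner_dst, 6, len(segment)) + segment
    outer = ipv4_header(src, gw, 50, len(inner))             # protocol 50 = ESP
    natted_outer = nat_rewrite_src(outer, nat_src)
    delivered = inner                                        # gateway strips ESP, forwards inner
    return (ip_checksum_valid(natted_outer) and ip_checksum_valid(delivered[:20])
            and tcp_checksum(inner_src, inner_dst, segment)
            == tcp_checksum(*addrs(delivered[:20]), delivered[20:]))


if __name__ == "__main__":
    seg = b"\x00" * 20 + b"GET / HTTP/1.0"                   # constructed TCP segment
    print("AH through NAT:           ", ah_survives_nat("192.168.1.10", "203.0.113.5", "198.51.100.20", seg))
    print("ESP transport through NAT:", esp_transport_tcp_checksum_ok("192.168.1.10", "203.0.113.5", "198.51.100.20", seg))
    print("ESP tunnel ending at NAT: ", esp_tunnel_tcp_checksum_ok("192.168.1.1", "203.0.113.5", "198.51.100.1",
                                                                    "192.168.1.10", "10.0.0.7", seg))
```

The three results line up with the thread: Jim's statement holds for AH and for ESP transport mode crossing a NAT box, while Tina's working deployments are the third case, where the tunnel terminates on the device that does the translation, so the only header NAT touches is one that was never authenticated.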