On Tue, Feb 06, 2007 at 01:07:33PM +0100, Mitja wrote:
> Hello,
>
> I have problems configuring NAT. I've built a VPN from router2 to
> default route. I have access to internet from router2. Now I am stuck
> with NAT. How should I do NATting? What interface to use?
>
> # NETWORK SETUP:
>
> 192.168.1.0/24
>        |
>        |
>        |
> router 2-[172.16.16.6] --VPN-- [172.16.15.6]- router 1--Internet
>        |                 |                        |
>        |                 --- VPN: public IP range -> default ---
>        |
> 193.x.x.x/27
>
>
> # netstat -rnf encap
> Routing tables
>
> Encap:
> Source            Port  Destination       Port  Proto  SA(Address/Proto/Type/Direction)
> 172.16.15.6/32    0     172.16.16.6/32    0     0      172.16.15.6/esp/use/in
> 172.16.16.6/32    0     172.16.15.6/32    0     0      172.16.15.6/esp/require/out
> default           0     193.x.x.x/27      0     0      172.16.15.6/esp/use/in
> 193.x.x.x/27      0     default           0     0      172.16.15.6/esp/require/out
I don't really understand. Given that 193.x.x.x/27 is internet-addressable space, is it *really* your intention to use that? If so, review your assumptions. If not, and you intended to use some private space like 192.168.2.0/24 for the second subnet: am I correct in assuming that your internet access from router2 is via the VPN tunnel to router1? And, perhaps as importantly, that leaving router1 to do this stuff is not viable?

Provided that the assumptions are correct, I assume that 'nat on enc0 from { $int_if1:network $int_if2:network } -> $ext_if:0' would work, but you'll have to forgive me for not testing it - it's a bit of a mess here, and I don't want to set up the laptop right now.

Joachim
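For readers following the thread, here is a fuller pf.conf fragment for router2 built around the "nat on enc0" idea above. It is an added illustration, not Joachim's or Mitja's configuration, and it targets the pre-4.7 pf syntax in use in 2007 (separate nat and pass rules, explicit "keep state"). The interface names em0/em1, the macro names, and the nat_addr value are assumptions; 193.x.x.x is the same placeholder notation the original post uses and must be replaced with a real address.

```pf
# Added example for router2 (not from the original thread).
# Assumed interface names; adjust to the real ones.
int_if1  = "em0"              # faces 192.168.1.0/24
int_if2  = "em1"              # faces 193.x.x.x/27
vpn_if   = "enc0"             # IPsec pseudo-interface: packets appear here
                              # in the clear, before ESP encapsulation
priv_net = "192.168.1.0/24"
pub_net  = "193.x.x.x/27"     # placeholder from the original post

# Address the private hosts are translated to. The netstat output in the
# thread shows the outbound flow selector is "193.x.x.x/27 -> default", and
# pf translates before the kernel picks a flow, so the translated source
# must lie inside that selector or the packet never enters the tunnel.
# Placeholder: one of router2's own addresses inside 193.x.x.x/27.
nat_addr = "193.x.x.x"

# Translate only the private subnet. The public /27 is routable and is
# already covered by the flow, so it crosses the tunnel untranslated.
nat on $vpn_if from $priv_net to any -> $nat_addr

# Filter rules on enc0 see tunnel traffic after translation (outbound)
# and after decryption (inbound). Keep them explicit so that only the
# expected sources are forwarded into the VPN.
pass out on $vpn_if from { $nat_addr, $pub_net } to any keep state
pass in  on $vpn_if from any to { $nat_addr, $pub_net } keep state

# LAN-side rules so hosts can reach router2 in the first place.
pass in  on $int_if1 from $priv_net to any keep state
pass in  on $int_if2 from $pub_net  to any keep state
```

Useful checks after loading this: "pfctl -nf /etc/pf.conf" parses the file without applying it, "pfctl -s nat" and "pfctl -s state" show whether the translation rule loaded and whether state entries with the translated source appear, and "tcpdump -ni enc0" shows the plaintext side of the tunnel, so a packet that shows up there with a 192.168.1.x source means the NAT rule did not match. IP forwarding must also be enabled with "sysctl net.inet.ip.forwarding=1" or nothing is routed at all.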