DNAT - TCP-IP



Thread: DNAT

  1. DNAT

    I have several lan segments and I'm using NAT in this way:

    all clients having 192.168.0.0/16 which go to specific IP Address
    192.168.1.31, destination address must be translated into
    192.168.4.122.
    This NAT rule is applied on my firewall NETASQ and works fine for
    all subnets except for 192.168.4.0/24 !!! (note that 192.168.1.31 is a
    virtual address on the NetAsq interface)


  2. Re: DNAT

    In article <1182844309.519506.78430@q69g2000hsb.googlegroups.com>,
    RICCARDO wrote:

    > I have several lan segments and I'm using NAT in this way:
    >
    > all clients having 192.168.0.0/16 which go to specific IP Address
    > 192.168.1.31, destination address must be translated into
    > 192.168.4.122.
    > This NAT rule is applied on my firewall NETASQ and works fine for
    > all subnets except for 192.168.4.0/24 !!! (note that 192.168.1.31 is a
    > virtual address on the NetAsq interface)


    The problem is probably that the return traffic doesn't go through the
    NETASQ. It sees the connection coming from its own subnet, so it sends
    the replies directly to the sender. But the sender doesn't recognize
    this return traffic, because it's expecting the replies to come from
    192.168.1.31, not 192.168.4.122.

    You need the firewall to change the source address of the traffic to its
    own address, in addition to changing the destination address. Then the
    device will always reply to the firewall, which can do the reverse
    translation, rather than trying to reply directly to the sender.

    --
    Barry Margolin, barmar@alum.mit.edu
    Arlington, MA
    *** PLEASE post questions in newsgroups, not directly to me ***
    *** PLEASE don't copy me on replies, I'll read them in the group ***
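The asymmetric-return problem Barry describes, modelled as an added example (this is not code from the thread or from NETASQ). It uses the thread's addresses (192.168.1.31 virtual address, 192.168.4.122 real server, 192.168.4.0/24 server segment) and assumes a firewall address of 192.168.4.1 on that segment; it shows why DNAT alone fails only for clients on the server's own /24, and how adding source NAT to the firewall's address ("hairpin" or "reflexive" NAT) forces the reply back through the firewall.

```python
import ipaddress

FW_VIP = "192.168.1.31"        # virtual address clients connect to (from the thread)
REAL_SERVER = "192.168.4.122"  # real destination behind the DNAT (from the thread)
FW_LAN4 = "192.168.4.1"        # ASSUMED firewall address on the 192.168.4.0/24 segment
FW_ADDRS = {FW_VIP, FW_LAN4}
SERVER_NET = ipaddress.ip_network("192.168.4.0/24")


def deliver(pkt):
    """Where a packet sent by the server ends up: at the firewall if it is addressed
    to one of the firewall's addresses or to an off-segment host (default route),
    otherwise directly to the host on the same segment, bypassing the firewall."""
    dst = ipaddress.ip_address(pkt["dst"])
    if pkt["dst"] in FW_ADDRS or dst not in SERVER_NET:
        return "firewall"
    return "host"


def simulate(client, hairpin_snat):
    """Return (accepted, reply_src): whether the client sees the reply come from
    the address it connected to, and which source address the reply carried."""
    conntrack = {}
    # 1. client -> 192.168.1.31; firewall rewrites the destination (DNAT) and,
    #    when hairpin_snat is set, also rewrites the source to its own address.
    fwd_src = FW_LAN4 if hairpin_snat else client
    # Firewall remembers how to undo the translation for the reply direction.
    conntrack[(REAL_SERVER, fwd_src)] = (client, FW_VIP)
    # 2. server replies to whatever source address it saw.
    reply = {"src": REAL_SERVER, "dst": fwd_src}
    # 3. only traffic that reaches the firewall gets the reverse translation.
    if deliver(reply) == "firewall":
        orig_client, vip = conntrack[(reply["src"], reply["dst"])]
        reply = {"src": vip, "dst": orig_client}
    # 4. the client accepts the reply only if it comes from 192.168.1.31.
    accepted = reply["src"] == FW_VIP and reply["dst"] == client
    return accepted, reply["src"]


if __name__ == "__main__":
    # constructed sample clients: one on another segment, one on the server's /24
    for client in ("192.168.2.10", "192.168.4.50"):
        for snat in (False, True):
            ok, src = simulate(client, snat)
            print(f"client {client:13} hairpin_snat={snat!s:5} reply from {src:13} accepted={ok}")
```

With source NAT to the firewall's address the server no longer sees the real client address, so its own logs show 192.168.4.1 for every hairpinned connection; keep the firewall's connection log as the record of the original client.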
