
Re: nat.conf to NAT or not to NAT.



On 26 Oct 2001 at 14:55, Jan Johansson wrote:

> I will try to clarify what I mean.
> 
> We have three subnetted B nets 128.10.{202|206|209}.0, we also
> have a protected playpen for our students located at 192.168.0.0.
> 
> For AFS, SMB and Kerberos to work without major problems I want
> the 192.168.0.0 network talking to our file server at
> 128.10.202.? without NAT.
> 
> This gives.
> 
> Internet <-> Cisco <-> Routable ips <-> Gateway <-> black nets
> 
> Cisco router has 128.10.{202|206|209}.1 inside.
> Gateway has 128.10.206.4 outside.
> Gateway has 192.168.0.1 inside.
> 
> Or specified in a possible nat.conf ruleset.
> 
> nat on ext1 from any to 128.10.202.0/24
> nat on ext1 from any to 128.10.206.0/24
> nat on ext1 from any to 128.10.209.0/24
> nat on ext1 from any to any -> 128.10.206.4

You can do

nat on ext1 from 192.168.0.0/16 to ! 128.10.202.0/24 -> 128.10.206.4

This will prevent nat to the file server(s) but you will still get nat to 128.20.{206,209}.0

If that is unacceptable then this should be the shortest ruleset which should do what you want

nat on ext1 from 192.168.0.0/16 to ! 128.10.192.0/19 -> 128.10.206.4 # 192-223
nat on ext1 from 192.168.0.0/16 to 128.10.192.0/21   -> 128.10.206.4 # 192-199
nat on ext1 from 192.168.0.0/16 to 128.10.200.0/24   -> 128.10.206.4 # 200
nat on ext1 from 192.168.0.0/16 to 128.10.201.0/24   -> 128.10.206.4 # 201
nat on ext1 from 192.168.0.0/16 to 128.10.203.0/24   -> 128.10.206.4 # 203
nat on ext1 from 192.168.0.0/16 to 128.10.204.0/24   -> 128.10.206.4 # 204
nat on ext1 from 192.168.0.0/16 to 128.10.205.0/24   -> 128.10.206.4 # 205
nat on ext1 from 192.168.0.0/16 to 128.10.207.0/24   -> 128.10.206.4 # 207
nat on ext1 from 192.168.0.0/16 to 128.10.208.0/24   -> 128.10.206.4 # 208
nat on ext1 from 192.168.0.0/16 to 128.10.210.0/23   -> 128.10.206.4 # 210-211
nat on ext1 from 192.168.0.0/16 to 128.10.212.0/22   -> 128.10.206.4 # 212-215
nat on ext1 from 192.168.0.0/16 to 128.10.216.0/22   -> 128.10.206.4 # 216-219
nat on ext1 from 192.168.0.0/16 to 128.10.220.0/22   -> 128.10.206.4 # 220-223

It would be simpler if you could do nat at the cisco instead.

/Peter
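The long ruleset above is a hand-computed "supernet minus a few subnets" list: one negated rule for everything outside 128.10.192.0/19, then one rule per CIDR block that remains once 128.10.202.0/24, 128.10.206.0/24 and 128.10.209.0/24 are cut out. The following Python script is an added example, not code from the thread or from any nat.conf tool; it does the same carving with the standard ipaddress module, merges adjacent leftovers (so it emits fewer rules than writing each /24 out separately), prints rules in the syntax shown in the thread (assumed, not checked against a particular nat.conf version), and offers a small lookup to confirm which destinations would be translated. The addresses are the ones from the thread; the function and variable names are mine.

```python
import ipaddress

# Values taken from the thread: the inside (private) network, the /19 that holds
# all of the university's 128.10.192-223.0 space, the three subnets that must be
# reached un-NATted, and the gateway's outside address used as the NAT target.
SRC = "192.168.0.0/16"
SUPERNET = "128.10.192.0/19"
NO_NAT = ["128.10.202.0/24", "128.10.206.0/24", "128.10.209.0/24"]
NAT_TO = "128.10.206.4"
IFACE = "ext1"


def complement_blocks(supernet, exclusions):
    """Minimal CIDR list covering `supernet` with every prefix in `exclusions` removed.

    Each exclusion splits the leftover block that contains it (this is the
    hand calculation from the thread); adjacent leftovers are merged at the end.
    """
    supernet = ipaddress.ip_network(supernet)
    remaining = [supernet]
    for ex in map(ipaddress.ip_network, exclusions):
        if not ex.subnet_of(supernet):
            raise ValueError(f"{ex} is not inside {supernet}")
        kept = []
        for net in remaining:
            if ex.subnet_of(net):
                # address_exclude yields the pieces of `net` that do not overlap `ex`
                kept.extend(net.address_exclude(ex))
            elif net.subnet_of(ex):
                pass  # this leftover lies entirely inside the exclusion: drop it
            else:
                kept.append(net)
        remaining = kept
    return list(ipaddress.collapse_addresses(remaining))


def nat_rules(iface, src, supernet, exclusions, target):
    """Emit the ruleset in the syntax used in the thread: one negated rule for
    everything outside the supernet, then one rule per leftover block inside it."""
    rules = [f"nat on {iface} from {src} to ! {supernet} -> {target}"]
    for blk in complement_blocks(supernet, exclusions):
        rules.append(f"nat on {iface} from {src} to {blk} -> {target}")
    return rules


def is_natted(supernet, exclusions, dst):
    """Would a packet from the inside network to `dst` be translated by this ruleset?"""
    dst = ipaddress.ip_address(dst)
    if dst not in ipaddress.ip_network(supernet):
        return True  # matched by the "to ! supernet" rule
    return any(dst in blk for blk in complement_blocks(supernet, exclusions))


if __name__ == "__main__":
    for rule in nat_rules(IFACE, SRC, SUPERNET, NO_NAT, NAT_TO):
        print(rule)
    for probe in ("128.10.202.7", "128.10.206.4", "128.10.203.1", "8.8.8.8"):
        print(probe, "NAT" if is_natted(SUPERNET, NO_NAT, probe) else "no NAT")
```

Because the negated first rule and the per-block rules are generated from the same exclusion list, the two cannot drift apart when a subnet is added later; re-running the script after editing NO_NAT regenerates a consistent set. The is_natted lookup is the check to run before deploying: confirm that the file server's address and the gateway's own outside address come back as "no NAT" and that an arbitrary Internet address still does.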