Subject: Re: NAT Rules Question
To: J. Buck Caldwell <buckaroo@liveround.com>
From: David Maxwell <david@vex.net>
List: netbsd-users
Date: 06/17/2003 13:02:01
On Tue, Jun 17, 2003 at 11:51:57AM -0500, J. Buck Caldwell wrote:
> I've got the routing down, and I'm working on the firewall rules. I'm 
> not sure about the NAT rules, though. Here's my question:
> 
> Say I've got a branch 192.168.3.0, with a sister branch 192.168.13.0. 
> The 3.0 has a broadband connection. The 13.0 does not. There is a cisco 
> router at 13.1 and 3.2, with an ip unnumbered connection between them 
> over the T1. The 3.0 has a VPN IPSec tunnel to 0.0/24. How should my NAT 
> rules look to provide NAT services for both the 13.0 and 3.0 network? 
> Something like this, I'm assuming:
> 
> map ex0 192.168.3.0/24 -> 0/32 proxy port ftp ftp/tcp
> map ex0 192.168.3.0/24 -> 0/32 portmap tcp/udp auto
> map ex0 192.168.3.0/24 -> 0/32
> map ex0 192.168.13.0/24 -> 0/32 proxy port ftp ftp/tcp
> map ex0 192.168.13.0/24 -> 0/32 portmap tcp/udp auto
> map ex0 192.168.13.0/24 -> 0/32

That looks fine. Although, from your description, I don't see any reason
why you couldn't just leave your 192.168.0.0/16 ruleset instead. It's a
bit loose and sloppy to do so, but nothing should prevent it from
working.

(I read your description as a network with multiple islands, each island
has a broadband node, and one or more VPN'd dialup networks behind it.
Each island will have the class C for the main broadband site + one or
more C's for each dialup network.)

> Now the other possibility - to confuse things further - we're getting 
> five static IPs at each broadband connection, I could have each /24 go 
> out on a different address - can NAT use an aliased address? Can I 
> configure ex0 with two 'public' IPs, then change the NAT rules to point 
> the 3.0 network to one, and the 13.0 network at the alias address?

Yes, just replace 0/32 with the A.B.C.D/32 you want in each case, using
the separate mappings you wrote above.

							David
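An added example, not from the thread or from NetBSD's IPFilter: a constructed ipnat.conf for the second case (one public address per /24, with 203.0.113.10 assumed to be ex0's primary address and 203.0.113.11 an alias on ex0, both documentation addresses) plus a small Python matcher that applies ipnat's first-match rule order to sample packets, so the egress address for each internal network can be checked before the rules are loaded.

```python
import ipaddress

# Constructed values, not from the thread: ex0's primary address, used to
# resolve the '0/32' shorthand, and an alias address for the 13.0 network.
EX0_ADDRS = {"ex0": "203.0.113.10"}
IPNAT_CONF = """\
map ex0 192.168.3.0/24 -> 203.0.113.10/32 proxy port ftp ftp/tcp
map ex0 192.168.3.0/24 -> 203.0.113.10/32 portmap tcp/udp auto
map ex0 192.168.3.0/24 -> 0/32
map ex0 192.168.13.0/24 -> 203.0.113.11/32 proxy port ftp ftp/tcp
map ex0 192.168.13.0/24 -> 203.0.113.11/32 portmap tcp/udp auto
map ex0 192.168.13.0/24 -> 203.0.113.11/32
"""

def parse_rules(conf):
    """Parse ipnat 'map' lines into (iface, src_net, target, kind, protos)."""
    rules = []
    for line in conf.splitlines():
        tok = line.split()
        if not tok or tok[0] != "map":
            continue
        iface, src, target = tok[1], ipaddress.ip_network(tok[2]), tok[4]
        if "proxy" in tok:                  # proxy port ftp ftp/tcp -> tcp/21 only
            kind, protos = "proxy", {tok[tok.index("proxy") + 3].split("/")[1]}
        elif "portmap" in tok:              # portmap tcp/udp auto -> port-rewriting
            kind, protos = "portmap", set(tok[tok.index("portmap") + 1].split("/"))
        else:
            kind, protos = "plain", None    # any protocol, address rewrite only
        rules.append((iface, src, target, kind, protos))
    return rules

def translate(rules, iface, src, proto, dport=None):
    """First matching map rule wins (ipnat order); return (public_ip, kind)."""
    src = ipaddress.ip_address(src)
    for r_if, net, target, kind, protos in rules:
        if r_if != iface or src not in net:
            continue
        if kind == "proxy" and not (proto in protos and dport == 21):
            continue
        if kind == "portmap" and proto not in protos:
            continue
        # '0/32' is ipnat shorthand for the interface's own (primary) address.
        public = EX0_ADDRS[iface] if target == "0/32" else target.split("/")[0]
        return public, kind
    return None, None   # no rule matched: the packet leaves untranslated
```

Rule order matters: the proxy and portmap lines must precede the plain map line for the same /24, as in the thread, or the plain rule swallows everything first.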