Subject: Re: ipnat and netmask
To: Patrick Welche <tech-net@netbsd.org>
From: Chris Dionissopoulos <dionch@freemail.gr>
List: tech-net
Date: 08/29/2005 17:09:55
> On Mon, Aug 29, 2005 at 03:24:13PM +0200, Quentin Garnier wrote:
>> On Mon, Aug 29, 2005 at 02:21:37PM +0100, Patrick Welche wrote:
>> > From ipnat -l, I have
>> > 
>> > map ex1 192.168.0.0/24 -> x.y.z.1/32 proxy port ftp ftp/tcp
>> > map ex1 192.168.0.0/24 -> x.y.z.1/32 portmap tcp/udp 10000:65000
>> > map ex1 192.168.0.0/24 -> x.y.z.1/32
>> > bimap ex1 192.168.0.180/32 -> x.y.z.180/32 proxy port ftp ftp/tcp
>> > 
>> > yet, when I ssh out from 192.168.200.180, finger prlw1 tells me I am
>> > connecting from x.y.z.1 rather than x.y.z.180.
>> > 
>> > According to the rules /32 should take precedence over /24, so what is
>> > wrong?
>> 
>> Nothing.  ipnat works in a "first-match" way, contrary to ipf.
> 
> That's what I thought, but I had the bimap in first position and saw that
> finger claimed I was coming from the mapped rather than the bimapped
> address, so I found some documentation:
> 
> http://www.phildev.net/ipf/IPFprob.html#prob16
> 
>   16. I'm having problems with ipnat (e.g. can't get proxies to work
>       with bimap, or some other problem).
> 
>     When troubleshooting problems with ipnat remember that rules are
>     process by network size. So a /32 rule will always be applied
>     before a /24 rule, etc. Therefore a ruleset like:
> ...
> 
> which then leads to the above question...

The "bimap" rule applies to IP-to-IP translations and not to a particular protocol/port, although
the ipnat config file syntax permits it.
In other words, it seems that your "bimap" rule never matches a flow due to the "proxy" option.

Try something like:

map ex1 192.168.0.0/24 -> x.y.z.1/32 proxy port ftp ftp/tcp
map ex1 192.168.0.0/24 -> x.y.z.1/32 portmap tcp/udp 10000:65000
map ex1 192.168.0.0/24 -> x.y.z.1/32
bimap ex1 192.168.0.180/32 -> x.y.z.180/32


Chris.
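The explanation in this thread can be checked against a small model. The following Python is an added example, not ipnat's code and not from either poster: it assumes, as the phildev FAQ quoted above says, that rules are tried most-specific source netmask first (and in file order within one mask), and, as Chris says, that a rule carrying "proxy port ftp ftp/tcp" only matches TCP flows to port 21. It further assumes a "portmap tcp/udp" rule only matches TCP or UDP flows. The rulesets are the two from the thread with the constructed documentation block 203.0.113.0/24 standing in for x.y.z; the flows are constructed too.

```python
"""Model of the ipnat rule selection discussed in the thread (added example).

Assumptions (a model of the thread's explanation, not verified against ipnat
source): rules are tried most-specific source netmask first, then in file
order; "proxy port ftp ftp/tcp" restricts a rule to TCP flows to port 21;
"portmap tcp/udp ..." restricts a rule to TCP or UDP flows.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

SERVICE_PORTS = {"ftp": 21}  # enough for the rules in this thread


@dataclass
class Rule:
    kind: str                                   # "map" or "bimap"
    iface: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proxy: Optional[Tuple[str, int]] = None     # (proto, port), e.g. ("tcp", 21)
    portmap: Optional[Tuple[Tuple[str, ...], int, int]] = None


def parse_rule(line: str) -> Rule:
    """Parse one map/bimap line of the shape used in the thread."""
    t = line.split()
    if len(t) < 5 or t[3] != "->" or t[0] not in ("map", "bimap"):
        raise ValueError(f"unsupported rule: {line!r}")
    rule = Rule(t[0], t[1], ipaddress.ip_network(t[2]), ipaddress.ip_network(t[4]))
    i = 5
    while i < len(t):
        if t[i] == "proxy" and t[i + 1] == "port":
            # "proxy port ftp ftp/tcp": service name, then proxy/protocol
            svc, proto = t[i + 2], t[i + 3].split("/")[1]
            rule.proxy = (proto, SERVICE_PORTS[svc])
            i += 4
        elif t[i] == "portmap":
            # "portmap tcp/udp 10000:65000"
            lo, hi = t[i + 2].split(":")
            rule.portmap = (tuple(t[i + 1].split("/")), int(lo), int(hi))
            i += 3
        else:
            raise ValueError(f"unknown option {t[i]!r} in {line!r}")
    return rule


def rule_matches(rule: Rule, src_ip: ipaddress.IPv4Address, proto: str, dport: int) -> bool:
    if src_ip not in rule.src:
        return False
    if rule.proxy is not None and (proto, dport) != rule.proxy:
        return False                     # proxy rule only sees its own service
    if rule.portmap is not None and proto not in rule.portmap[0]:
        return False
    return True


def select_rule(rules: List[Rule], src_ip: str, proto: str, dport: int) -> Optional[Rule]:
    """Most-specific source mask first; the stable sort keeps file order within a mask."""
    ordered = sorted(rules, key=lambda r: -r.src.prefixlen)
    ip = ipaddress.ip_address(src_ip)
    for r in ordered:
        if rule_matches(r, ip, proto, dport):
            return r
    return None


def translated_source(rules: List[Rule], src_ip: str, proto: str, dport: int) -> Optional[str]:
    """Address the flow appears to come from; every target block in the thread is a /32."""
    r = select_rule(rules, src_ip, proto, dport)
    return None if r is None else str(r.dst.network_address)


def load(text: str) -> List[Rule]:
    return [parse_rule(l) for l in text.strip().splitlines()]


# Constructed: 203.0.113.x stands in for the thread's x.y.z.x.
ORIGINAL = load("""
map ex1 192.168.0.0/24 -> 203.0.113.1/32 proxy port ftp ftp/tcp
map ex1 192.168.0.0/24 -> 203.0.113.1/32 portmap tcp/udp 10000:65000
map ex1 192.168.0.0/24 -> 203.0.113.1/32
bimap ex1 192.168.0.180/32 -> 203.0.113.180/32 proxy port ftp ftp/tcp
""")

SUGGESTED = load("""
map ex1 192.168.0.0/24 -> 203.0.113.1/32 proxy port ftp ftp/tcp
map ex1 192.168.0.0/24 -> 203.0.113.1/32 portmap tcp/udp 10000:65000
map ex1 192.168.0.0/24 -> 203.0.113.1/32
bimap ex1 192.168.0.180/32 -> 203.0.113.180/32
""")

if __name__ == "__main__":
    # ssh from .180: original ruleset falls through to the /24 portmap rule
    print("original, ssh:", translated_source(ORIGINAL, "192.168.0.180", "tcp", 22))
    print("suggested, ssh:", translated_source(SUGGESTED, "192.168.0.180", "tcp", 22))
```

Under the model, the original ruleset's bimap is skipped for the ssh flow because of its proxy option and the /24 portmap rule wins, which is the symptom in the first post; with the proxy option dropped from the bimap, the /32 rule matches first and the flow appears to come from the bimapped address.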
