 From:  Ben Lutgens <blutgens at us dash admins dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] DNAT rules breaks IPSec tunneled traffic to same services on diff hosts.
 Date:  Wed, 22 Oct 2003 16:20:41 -0500
On Tuesday, Oct 21, 2003, at 11:11 US/Central, Ben Lutgens wrote:

> When you have Destination NAT rules set up, it seems you can no longer
> access services that you have NAT'd on _OTHER_ hosts when coming in via
> IPSec. Weird eh.

Are all my questions stupid? Is there some reason my posts get 0 
response? Am I missing something?

> So my network is and on the other side of a tunnel is
> On the remote gateway (m0n0 of course) i have some NAT
> rules which push services through to These include ssh,
> http, https etc etc. When I try to ssh through the IPSec tunnel to say
>, I see some packet logs on my end which show me that the
> remote mono box is trying to NAT those packets to For some
> reason it fails (which is odd since I can ssh to the external ip of the
> mono box and I'm good). My packet filter rules are all correct, and if I
> _remove_ those DNAT rules and try then to ssh to any host on the other
> side of the tunnel it works fine.
> This also affects being able to access the web interface via the IPSec
> tunnel. Obviously people want to be able to run webservers behind their
> m0n0 gateway, and may need to access the web interface (since there's no
> SSH to m0n0) to make config changes.
> Here are some packet logs when trying to access the remote m0n0 box's
> web interface via the IPSec tunnel.
> my IP ==
> the remote mono internal ip ==
> https is set up as an Inbound NAT rule on the remote mono box to go to
> and these logs are from the LOCAL m0n0 box (
> Oct 21 11:09:33 m0n0wall ipmon[71]: 11:09:33.183888 sis0 @0:11 B
>,443 ->,33638 PR tcp len 20 40 -AR IN
> Oct 21 11:09:36 m0n0wall ipmon[71]: 11:09:36.182348 sis0 @0:11 B
>,443 ->,33638 PR tcp len 20 40 -AR IN
> Oct 21 11:09:42 m0n0wall ipmon[71]: 11:09:42.182511 sis0 @0:11 B
>,443 ->,33638 PR tcp len 20 40 -AR IN
Ben Lutgens       http://us-admins.com/~blutgens/
US Admins, Inc
System Administrator / Server Gumby