[ previous ] [ next ] [ threads ]
 From:  "dasz" <daszylstra at comcast dot net>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  NAT over IPSEC
 Date:  Thu, 1 Dec 2005 17:47:24 -0500
a similar question was posted in 2004 with no answer (that I can find)

I have a client with multiple IPSEC tunnels for their vendors to hit their
file servers (all on Monowalls), incoming traffic is routed over 2 other
IPSEC tunnels for access to 2 remote file servers (basically the company has
3 offices each with a file server, domain connected by IPSEC tunnels) all
current vendors are OK with routing over the tunnels to the private IPs (we
recently changed the company's IP scheme to please 2 of the major vendors).

They now have another vendor who cannot route (and will not) to a private
network - I've talked with him and he has too many clients with private IP
routing and won't do any more (he is forcing his clients to migrate to
public IPs) - and my client's network conflicts with another of his . . .

The request is to NAT the internal file servers to public IPs . . . . so the
vendor can route those addresses over IPSEC . . . . . he only needs access
to the 3 file servers . . . .

I need to leave the existing tunnels/addressing in place because the other
vendors still need access to the entire network, not just the file servers .
. . . so NAT would have to be specific to the one IPSEC tunnel.

(NOTE: IPs sanitized to protect the client)
Public IPs available at location 2=, .163, .164, .165, .166
(Location 2 is the IPSEC endpoint for this company, traffic for satellite
offices route over Monowall->Monowall IPSEC connections)
Vendor network =
File server 1 =
File server 2 =
File server 3 =

Any recommendations on whether this is possible with Monowall?

Can I assign an outbound NAT as follows:

To do this I have to enable "advanced outbound NAT" to put it on the LAN?
Do I then have to create Outbound NAT rules for Internet access?