
Subject: RE: NAT... misunderstanding
From: Daniel Gibbs <d.gibbs,AT,online-bills,DOT,com>
Date: Wed, 2 Oct 2002 12:23:30 +0200


Yes,
NATing only lets related packets through (i.e. requested webpages), but will
deny new incoming connections unless you forward the packets.

The problem with the router is that it doesn't know how to handle the GRE
packets while doing NATing.
This is the same problem with my router: when in bridging mode it will allow
any packets (inc. GRE) through, but when it's in NAT mode it doesn't allow
GRE/IKE packets through.

Cipe does use encapsulated UDP for its data, which means all routers will be
able to handle it,
but you will need to forward (AFAIK) the incoming packets to the PC.

One solution if you can't get the packets forwarded is to use an SSH tunnel,
which will encrypt the data itself for one program, or possibly run cipe over
this (haven't tried this yet but should work).

dan

-----Original Message-----
From: Kirill S. Tarashev [mailto:rikoil,AT,iss,DOT,ru]
Sent: 02 October 2002 10:52 AM
To: Daniel Gibbs
Subject: RE: NAT... misunderstanding

  stop stop..
  As I understand, I have to forward incoming (to NAT router) packets ONLY
  when the server (or somebody else) initiates a connection to my computer.
  When I don't need it, there's nothing to change in the NAT router.
  Correct??

  Because the problem is that the NAT router is the ISP's router, and they
  will not change anything there to make forwarding. :((
  That was the problem, why I can't use PPTP, because NAT can't create a GRE
  tunnel VPN connection.
  But as I understand, CIPE uses ordinary UDP and also can work from a
  computer behind the NAT router without any changes on that router.

  Is it true or have I made some mistakes in my argumentation?

  Kirill
  
    -----Original Message-----
    From: Daniel Gibbs [mailto:d.gibbs,AT,online-bills,DOT,com]
    Sent: Wednesday, October 02, 2002 12:53 PM
    To: 'Kirill S. Tarashev'; Cipe-L (E-mail)
    Subject: RE: NAT... misunderstanding
    OK..

    NAT works (basically) this way.

    Incoming requests are rejected unless the incoming stream is related or
    there is a map (forwarding) from either the origination IP and/or port.
    However there can be problems:
    e.g. FTP - the NAT router needs to know how to handle this.

    What I have on my setup is

    Win2k/cipe -> Nat Router --Inet -- Linux firewall/cipe

    On my NAT router I have the required ports forwarded to the Win2k box for
    cipe.

    I had fun when trying to set up cipe on the Linux box because it uses 3
    (or 4) real IPs.
    I wanted to use one of the lesser used ones but forgot about the natting
    rules which put the box on a different IP than the one I was trying to
    use.

    Anyways, you may need to forward ports from your NAT box to your client
    box (as I have had to do).

    dan
    
      -----Original Message-----
      From: Kirill S. Tarashev [mailto:rikoil,AT,iss,DOT,ru]
      Sent: 02 October 2002 09:50 AM
      To: Daniel Gibbs
      Subject: RE: NAT... misunderstanding
      As I understand you, I can use a CIPE client behind NAT for outgoing
      access but not for incoming.
      or
      If I'm a client behind NAT, I can initiate a connection to the server
      and it will work, but the server can't initiate a connection to me
      itself.
      Is it correct?

      Kirill
      
        -----Original Message-----
        From: Daniel Gibbs [mailto:d.gibbs,AT,online-bills,DOT,com]
        Sent: Wednesday, October 02, 2002 12:25 PM
        To: 'Kirill S. Tarashev'
        Subject: RE: NAT... misunderstanding
        Hi, it can work as long as the NAT firewall knows what to
        do with incoming packets. I'm using cipe on w2k
        behind a NAT router, ok it doesn't work 100% but that's probably my
        config.
        dan
        -----Original Message-----
        From: Kirill S. Tarashev [mailto:rikoil,AT,iss,DOT,ru]
        Sent: 02 October 2002 06:55 AM
        To: cipe-l,AT,inka,DOT,de
        Subject: NAT... misunderstanding
        Sorry for the stupid question, but probably I don't
        understand some important things..
        On the main page of
        http://sites.inka.de/sites/bigred/devel/cipe.html I
        can find the text
        "......Special care has been taken to make this work over dynamic
        addresses, NAT and SOCKS proxies"
        but in the documentation - cipe-1.5.1.texinfo -
        something like this: "Here is in
        detail how it is possible to build CIPE links between
        different classes of carriers. Those classes are, based on how
        they are able to reach the Internet:
        .............
        4. Indirect connection through a NAT (masquerading) router. (NAT,
        masquerading)
        This produces ten different combinations:
        .............
        4-4 Not possible.
        Neither side gets to know its effective carrier address at
        all
        Question: can it work with the client behind a
        NAT firewall??? (Server with CIPE has an Internet
        IP, client works through the NAT firewall)
        Because I didn't find any link in the documentation on this
        subject....
        Thank you
        --
        Message sent by the cipe-l,AT,inka,DOT,de mailing list.
        Unsubscribe: mail majordomo,AT,inka,DOT,de, "unsubscribe cipe-l" in body
        Other commands available with "help" in body to the same address.
        CIPE info and list archive: <URL:http://sites.inka.de/~bigred/devel/cipe.html>
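
An added illustration, not part of the original thread or of CIPE's code: a toy Python model of the NAT behaviour discussed in these messages, where outbound UDP creates a mapping, replies to it are let back in, and unsolicited packets need a forward. The `NatRouter` class, the addresses and UDP port 9999 are constructed for the example.

```python
class NatRouter:
    """Toy masquerading NAT; mappings are matched on remote IP and port."""

    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.next_port = 40000   # next free public source port (constructed)
        self.out = {}            # (proto, lan_ip, lan_port, dst, dport) -> public port
        self.back = {}           # (proto, public_port, remote, rport) -> (lan_ip, lan_port)
        self.forwards = {}       # (proto, public_port) -> (lan_ip, lan_port), static maps

    def add_forward(self, proto, public_port, lan_ip, lan_port):
        self.forwards[(proto, public_port)] = (lan_ip, lan_port)

    def outbound(self, proto, src, sport, dst, dport):
        """LAN host sends a packet; returns it as seen on the Internet side."""
        if proto not in ("udp", "tcp"):
            return None          # no ports to rewrite (e.g. GRE): this simple NAT drops it
        key = (proto, src, sport, dst, dport)
        if key not in self.out:
            self.out[key] = self.next_port
            self.back[(proto, self.next_port, dst, dport)] = (src, sport)
            self.next_port += 1
        return (proto, self.public_ip, self.out[key], dst, dport)

    def inbound(self, proto, src, sport, dport):
        """Packet arrives on the public side; returns LAN (ip, port) or None if dropped."""
        related = self.back.get((proto, dport, src, sport))
        if related:
            return related       # reply to a flow the LAN host started
        return self.forwards.get((proto, dport))   # otherwise only a static forward helps


def demo():
    nat = NatRouter("203.0.113.1")                  # constructed sample addresses
    client, server = "192.168.1.10", "198.51.100.7"
    r = {}
    # Server sends first: no mapping and no forward, so the packet is dropped.
    r["unsolicited"] = nat.inbound("udp", server, 9999, 9999)
    # Client behind NAT sends first: the reply matches the new mapping.
    pkt = nat.outbound("udp", client, 9999, server, 9999)
    r["reply"] = nat.inbound("udp", server, 9999, pkt[2])
    r["other_host"] = nat.inbound("udp", "198.51.100.99", 9999, pkt[2])
    r["gre"] = nat.outbound("gre", client, None, server, None)
    # With a port forward configured, the server can initiate.
    nat.add_forward("udp", 9999, client, 9999)
    r["forwarded"] = nat.inbound("udp", server, 9999, 9999)
    return r
```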
        


