LinuxQuestions.org

Thread: Static NAT / DMZ / VPN question (http://www.linuxquestions.org/questions/linux-networking-3/static-nat-dmz-vpn-question-245574/)

Funky D 10-21-2004 12:53 PM

Static NAT / DMZ / VPN question
 
Hi all,

This is probably a pretty basic question, but after struggling for the past few days I think it's time to break down and ask for some help!

We have a Mandrake MNF server with 3 nics protecting our network, with a Sendmail server in the DMZ. Recently, I've been trying to set up the MNF system as a VPN server, but I don't believe our current configurations support it. A breakdown of the firewall system:

eth0 - 172.20.0.100 (LAN)
eth1 - 123.45.6.789 (WAN)
eth2 - 172.20.1.100 (DMZ)

There is one Sendmail server in the DMZ, 172.20.1.3. There is a static NAT connecting that server to the WAN. I believe this is what is causing the problem for the VPN (FreeS/WAN)... It sees eth1 and eth2 sharing the WAN IP, and will not start because of that.

My biggest confusion is the purpose of static NAT and whether it is necessary. From what I understand, the static NAT tricks external machines into thinking the sendmail server is connected directly to the net via the WAN's IP address.

Is it possible to remove the static NAT and only use port forwarding? Do we need a second external IP address dedicated to the VPN? I'd like to know if this can even work with our current setup and the basic steps I need to take before venturing any further. I'm not new to Linux, but I'm definitely not proficient... most of these systems work because of help from HOWTOs and lots of trial and error! :)

Thanks in advance for any advice!

peter_robb 10-22-2004 08:17 AM

Static NAT and port forwarding are different names for the same thing...

It also matters how the NAT is being done, whether it's interface based or ip & port based.. As long as the WAN interface ip number matches the SNAT ip number, that's ok.

The VPN is in the correct position, looking outward and should be issuing ip numbers to match the network the clients want to connect to..

FreeS/WAN has a logging system to record failures, successes etc. and the online documentation can help with error codes/messages.. http://www.freeswan.org/freeswan_tre...6/doc/toc.html
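The two NAT styles peter_robb distinguishes (interface-based 1:1 NAT versus IP-and-port based forwarding) written out as iptables rules for the addresses given in the first post. This is an added example, not code from the thread or from Mandrake MNF; it assumes the MNF box uses iptables, that the DMZ mail host only needs SMTP exposed, and it reuses the poster's placeholder WAN address 123.45.6.789. IPT defaults to echo so the script only prints the rules; set IPT=iptables as root to load them.

```shell
#!/bin/sh
# Constructed example: exposing the DMZ Sendmail host (172.20.1.3) behind
# the firewall's WAN address, first as 1:1 static NAT, then as per-port
# forwarding that leaves the firewall's own IPsec ports untouched.
IPT="${IPT:-echo}"      # "echo" = dry run; "iptables" applies the rules
WAN_IF=eth1
WAN_IP=123.45.6.789     # placeholder from the post, not a routable address
DMZ_IF=eth2
MAIL=172.20.1.3

# Style 1: 1:1 static NAT on the interface. Every inbound packet addressed
# to the WAN IP is rewritten to the mail host, and everything the mail host
# sends leaves as the WAN IP. Nothing arriving on that IP reaches the
# firewall's own services any more, IKE on UDP/500 included.
static_nat() {
  $IPT -t nat -A PREROUTING -i "$WAN_IF" -d "$WAN_IP" \
       -j DNAT --to-destination "$MAIL"
  $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$MAIL" \
       -j SNAT --to-source "$WAN_IP"
}

# Style 2: IP-and-port forwarding. Only TCP/25 is handed to the DMZ host;
# the FORWARD chain limits WAN->DMZ to that one service, and UDP/500 plus
# ESP stay with the firewall so the VPN gateway can own the WAN IP.
port_forward() {
  $IPT -t nat -A PREROUTING -i "$WAN_IF" -d "$WAN_IP" -p tcp --dport 25 \
       -j DNAT --to-destination "$MAIL:25"
  $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$MAIL" \
       -j SNAT --to-source "$WAN_IP"
  $IPT -A FORWARD -i "$WAN_IF" -o "$DMZ_IF" -d "$MAIL" -p tcp --dport 25 \
       -m state --state NEW,ESTABLISHED -j ACCEPT
  $IPT -A FORWARD -i "$DMZ_IF" -o "$WAN_IF" -s "$MAIL" \
       -m state --state ESTABLISHED,RELATED -j ACCEPT
  $IPT -A FORWARD -i "$WAN_IF" -o "$DMZ_IF" -j DROP
  # IPsec control and data traffic terminates on the firewall itself.
  $IPT -A INPUT -i "$WAN_IF" -p udp --dport 500 -j ACCEPT
  $IPT -A INPUT -i "$WAN_IF" -p esp -j ACCEPT
}

# Print both rule sets side by side for review.
echo "# style 1: static NAT";  static_nat
echo "# style 2: port forward"; port_forward
```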

