[AusNOG] Exemption to a NAT rule for a particular destination

Geordie Guy elomis at gmail.com
Thu May 1 14:15:46 EST 2014


Hi Folks,

I have a problem whereby traffic going from an IP is NATted to allow access
to the Internet from that IP, with a rule that NATs anything from
10.2.6.0/24 with a PAT rule for 103.247.65.254.  This isn't remarkable,
everything internal goes to the rest of the LANs, anything heading out is
NATted. Traffic has historically either gone to the Internet or another
local L3 network.

An IPSEC tunnel has been established to a business partner and traffic from
this IP going to 172.31.1.3 has to go to them via the tunnel, but the NAT
rule is catching it and NATting it because it isn't destined to a local
network, but to the outside world (albeit after being encrypted and
encapsulated).  This is stopping the traffic entering the tunnel.

I'd thought of adding a new interface to the box in question and decreasing
the scope of the NAT rule so that a particular subnet of 10.2.6.0/24 isn't
covered, but that would necessitate doing some jiggery-pokery to somehow
make sure the multihomed host uses one particular interface and source IP
to try and go to the partner.  Is there a way of exempting a particular IP
address or providing some other criteria for a NAT rule?

-  Geordie


PS: (*%&*$ing NAT.
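The usual answer to the question above is a destination-based "no-NAT" (exemption) rule that sits ahead of the general PAT rule, since most NAT implementations evaluate rules first-match. The following is an added illustration, not configuration from the post or the poster's device: it models that first-match evaluation with the post's addresses (10.2.6.0/24, 103.247.65.254, 172.31.1.3) and includes a check for exemption rules that an earlier, broader rule shadows so they can never match.

```python
"""First-match NAT rule model with a destination-based exemption.

Added example (not from the original post). Assumes first-match
semantics as in common NAT implementations (e.g. iptables POSTROUTING,
where an ACCEPT/RETURN rule inserted before MASQUERADE exempts traffic).
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class NatRule:
    src: IPv4Network                     # source network to match
    dst: IPv4Network                     # destination network to match
    translate_to: Optional[IPv4Address]  # None = exempt, pass untranslated


def apply_nat(rules: List[NatRule], src: str, dst: str) -> str:
    """Return the source address the packet leaves with (first match wins)."""
    s, d = ip_address(src), ip_address(dst)
    for rule in rules:
        if s in rule.src and d in rule.dst:
            return str(rule.translate_to) if rule.translate_to else str(s)
    return str(s)  # no rule matched: traffic is not translated


def shadowed_rule_indexes(rules: List[NatRule]) -> List[int]:
    """Indexes of rules fully covered by an earlier rule, so they never fire.

    A later exemption shadowed by a broad PAT rule is exactly the failure
    described in the post: the partner traffic is NATted and misses the tunnel.
    """
    shadowed = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if rule.src.subnet_of(earlier.src) and rule.dst.subnet_of(earlier.dst):
                shadowed.append(i)
                break
    return shadowed


ANY = ip_network("0.0.0.0/0")
INSIDE = ip_network("10.2.6.0/24")
PARTNER_HOST = ip_network("172.31.1.3/32")
PAT_ADDR = ip_address("103.247.65.254")

EXEMPT_PARTNER = NatRule(INSIDE, PARTNER_HOST, None)   # no-NAT towards partner
PAT_EVERYTHING = NatRule(INSIDE, ANY, PAT_ADDR)        # the existing PAT rule

FIXED_RULES = [EXEMPT_PARTNER, PAT_EVERYTHING]     # exemption first: works
SHADOWED_RULES = [PAT_EVERYTHING, EXEMPT_PARTNER]  # exemption never reached
```

Run `shadowed_rule_indexes` over a candidate rule order before deploying: a non-empty result means the exemption is dead and the IPsec-bound traffic will still be translated.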