Jump to content

This is the support site for Andrews & Arnold Ltd, a UK Internet provider. Information on these pages is generally for our customers but may be useful to others, enjoy!

FireBrick Road Warrior FireBrick Config: Difference between revisions

← Older editNewer edit →
Content deleted Content added
AA-Andrew (talk | contribs)
autoreview, Bureaucrats, editor, Interface administrators, reviewer, Administrators
12,659 edits
AA-Andrew (talk | contribs)
autoreview, Bureaucrats, editor, Interface administrators, reviewer, Administrators
12,659 edits
Line 33: Line 33:
connected on the LAN, and, if the LAN subnet is routable, the
connected on the LAN, and, if the LAN subnet is routable, the
remote device will also be able to communicate externally.
remote device will also be able to communicate externally.

'''Think about the NAT'''

A problem arises however when the LAN subnet is non-routable (RFC1918 IPs, eg 1923.168.x.x).
In this case the LAN subnet is usually marked NAT in the FB config,
so LAN devices can communicate externally (obviously for outgoing
sessions only). However, for roadwarrior devices the FB has to
know that incoming IPsec packets for the LAN (or the FB) should not
be NATed, but those destined for elsewhere should be (assuming
the roadwarrior devices should be given internet access).

The roaming-pool NAT flag will nat everything, but the FB LAN NAT
flag won't be looked at (it only applies to real traffic originating
on the LAN and destined off-LAN).

This is overcome, either, by using mapping rules, or by disabling NAT on the LAN subnet and instead enabling NAT on the external internet connection, eg in most cases this would be the PPP connection.


==Overview==
==Overview==
Retrieved from "http://support.aa.net.uk/FireBrick_Road_Warrior_FireBrick_Config"