NAT gateway and IPSec-tunnel on the same box - impossible?

Hi,

I have a test-environment where I am using Windows Server 2003 as the router
and
gateway to the Internat using NAT and Basic Firewall. I additionally want to
create an IPSec-tunnel (no PPTP/L2TP) to a non Windows gateway to connect
two subnets. NAT is working properly and the IPSec-tunnel is established too
but as the interface is defined as the external interface the
network-packets designated to pass the IPSec-tunnel are translated by NAT
which finally causes the IPSec-tunnel to be worthless.
My question is whether it is possible for the external interface to exclude
a specific range of target-addresses from being translated?

Here some more details on the environment:

NetA 10.0.0.0 / 255.255.255.0
NetB 10.0.1.0 / 255.255.255.0

Gateway 1:
Windows 2003: internal: 10.0.0.1, external 192.168.0.1
+ configured to NAT all internet traffic using 192.168.0.1
+ confgured to create an IPSec-tunnel between 192.168.0.1 and 192.168.0.2
for tunneling 10.0.1.x

Gateway 2:
IPCop: internal 10.0.1.1, external 192.168.0.2
+ confgured to create an IPSec-tunnel between 192.168.0.2 and 192.168.01
for tunneling 10.0.0.x

Result: (verified by using network monitor)
A ping from NetA to 10.0.1.1 causes a translation of the source-address to
192.168.0.1 on the external interface of Windows 2003 so it will not cross
the tunnel - any ideas how to avoid translation for 10.0.1.x using Windows
2003 supplied mechanisms only?

Note: The tunnel endpoints have to be the external IP-addresses as
IPSec-Tunnel mode packets cant be NATed


Any feedback highly appreciated,
Thanks, Hannes

"Johannes Mayr" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> My question is whether it is possible for the external interface to
exclude
> a specific range of target-addresses from being translated?
>
> NetA 10.0.0.0 / 255.255.255.0
> NetB 10.0.1.0 / 255.255.255.0

Those are private addresses. They are not compatible with the Internet.
eliminating NAT for them will make them worthless.

IPSec requires NAT-T (NAT Traversal) it does not work with NAT.

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

Thanks for your response

As I am intending to create an IPSec-tunnel from the one gateway to the
other NAT-T is not required here - the IPSec tunnel goes from the external
interface of gateway 1 (W2k3) to the external interface of gateway 2 (IPCop)

The idea of eliminating NAT would work as the IPSec policy exactly tunnels
these addresses and they would never reach the internet - taking a look at
the network architecture the IPSec-filter is below the NAT filter and thus
if the NAT filter would not translate the specific range (e.g. 10.0.0.x or
10.0.1.x) IPSec would tunnel these packets in case the policy is correctly
defined.

Using a demand-dial connection would solve all my problems but this would
require PPTP or L2TP/IPSec; I would - if somehow possible - prefer an native
IPSec-tunnel.

Hannes.



"Phillip Windell" <@.> wrote in message
news:%(E-Mail Removed)...
>
> "Johannes Mayr" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
>> My question is whether it is possible for the external interface to
> exclude
>> a specific range of target-addresses from being translated?
>>
>> NetA 10.0.0.0 / 255.255.255.0
>> NetB 10.0.1.0 / 255.255.255.0
>
> Those are private addresses. They are not compatible with the Internet.
> eliminating NAT for them will make them worthless.
>
> IPSec requires NAT-T (NAT Traversal) it does not work with NAT.
>
> --
>
> Phillip Windell [MCP, MVP, CCNA]
> www.wandtv.com
>
>
>