North American Network Operators Group
Re: IPSEC and PAT
In message <[email protected].com>, Vandy Hamidi writes:

> I know that in Tunnel Mode, IPsec can be NATed and PATed (without IKE on UDP
> 500 being used), but as I'm trying to break down the process of how it is
> working, I've been stumped by this:
>
> NAT - Changes source IP during translation
> PAT - Changes source IP and TCP/UDP port to another to track multiple to one
> translations.
>
> My question is, how does PAT track the packets with their internal hosts
> when there is not a TCP/UDP header to translate?
> How does it know which "internal" host a returning ESP packet must be
> forwarded to after it un-PATs the incoming packet?
>
> Thanks, and I hope this isn't a totally stupid question. If it is, humor me
> ;),

IPsec can't be PATted, because the TCP and UDP port numbers are in the
protected part of the packet.

		--Steve Bellovin, http://www.research.att.com/~smb
		http://www.wilyhacker.com
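The point of the reply above, shown in code. This is an added illustration, not part of the thread and not anyone's real NAT implementation: a toy port-based PAT table is run over two constructed packets from the same inside host, one UDP and one tunnel-mode ESP (RFC 4303 header layout: 4-byte SPI, 4-byte sequence number, then the protected payload). The addresses, ports, SPI and payload bytes are made up; the inner IP and transport headers of the ESP packet are represented by opaque bytes because, from the translator's point of view, that is all they are.

```python
import struct

IPPROTO_UDP = 17
IPPROTO_ESP = 50


def ip_bytes(addr):
    return bytes(int(o) for o in addr.split("."))


def build_ipv4(src, dst, proto, payload):
    # Minimal IPv4 header, no options, header checksum left at zero.
    # Constructed sample packet for illustration, not a capture.
    hdr = struct.pack("!BBHHHBBH4s4s",
                      0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ip_bytes(src), ip_bytes(dst))
    return hdr + payload


def build_udp(sport, dport, data):
    # UDP header: source port, destination port, length, checksum (0 = none).
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def build_esp(spi, seq, protected):
    # ESP (RFC 4303): cleartext SPI and sequence number, then the encrypted
    # payload. In tunnel mode the inner IP and TCP/UDP headers are inside
    # `protected`; only the peer holding the SA key can read them. Here the
    # protected part is just placeholder bytes.
    return struct.pack("!II", spi, seq) + protected


def parse_ipv4(pkt):
    ihl = (pkt[0] & 0x0F) * 4
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    return src, dst, pkt[9], pkt[ihl:]


def nat_visible_fields(pkt):
    """Everything a NAT/PAT box on the path can read from the packet."""
    src, dst, proto, l4 = parse_ipv4(pkt)
    fields = {"src": src, "dst": dst, "proto": proto}
    if proto == IPPROTO_UDP:
        fields["sport"], fields["dport"] = struct.unpack("!HH", l4[:4])
    elif proto == IPPROTO_ESP:
        fields["spi"], fields["seq"] = struct.unpack("!II", l4[:8])
        # No port fields at this layer: the transport header is ciphertext,
        # and the ESP ICV (when present) covers the SPI, so it cannot be
        # rewritten either.
    return fields


class PatTable:
    """Toy port-based source translation: many inside hosts behind one IP."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out = {}   # (inside_ip, inside_port) -> public_port
        self.back = {}  # public_port -> (inside_ip, inside_port)

    def outbound(self, pkt):
        """Rewrite source IP and port; returns (new_pkt, public_port)."""
        src, dst, proto, l4 = parse_ipv4(pkt)
        if proto != IPPROTO_UDP:   # TCP would be handled the same way
            raise ValueError("proto %d has no cleartext port to translate" % proto)
        sport, dport = struct.unpack("!HH", l4[:4])
        key = (src, sport)
        if key not in self.out:
            self.out[key] = self.next_port
            self.back[self.next_port] = key
            self.next_port += 1
        pub = self.out[key]
        new_l4 = struct.pack("!H", pub) + l4[2:]
        return build_ipv4(self.public_ip, dst, proto, new_l4), pub

    def inbound(self, pkt):
        """Find the inside host for a returning packet by destination port."""
        src, dst, proto, l4 = parse_ipv4(pkt)
        if proto != IPPROTO_UDP:
            return None   # no port to look up: the situation the asker describes
        sport, dport = struct.unpack("!HH", l4[:4])
        return self.back.get(dport)


def demo():
    table = PatTable("203.0.113.1")
    udp = build_ipv4("10.0.0.5", "198.51.100.9", IPPROTO_UDP,
                     build_udp(5555, 53, b"query"))
    _, pub = table.outbound(udp)
    reply = build_ipv4("198.51.100.9", "203.0.113.1", IPPROTO_UDP,
                       build_udp(53, pub, b"answer"))
    udp_back = table.inbound(reply)                 # ('10.0.0.5', 5555)

    esp = build_ipv4("10.0.0.5", "198.51.100.9", IPPROTO_ESP,
                     build_esp(0x1000ABCD, 1, b"\x00" * 64))
    try:
        table.outbound(esp)
        esp_result = "translated"
    except ValueError:
        esp_result = "no port to translate"
    return udp_back, esp_result, nat_visible_fields(esp)


if __name__ == "__main__":
    print(demo())
```

The UDP flow round-trips because the translator could read and rewrite a port and key its table on it; for the ESP packet the only cleartext demultiplexing fields are the outer addresses and the SPI, which the remote peer chose for its own SA lookup. Devices that advertise "IPsec passthrough" build state on those cleartext fields instead, which is address translation keyed on SPI rather than port translation, and is outside what this thread discusses.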