Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 5 replies
  • Subscribers 2 subscribers
  • Views 1234 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

SNAT in place of MASQ?

BarryG
Hi,
In 7.3x, I've found that I can't MASQ to an "additional address" on the EXT interface.

Therefore, I'm wondering if this would achieve the same thing:
SNAT source INT service ANY dest ANY, SNAT source to EXT2

Thanks,
Barry


This thread was automatically locked due to age.
Parents
  • 0
    Sounds like it should work.  Let me know.  I was thinking of using SNAT to give one group exclusive access to "their" Internet connection: SNAT source [Network for Engineers] service HTTP dest ANY, SNAT source to EXT2, so I'm interested in the result of your experiment.

    Can't use policy routing because we're using HTTP Proxy in Transparent mode.

    Thanks - Bob
  • 0 in reply to BAlfson
    OK, I tried it, but as I was setting it up, I realized that it would break my site-to-site VPNs.

    Anyways, it works for the internet, but as I thought, servers in that site cannot initiate connections through the VPNs as they are now SNAT'd to an external address. [:(]

    I don't see any way around this, except possibly doing another set of SNATs for each of the VPNs, which seems horribly complex.

    Barry
  • 0 in reply to BarryG
    Feature Request:
    Would it be possible to be able to choose an 'additional address' instead of only an interface on the MASQ setup?

    Thanks,
    Barry
  • 0 in reply to BarryG
    What if you were using IPSec instead of SSL - would there be the confusion?
  • 0 in reply to BAlfson
    I am using IPSec for the Site-to-Site VPNs.

    Thanks,
    Barry
Reply Children
No Data