Hello,

On Thu, 17 Jul 2003, Christian Stuellenberg wrote:

> If traffic from zone MASQ is addressed to one of the external internet
> addresses of one of the zones GOOD or DMZ, then it will currently get
> routed directly at HOST. It is intended that this direct routing is
> not done, but instead ALL traffic from zone MASQ becomes masqueraded
> out over the dynamic PPP connection to the internet, comes back over
> the CISCO line to HOST, then gets routed to the external destination IP
> (in zone GOOD or DMZ), and when the reply from there comes back again
> to HOST, it should get routed over the CISCO internet connection and
> then back over the dynamic PPP connection, demasqueraded, and at last
> delivered to the original source in zone MASQ.
>
> This works up to the point where the reply comes back to HOST. Now
> I'm not able to tell HOST that this reply should again be routed out
> to the internet over the CISCO line and only demasqueraded if it comes
> in over the PPP connection (btw. the demasquerading also does not
> occur if the reply does not get routed; I assume this is because the
> masquerading tables are waiting for a packet that comes in over the PPP
> connection and not on IF0 or IF1).

I think I understand the setup. I'm still wondering what the end goal is.
I can only speculate:

Assumptions:

1. Hosts from GOOD want to see the client from DynIP, not from a.b.c.62.
The solution: use SNAT with saddr=DynIP when talking to GOOD, because the
default masquerade action is to use a.b.c.62, which is what the routing
recommends. I assume GOOD and DMZ do not care how the packet with
saddr=DynIP appeared, as long as it looks as expected?

2. For some reason (even by introducing security problems) you want
packets with saddr=DynIP to walk the external path and to reach GOOD.
Is it needed? Is there a problem with the above solution in #1?

> Regards,
> Christian

Regards

--
Julian Anastasov <ja@xxxxxx>
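The rule ordering behind Julian's suggestion #1 (an explicit SNAT to DynIP for MASQ traffic bound for GOOD/DMZ external addresses, placed ahead of a MASQUERADE that is restricted to the PPP interface), shown as an added example that is not part of the original thread and not Christian's or Julian's configuration. It assumes iptables and iproute2 on HOST; the MASQ, GOOD and DMZ address ranges and the interface name ppp0 are constructed placeholders, and ppp_addr, catchall_rules, nat_rules and apply_rules are hypothetical helper names. The catch-all rule is included only to contrast with the fix: a destination-independent MASQUERADE lets the outgoing interface choose the source address, which is how a.b.c.62 ends up on the direct path.

```shell
#!/bin/sh
# Added example (not from the original thread). Builds the nat/POSTROUTING
# rules for "SNAT to DynIP towards GOOD/DMZ, MASQUERADE only on PPP".
# All networks and interface names below are assumed placeholders.
set -e

# Constructed sample values; override from the environment for a real site.
MASQ_NET="${MASQ_NET:-10.0.0.0/24}"        # assumed: zone MASQ
GOOD_EXT="${GOOD_EXT:-192.0.2.0/26}"       # assumed: external addresses of zone GOOD
DMZ_EXT="${DMZ_EXT:-198.51.100.0/28}"      # assumed: external addresses of zone DMZ
PPP_IF="${PPP_IF:-ppp0}"                   # assumed: the dynamic PPP interface

# Current address of the PPP link (DynIP), read with iproute2. It changes on
# every reconnect, so the SNAT rule has to be rebuilt from the ip-up hook.
ppp_addr() {
    ip -4 -o addr show dev "$1" 2>/dev/null | awk '{ print $4 }' | cut -d/ -f1
}

# The weak form: one catch-all MASQUERADE. A MASQ client talking directly to
# GOOD leaves HOST on the GOOD-facing interface, so MASQUERADE picks that
# interface's address (a.b.c.62 in the thread), not DynIP.
catchall_rules() {
    printf '%s\n' "-t nat -A POSTROUTING -s $MASQ_NET -j MASQUERADE"
}

# The fix: SNAT matched on destination, so it fires whichever interface the
# routing selects, followed by MASQUERADE limited to the PPP interface.
# Order matters: the SNAT rules must come before MASQUERADE in POSTROUTING.
# Usage: nat_rules <DynIP>
nat_rules() {
    dynip="$1"
    [ -n "$dynip" ] || { echo "nat_rules: no DynIP (PPP link down?)" >&2; return 1; }
    printf '%s\n' \
      "-t nat -A POSTROUTING -s $MASQ_NET -d $GOOD_EXT -j SNAT --to-source $dynip" \
      "-t nat -A POSTROUTING -s $MASQ_NET -d $DMZ_EXT -j SNAT --to-source $dynip" \
      "-t nat -A POSTROUTING -s $MASQ_NET -o $PPP_IF -j MASQUERADE"
}

# Print the rules (default) or apply them when APPLY=1. POSTROUTING is
# flushed first so an SNAT to a previous DynIP does not linger after a
# PPP reconnect. DynIP can be forced with DYNIP=... for a dry run.
apply_rules() {
    dynip="${DYNIP:-$(ppp_addr "$PPP_IF")}"
    if [ "${APPLY:-0}" = 1 ]; then
        iptables -t nat -F POSTROUTING
        nat_rules "$dynip" | while read -r rule; do
            # shellcheck disable=SC2086
            iptables $rule
        done
    else
        nat_rules "$dynip"
    fi
}

# Stand-alone run: dry-run the rules when a DynIP was supplied, e.g.
#   DYNIP=203.0.113.7 sh this_script.sh
if [ -n "${DYNIP:-}" ]; then
    apply_rules
fi
```

Run it from the PPP ip-up script with APPLY=1 so the SNAT rule follows each new DynIP; conntrack entries created under the old address do not migrate, so sessions in flight across a reconnect are lost either way. This covers only assumption #1, the direct path through HOST; it does nothing for the external-path requirement in #2.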