[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [FW1] NAT vs. PAT??

To: Keith Fontenot <keith_fontenot@anadarko.COM>
Subject: Re: [FW1] NAT vs. PAT??
From: bbbrandt@mmm.com
Date: Thu, 15 Apr 1999 08:57:34 -0500
Cc: Firewall-1 mailing list <fw-1-mailinglist@lists.us.checkpoint.com>

Keith,

In my experience, NAT (vs. PAT) is usually a better choice if the addresses for
many-to-many NAT are available.  One specific example is for ISAKMP/Oakley key
exchange used for setting up dynamic
IPSec VPNs.  This works with most NATs, but will not work with any PATs as it
requires UDP/500 for
both the source and destination transport layer port numbers.   PAT definitely
breaks this.

There are probably other examples, but I do not know of any offhand.

Bob Brandt, 3M, bbbrandt@mmm.com

Keith Fontenot wrote:

> Is there is preference to using NAT(many to many) over PAT(many to one)?  In
> other words if the addresses are available does using NAT buy you anything
> over using PAT?
>
> Thanks,
> Keith
>
> ================================================================================
>      To unsubscribe from this mailing list, please see the instructions at
>                http://www.checkpoint.com/services/mailing.html
> ================================================================================

================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================

Prev by Date: RE: [FW1] ANY-ANY-ANY-ACCEPT? I think not...
Next by Date: RE: [FW1] mime types and virus scan software
Prev by thread: Re: [FW1] NAT vs. PAT??
Next by thread: [FW1] Websense and Authentication
Index(es):
- Date
- Thread