> > Think about it a second, goes in one interface, comes out the same
> > interface.... "one-armed" just change the addresses in the masq file
> > eth0 192.168.168.0/24
> #the example of the one-armed router:
> #INTERFACE SUBNET ADDRESS
> eth0:!192.168.1.0/24 192.168.1.0/24
> #your idea:
> #eth0:192.168.168.0/24 192.168.168.0/24
> That sounds like: If you get something for 192.168.168.0/24 send it
> to eth0. A client of that subnet would not contact the gateway to
> a client of its own subnet.
Think you just answered your own question.
Why are you trying to contact the gateway? You should be
using 192.168.168.190 as the target, not 192.168.10.xxx
There is no route to that subnet, and all the traffic from
192.168.10.xxx appears to come from 192.168.168.190
anyway, to any machine on 192.168.168.0/24....
> I think it should be rather:
> #eth0:192.168.10.0/24 192.168.168.0/24
> Anyway: On client 192.168.168.20 I ping 192.168.10.20.
How do you port forward an icmp packet with the second nat device?
You can't, right?
> Different subnet -> gateway.
> The gateway receives on eth0 for destination 192.168.10.0/24, so
> it back to eth0.
> Is that a broadcast to 192.168.168.0/24?
> Can't shorewall route this directly to 192.168.168.190 (NAT-Gateway)?
This is like FAQ2, just a different service.
For just one you would need a dnat rule and a masq rule. Example:
#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE PORT(S) ORIGINAL DEST
DNAT loc loc:192.168.168.190 tcp 22 - 192.168.10.20
#INTERFACE SUBNET ADDRESS PROTO PORT(S)
eth0 192.168.168.0/24 192.168.168.202 tcp 22
Might do it, I'm not testing this, I think it's a bit silly.
> > The second nat device is treating your lan like your firewall treats
> > hides all the addresses behind one ip. To connect to anything behind
> > you would need to enable port forwarding on it. You would then need
> > the connection to 192.168.168.190. You can't connect directly to any
> > 192.168.10.0/24 machines, just as nobody on the internet can connect
> > stuff unless there is a dnat rule in the firewall. If you can disable
> > the nat, and just
> > forward, you can then route to 192.168.10.0/24 though
> Of course, so far I just do ssh to 192.168.168.190 (NAT) and this
> knows about ssh forwarding to a client such as 192.168.10.20
So in the end, what are you trying to accomplish? Access to every
192.168.10.x or just a couple? What services?
> Thanks for your help and time so far, Jerry.
> I am still at the beginning of Cisco's Academy:)
I had better not be doing your homework.....
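What the DNAT line and the masq line do together, as an added example that is not from the list thread: a small Python model of one ssh request and reply over the one-armed LAN, using the thread's addresses plus 192.168.168.202 assumed to be the firewall's eth0 address (the ADDRESS column of the masq line). Running it with and without the masq rule shows why the masq line is there: without it the second NAT device answers 192.168.168.20 directly, so the reply arrives from 192.168.168.190 instead of 192.168.10.20 and never matches the client's socket.

```python
"""Model of the hairpin DNAT + masq pair sketched in the thread (added example).
Addresses are the thread's, except FW_ETH0, assumed to be the firewall's eth0
address, i.e. the ADDRESS column of the masq line."""
from dataclasses import dataclass, replace

CLIENT = "192.168.168.20"    # client on the one-armed LAN (thread)
FW_ETH0 = "192.168.168.202"  # firewall eth0 address, masq ADDRESS column (assumed)
NATBOX = "192.168.168.190"   # second NAT device (thread)
INNER = "192.168.10.20"      # host behind the second NAT device (thread)
LAN = "192.168.168."         # 192.168.168.0/24, the masq SUBNET column


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    port: int = 22


def fw_forward(p, masq):
    """DNAT loc loc:NATBOX tcp 22 - INNER, optionally followed by the masq line."""
    if p.dst == INNER and p.port == 22:
        p = replace(p, dst=NATBOX)           # ORIGINAL DEST -> DEST
        if masq and p.src.startswith(LAN):
            p = replace(p, src=FW_ETH0)      # SUBNET -> ADDRESS
    return p


def fw_reverse(p):
    """Connection tracking undoes both translations for the matching reply."""
    p = replace(p, src=INNER) if p.src == NATBOX else p
    return replace(p, dst=CLIENT) if p.dst == FW_ETH0 else p


def natbox(p):
    """Port forward tcp/22 at NATBOX to INNER, and hide INNER on the way back."""
    if p.dst == NATBOX and p.port == 22:
        return replace(p, dst=INNER)
    return replace(p, src=NATBOX) if p.src == INNER else p


def ssh_session(masq):
    """One request and reply; returns the source address CLIENT sees the reply from."""
    req = natbox(fw_forward(Pkt(CLIENT, INNER), masq))  # what INNER receives
    rep = natbox(Pkt(INNER, req.src))                    # INNER answers whoever asked
    if rep.dst == FW_ETH0:          # only then does the reply pass the firewall again
        rep = fw_reverse(rep)
    return rep.src                  # CLIENT expects INNER here, or the socket never matches


def reply_matches(masq):
    return ssh_session(masq) == INNER
```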