Trust me, I'm very familiar with FTP and firewalls. The problem is not just with NAT, but exists with SPI. Both are solved problems that work with NAT. Something like ftp over SSH works well without fixup or NAT issues and is becoming more standard at least in the financial services community. IPSEC to a NAT/SPI firewall works fine, though it has issues. But then again, rarely do you want that in a corporate network anyway.
-----Original Message-----
From: Valdis.Kletnieks@vt.edu [mailto:Valdis.Kletnieks@vt.edu]
Sent: Thursday, February 03, 2011 2:29 PM
To: Matthew Huff
Cc: Owen DeLong; nanog@nanog.org
Subject: Re: quietly....
On Thu, 03 Feb 2011 13:41:26 EST, Matthew Huff said:
Owen, can you point to an application protocol that is broken via NAT that isn't a p2p protocol or VoIP?
The only reason FTP works through a NAT is because the NAT has already been hacked up to further mangle the data stream to make up for the mangling it does.
I'm told that IPSEC through a NAT can be interesting too... And that's something I'm also told some corporations are interested in.
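
The stream rewriting discussed in the thread above, as an added example that is not part of the original messages: active-mode FTP carries the client's IP address and port inside the `PORT` command (and the server's inside the `227` reply), so a NAT helper has to parse and rewrite the control channel. The function names, addresses and port mapping below are constructed for illustration.

```python
import re

# h1,h2,h3,h4,p1,p2 tuple used by PORT (RFC 959) and the 227 passive reply
_HOSTPORT = re.compile(
    r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
)


def parse_hostport(line):
    """Return (ip, port) embedded in a PORT command or 227 reply, else None."""
    if not (line.upper().startswith("PORT ") or line.startswith("227 ")):
        return None
    m = _HOSTPORT.search(line)
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None  # not a valid octet tuple, leave the line alone
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def alg_rewrite(line, private_ip, public_ip, port_map):
    """Rewrite an embedded private endpoint to its public NAT mapping.

    Returns (new_line, length_delta). A non-zero delta is why a helper
    doing this on a live TCP stream must also adjust sequence and
    acknowledgement numbers for the rest of the session.
    """
    ep = parse_hostport(line)
    if ep is None or ep[0] != private_ip:
        return line, 0
    pub_port = port_map.get(ep[1], ep[1])  # hypothetical NAT port binding
    new_tuple = "{},{},{}".format(
        public_ip.replace(".", ","), pub_port >> 8, pub_port & 0xFF
    )
    new_line = _HOSTPORT.sub(new_tuple, line, count=1)
    return new_line, len(new_line) - len(line)


if __name__ == "__main__":
    # Constructed control-channel lines; 203.0.113.7 is a documentation address.
    for sample in ("USER anonymous\r\n", "PORT 192,168,1,10,195,80\r\n"):
        print(alg_rewrite(sample, "192.168.1.10", "203.0.113.7", {50000: 61001}))
```

If the control channel is encrypted, the helper cannot see or rewrite these lines.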