Policy NAT to exclude several networks

Old 04-16-2007
COS&HT Admin

Hello majordomo,

I wrote this mail a couple of weeks back, but never received a
reply or confirmation. So I re-try it again...

We have an office LAN in two separate buildings (two rooms).

These LANs are connected to a common "magistral" line by two
firewall/routers with IPF 4.1.19+PFIL 2.1.12 on Solaris 8 x86.
This "magistral" line also links these firewalls (and some
nearby partner offices' firewalls) to the Internet.

There are several IP address ranges in each room, including
private IPs which are NATed on the firewalls.

We want to use the hosts' own local IP addresses (even if these
are the private IPs) when communicating between rooms, so that
NAT only takes place if the hosts communicate to Internet.

From the FAQ and the documentation I believe this falls under
the "Policy NAT" rules, but this is scarcely documented, thus
I am uncertain which syntax to use (if defining several Policy
NAT exceptions is supported at all).

For example, what we *mean* to achieve is that if destination
IP is NOT in either range 194.12.34.64/26 nor 192.168.128.0/24
(not a connection from one room's private subnet to the other
room's subnets), then do NAT. Otherwise pass the source/dest
addresses as-is.

The only syntax we found to pass the syntax check is:

map elxl1 from 192.168.129.0/24 ! to 194.12.34.64/26 -> 194.12.33.113/32
map elxl1 from 192.168.129.0/24 ! to 192.168.128.0/24 -> 194.12.33.113/32

However this only works for one of the rules (the first one,
I believe), so packets for the second subnet mentioned become
translated by NAT.

Recent IPFs also allow defining ippool names to group addresses.
This only seems to work for ipf filtering, and the following line
in ipnat.conf breaks the syntax check:

map elxl1 from 192.168.129.144/28 ! to pool/real217 -> 194.67.183.113/32

To sum it up, the question stands: can we not-NAT several subnets,
and if yes, what is the proper syntax?

--
Best regards,
COS&HT Admin mailto:admin@cos.ru
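Added example, not part of the original post: a small Python model of the decision the poster wants (NAT only when the destination is in none of the exempt networks) next to what two separately negated "! to" map rules actually express. The rule evaluation here is a simplified first-match approximation written for illustration, not ipnat's own code; the function names and the Rule tuple are assumptions.

```python
# Added example (not from the original post): model of the policy-NAT
# decision. The first-match evaluation of the two "! to" rules below is a
# simplified assumption about ipnat semantics, not ipnat's actual code.
import ipaddress
from typing import List, Tuple

SRC_NET = ipaddress.ip_network("192.168.129.0/24")
EXEMPT = [ipaddress.ip_network("194.12.34.64/26"),
          ipaddress.ip_network("192.168.128.0/24")]
NAT_ADDR = ipaddress.ip_address("194.12.33.113")

# Each rule: (source net, negated destination net, translated address),
# mirroring the two "map elxl1 from ... ! to ... -> ..." lines in the post.
Rule = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Network, ipaddress.IPv4Address]
RULES: List[Rule] = [(SRC_NET, EXEMPT[0], NAT_ADDR),
                     (SRC_NET, EXEMPT[1], NAT_ADDR)]


def translate_per_rule(src: str, dst: str) -> str:
    """Evaluate the rules one by one: the first rule whose source matches
    and whose negated destination does NOT contain dst rewrites src.
    Because the two exempt nets are disjoint, a packet for one of them
    always fails the *other* rule's negation and still gets translated:
    '! to A' OR '! to B' covers every destination."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_net, not_dst, nat_addr in RULES:
        if s in src_net and d not in not_dst:
            return str(nat_addr)
    return src


def translate_intended(src: str, dst: str) -> str:
    """What the poster means: translate only if dst lies in none of the
    exempt networks ('! to A' AND '! to B'), otherwise pass src as-is."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s in SRC_NET and not any(d in net for net in EXEMPT):
        return str(NAT_ADDR)
    return src


if __name__ == "__main__":
    # Constructed sample flows: one per exempt net, one to the Internet.
    for dst in ("194.12.34.70", "192.168.128.5", "198.51.100.9"):
        print(dst, translate_per_rule("192.168.129.10", dst),
              translate_intended("192.168.129.10", dst))
```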
