Setting up the network
90 Avaya VPNmanager Configuration Guide Release 3.7
In the example shown in
Figure 28
, when client 10.1.2.101 initially sends a packet to a host on
the public network, the security gateway dynamically maps the client’s private address
10.1.2.101 to a public address selected from the N
1
.N
2
.N
3
.0/24 address pool. Since the packet
is going out the public interface, the security gateway changes the packet’s source address
10.1.2.101 to its assigned public address N
1
.N
2
.N
3
.X.
When the public host receives the packet, it sends a reply to N
1
.N
2
.N
3
.X. The reply packet is
routed into the security gateway through the public interface, the security gateway changes the
packet’s destination address back to the client’s private address 10.1.2.101 before sending the
packet back to the client.
The public address assigned to the client’s private address remains in effect until the client
traffic is idle for a user-defined period of time. When this idle period is reached, the mapped
address is returned to the pool of available addresses. When all public addresses have been
assigned, no other private clients can initiate a connection to the public network until a public
address becomes available.
One limitation for dynamic mapping is that communication with remote hosts on the public
network can only be initiated from clients on the private network. If communication initiated from
either the public or private side is required, static address mapping must be used. Static
address mapping permanently maps private addresses to their corresponding public
addresses, thereby allowing communication between clients and hosts to be initiated from
either the private or public network.
Setting up VPN with overlapping private addresses
Figure 29
shows an example of using NAT to set up VPNs between two sites that use the same
private network addresses while still allowing private network connections to the Internet. Three
NAT rules are applied to each security gateway: one on the private interface, one on the public
interface, and one on the VPN tunnel. A DNS entry is also required for each host that can be
reached through the tunnel.
The tunnel-mode VPN, named Sales_VPN, provides a secure connection between the
SF_Sales_Group and LA_Sales_Group over the public network. Since both sites are using the
same private network addresses, NAT mapping must be performed on packets entering and
leaving the Sales_VPN tunnel. This is required to ensure that unique host addresses are used
on each side of the tunnel.
Communication between a member of the SF_Sales_Group and the server in LA_Sales_Group
starts with a DNS lookup of the LA_Sales_Group server address which in this example returns
a destination address of 10.0.88.20. The SF_VSU proxy ARPs for 10.0.88.20 by sending its
own MAC address in response to an ARP request.
When the packet sent from 10.1.1.17 to 10.0.88.20 enters SF_VSU
through the private interface, its destination address is changed from 10.0.88.20 to 172.16.1.20
by applying the NAT rule assigned to the security gateway’s private interface.
The SF_VSU performs a VPN lookup and determines that the packet
needs to be tunneled to the LA_VSU. Since the packet is leaving the SF_VSU through the
Sales_VPN tunnel, the SF_VSU applies the tunnel NAT rule to the packet’s source address
Summary of Contents for 3.7
Page 1: ...VPNmanager Configuration Guide Release 3 7 670 100 600 Issue 4 May 2005...
Page 4: ......
Page 20: ...Preface 20 Avaya VPNmanager Configuration Guide Release 3 7...
Page 32: ...Overview of implementation 32 Avaya VPNmanager Configuration Guide Release 3 7...
Page 53: ...Preferences Issue 4 May 2005 53 Figure 16 Tunnel End Point Policy...
Page 54: ...Using VPNmanager 54 Avaya VPNmanager Configuration Guide Release 3 7...
Page 244: ...Using advanced features 244 Avaya VPNmanager Configuration Guide Release 3 7...
Page 292: ...Upgrading firmware and licenses 292 Avaya VPNmanager Configuration Guide Release 3 7...