Setting up the network
92 Avaya VPNmanager Configuration Guide Release 3.7
When the SF_VSU receives the reply packet through the tunnel, the tunnel NAT rule changes
the packet’s destination address from 172.16.0.17 to 10.1.1.17 and the private interface NAT
rule changes the packet’s source address from 172.16.1.20 to 10.0.88.20 before the packet is
sent out to the SF_Sales_Group client through the private interface.
The NAT rule applied to the public interface on each of the VSUs allows clients on the private
networks to access the Internet by mapping their private addresses to public addresses, as
described in the previous section, Accessing the Internet from private networks.
Using NAT to support multiple gateway configurations
Figure 30 shows an example of using NAT to ensure that all replies to packets entering the
network through a security gateway exit the network through the same security gateway. The
NAT rule applied to the security gateway-B private interface dynamically maps the source IP
address of packets sent out the private interface of the security gateway-B to one of 16
addresses assigned to the security gateway-B address pool. Note that the IP address 0.0.0.0/0
matches any packet entering or leaving the security gateway through the designated interface.
When a packet is initially sent from Host A to Host B through the VPN tunnel, security
gateway-B dynamically maps the packet source address (X₁.X₂.X₃.11) to an IP address
selected from the address pool (Y₁.Y₂.Y₃.X) before sending the packet out the private interface.
As a result, reply packets destined for Host A are sent to Y₁.Y₂.Y₃.X. Security gateway-B proxy
ARPs for Y₁.Y₂.Y₃.X by sending its own MAC address in response to an ARP request from Host
B. When security gateway-B receives a reply packet on the private interface, it changes the
packet’s destination address (Y₁.Y₂.Y₃.X) back to the original address (X₁.X₂.X₃.11) before
sending the reply to Host A through the VPN tunnel.
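The mapping described above, modelled as an added Python example (not code from the Avaya guide or the gateway firmware): a dynamic source-NAT table with a 16-address pool, the proxy ARP answer, the reverse translation of replies, and the behaviour when a 17th host needs a mapping. The pool 192.168.50.16/28, the host addresses and the MAC address are constructed values standing in for the guide's X and Y placeholders; answering proxy ARP only for pool addresses currently in use is an assumption of this model.

```python
import ipaddress

class PoolExhausted(Exception):
    """No free pool address is left for a new inside host."""

class DynamicSourceNat:
    """Model of the private-interface NAT rule on security gateway-B."""

    def __init__(self, pool_cidr, gateway_mac):
        self.free = list(ipaddress.ip_network(pool_cidr))  # every address in the pool
        self.gateway_mac = gateway_mac
        self.out = {}   # original source -> pool address
        self.back = {}  # pool address -> original source

    def outbound(self, src, dst):
        """Packet leaving the private interface: rewrite the source address."""
        src = ipaddress.ip_address(src)
        if src not in self.out:
            if not self.free:
                raise PoolExhausted(f"no pool address left for {src}")
            mapped = self.free.pop(0)
            self.out[src], self.back[mapped] = mapped, src
        return str(self.out[src]), dst

    def proxy_arp(self, target_ip):
        """Answer an ARP request for a mapped pool address with the gateway's own MAC."""
        in_use = ipaddress.ip_address(target_ip) in self.back
        return self.gateway_mac if in_use else None

    def inbound(self, src, dst):
        """Reply arriving on the private interface: restore the original destination."""
        original = self.back.get(ipaddress.ip_address(dst))
        if original is None:
            return None  # no mapping, so this is not a reply to a translated flow
        return src, str(original)

def demo():
    # Constructed addresses: Host A behind the tunnel, Host B on the private LAN.
    nat = DynamicSourceNat("192.168.50.16/28", "00:00:5e:00:53:0b")
    host_a, host_b = "10.0.3.11", "192.168.50.200"
    sent = nat.outbound(host_a, host_b)    # source becomes a pool address
    reply = nat.inbound(host_b, sent[0])   # destination restored to Host A
    return nat, sent, reply

if __name__ == "__main__":
    nat, sent, reply = demo()
    print("sent:", sent, "arp:", nat.proxy_arp(sent[0]), "reply:", reply)
```

Because replies are addressed to a pool address that only security gateway-B answers ARP for, they return through the same gateway regardless of where the default router would otherwise send traffic for Host A's network.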
A possible alternative to configuring a NAT rule on the private interface of security gateway-B,
shown in Using NAT to Support Multiple Gateways, is to add a static route to the default router
which sends packets destined for the X₁.X₂.X₃.0/24 network through security gateway-B.
Page 1: ...VPNmanager Configuration Guide Release 3 7 670 100 600 Issue 4 May 2005...