Avaya 3.7 User Manual

Setting up the network
90 Avaya VPNmanager Configuration Guide Release 3.7
In the example shown in 
, when client 10.1.2.101 initially sends a packet to a host on the public network, the security gateway dynamically maps the client's private address 10.1.2.101 to a public address selected from the N1.N2.N3.0/24 address pool. Since the packet is going out the public interface, the security gateway changes the packet's source address 10.1.2.101 to its assigned public address N1.N2.N3.X.
When the public host receives the packet, it sends a reply to N1.N2.N3.X. The reply packet is routed into the security gateway through the public interface, where the security gateway changes the packet's destination address back to the client's private address 10.1.2.101 before sending the packet back to the client.
The public address assigned to the client’s private address remains in effect until the client 
traffic is idle for a user-defined period of time. When this idle period is reached, the mapped 
address is returned to the pool of available addresses. When all public addresses have been 
assigned, no other private clients can initiate a connection to the public network until a public 
address becomes available.
One limitation for dynamic mapping is that communication with remote hosts on the public 
network can only be initiated from clients on the private network. If communication initiated from 
either the public or private side is required, static address mapping must be used. Static 
address mapping permanently maps private addresses to their corresponding public 
addresses, thereby allowing communication between clients and hosts to be initiated from 
either the private or public network.
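The following Python model is an added illustration of the dynamic and static mapping described above; it is not code from the Avaya guide or the VPNmanager product. The pool 203.0.113.0/30, the private clients 10.1.2.10x and the public host 198.51.100.7 are constructed stand-ins for the guide's N1.N2.N3.0/24 pool and example hosts, and the idle timer is an integer number of seconds passed in with each packet. It shows the three behaviours the text calls out: a mapping is reused while the client stays active, an idle mapping is returned to the pool and a new client is refused when the pool is exhausted, and a public host cannot initiate a session under dynamic mapping but can under static mapping.

```python
import ipaddress


class DynamicNat:
    """Dynamic address mapping: a private source is given a public address from the
    pool on its first outbound packet and keeps it until its traffic has been idle
    for idle_timeout seconds."""

    def __init__(self, pool_cidr, idle_timeout):
        # Constructed stand-in for the guide's N1.N2.N3.0/24 pool (e.g. 203.0.113.0/30).
        self.pool = [str(h) for h in ipaddress.ip_network(pool_cidr).hosts()]
        self.idle_timeout = idle_timeout
        self.private_to_public = {}   # private -> (public, time of last activity)
        self.public_to_private = {}

    def _expire(self, now):
        # Mappings idle for the user-defined period go back to the pool.
        for priv, (pub, last) in list(self.private_to_public.items()):
            if now - last >= self.idle_timeout:
                del self.private_to_public[priv]
                del self.public_to_private[pub]
                self.pool.append(pub)

    def outbound(self, src, dst, now):
        """Packet leaving through the public interface: rewrite the private source."""
        self._expire(now)
        if src in self.private_to_public:
            pub = self.private_to_public[src][0]        # existing mapping is reused
        elif self.pool:
            pub = self.pool.pop(0)                      # allocate from the pool
            self.public_to_private[pub] = src
        else:
            return None   # pool exhausted: no further private client can start a session
        self.private_to_public[src] = (pub, now)
        return (pub, dst)

    def inbound(self, src, dst, now):
        """Reply arriving on the public interface: rewrite the public destination."""
        self._expire(now)
        priv = self.public_to_private.get(dst)
        if priv is None:
            return None   # no live mapping: a public host cannot initiate a session
        self.private_to_public[priv] = (dst, now)
        return (src, priv)


class StaticNat:
    """Static address mapping: fixed private<->public pairs, so either side may initiate."""

    def __init__(self, private_to_public):
        self.private_to_public = dict(private_to_public)
        self.public_to_private = {pub: priv for priv, pub in private_to_public.items()}

    def outbound(self, src, dst):
        pub = self.private_to_public.get(src)
        return None if pub is None else (pub, dst)

    def inbound(self, src, dst):
        priv = self.public_to_private.get(dst)
        return None if priv is None else (src, priv)


if __name__ == "__main__":
    nat = DynamicNat("203.0.113.0/30", idle_timeout=60)      # two usable addresses
    print(nat.outbound("10.1.2.101", "198.51.100.7", now=0))   # ('203.0.113.1', '198.51.100.7')
    print(nat.inbound("198.51.100.7", "203.0.113.1", now=5))   # ('198.51.100.7', '10.1.2.101')
    print(nat.outbound("10.1.2.102", "198.51.100.7", now=10))  # ('203.0.113.2', '198.51.100.7')
    print(nat.outbound("10.1.2.103", "198.51.100.7", now=20))  # None: pool exhausted
    print(nat.inbound("198.51.100.7", "203.0.113.1", now=100)) # None: mapping expired
    static = StaticNat({"10.1.2.50": "203.0.113.50"})
    print(static.inbound("198.51.100.7", "203.0.113.50"))      # ('198.51.100.7', '10.1.2.50')
```

The timestamps are passed explicitly rather than read from the clock so that the idle-timeout behaviour can be exercised deterministically; a real gateway would consult its own timer on each packet.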
Setting up VPN with overlapping private addresses
 shows an example of using NAT to set up VPNs between two sites that use the same 
private network addresses while still allowing private network connections to the Internet. Three 
NAT rules are applied to each security gateway: one on the private interface, one on the public 
interface, and one on the VPN tunnel. A DNS entry is also required for each host that can be 
reached through the tunnel.
The tunnel-mode VPN, named Sales_VPN, provides a secure connection between the 
SF_Sales_Group and LA_Sales_Group over the public network. Since both sites are using the 
same private network addresses, NAT mapping must be performed on packets entering and 
leaving the Sales_VPN tunnel. This is required to ensure that unique host addresses are used 
on each side of the tunnel.
Communication between a member of the SF_Sales_Group and the server in LA_Sales_Group 
starts with a DNS lookup of the LA_Sales_Group server address which in this example returns 
a destination address of 10.0.88.20. The SF_VSU proxy ARPs for 10.0.88.20 by sending its 
own MAC address in response to an ARP request.
When the packet sent from 10.1.1.17 to 10.0.88.20 enters SF_VSU 
through the private interface, its destination address is changed from 10.0.88.20 to 172.16.1.20 
by applying the NAT rule assigned to the security gateway’s private interface.
The SF_VSU performs a VPN lookup and determines that the packet 
needs to be tunneled to the LA_VSU. Since the packet is leaving the SF_VSU through the 
Sales_VPN tunnel, the SF_VSU applies the tunnel NAT rule to the packet’s source address
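The following Python model is an added example of the three-rule arrangement described above (private interface, VPN tunnel, public interface) for the overlapping-address case; it is not code from the Avaya guide. The values taken from the guide are the SF client 10.1.1.17, the DNS answer 10.0.88.20, and the private-interface rule that rewrites that destination to 172.16.1.20. Everything else is assumed for illustration: the LA server's real private address 10.1.1.20 (the same 10.1.1.0/24 range as the SF site, which is the overlap the NAT resolves), the 172.16.2.x addresses by which SF hosts are known on the LA side, the public address used by the public-interface rule, and the 172.16.x.0/24 prefixes used for the VPN lookup. Each rule is applied forward when traffic leaves the private side and in reverse when it returns, so the round trip shows why neither site ever sees the other's 10.1.1.x addresses.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class NatRule:
    field: str      # "src" or "dst": header field rewritten for traffic leaving the private side
    match: str      # address the rule looks for
    translate: str  # address written in its place

    def reverse(self):
        # The same mapping seen from the other direction: the translated address,
        # now in the opposite header field, is mapped back to the original.
        return NatRule("src" if self.field == "dst" else "dst", self.translate, self.match)


def apply_rules(rules, pkt):
    out = dict(pkt)
    for rule in rules:
        if out[rule.field] == rule.match:
            out[rule.field] = rule.translate
    return out


def gateway(private, tunnel, public, tunnel_remote):
    # One rule list per place the guide attaches a NAT rule, plus the prefix
    # the VPN lookup uses to decide that a packet belongs in Sales_VPN (assumed).
    return {"private": private, "tunnel": tunnel, "public": public,
            "tunnel_remote": ipaddress.ip_network(tunnel_remote)}


DNS = {"la-sales-server": "10.0.88.20"}   # guide value

SF_VSU = gateway(
    private=[NatRule("dst", "10.0.88.20", "172.16.1.20")],   # guide value
    tunnel=[NatRule("src", "10.1.1.17", "172.16.2.17")],     # assumed target address
    public=[NatRule("src", "10.1.1.17", "203.0.113.5")],     # assumed public address
    tunnel_remote="172.16.1.0/24",
)
LA_VSU = gateway(
    private=[],
    tunnel=[NatRule("src", "10.1.1.20", "172.16.1.20")],     # assumed: LA server is really 10.1.1.20
    public=[],
    tunnel_remote="172.16.2.0/24",
)


def egress(gw, pkt):
    """Packet entering on the private interface: private rule, VPN lookup, then tunnel or public rule."""
    trace = [("private", apply_rules(gw["private"], pkt))]
    pkt = trace[-1][1]
    if ipaddress.ip_address(pkt["dst"]) in gw["tunnel_remote"]:
        trace.append(("Sales_VPN", apply_rules(gw["tunnel"], pkt)))
    else:
        trace.append(("public", apply_rules(gw["public"], pkt)))
    return trace


def ingress(gw, pkt):
    """Packet arriving out of the tunnel: tunnel rule reversed, then private rule reversed."""
    pkt = apply_rules([r.reverse() for r in gw["tunnel"]], pkt)
    return apply_rules([r.reverse() for r in gw["private"]], pkt)


def sf_to_la_round_trip(hostname):
    request = {"src": "10.1.1.17", "dst": DNS[hostname]}
    out_trace = egress(SF_VSU, request)
    at_la_server = ingress(LA_VSU, out_trace[-1][1])
    reply = {"src": at_la_server["dst"], "dst": at_la_server["src"]}
    back_trace = egress(LA_VSU, reply)
    at_sf_client = ingress(SF_VSU, back_trace[-1][1])
    return out_trace, at_la_server, back_trace, at_sf_client


if __name__ == "__main__":
    for step in sf_to_la_round_trip("la-sales-server"):
        print(step)
```

The point to notice in the output is that the LA server receives the request from 172.16.2.17, not 10.1.1.17, and the SF client receives the reply from 10.0.88.20, the address DNS gave it; the colliding 10.1.1.x addresses never leave their own site. Internet-bound traffic from the same client misses the tunnel prefix and takes the public-interface rule instead.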