Avaya 3.7 User Manual

Setting up the network
92 Avaya VPNmanager Configuration Guide Release 3.7
When the SF_VSU receives the reply packet through the tunnel, the tunnel NAT rule changes 
the packet’s destination address from 172.16.0.17 to 10.1.1.17 and the private interface NAT 
rule changes the packet’s source address from 172.16.1.20 to 10.0.88.20 before the packet is 
sent out to the SF_Sales_Group client through the private interface.
The NAT rule applied to the public interface on each of the VSUs allows clients on the private 
networks to access the Internet by mapping their private addresses to public address as 
described in the previous section.
Using NAT to support multiple gateway configurations
shows an example of using NAT to ensure that all replies to packets entering the 
network through a security gateway exit the network through the same security gateway. The 
NAT rule applied to the security gateway-B private interface dynamically maps the source IP 
address of packets sent out the private interface of the security gateway-B to one of 16 
addresses assigned to the security gateway-B address pool. Note that the IP address 0.0.0.0/0 
matches any packet entering or leaving the security gateway through the designated interface.
When a packet is initially sent from Host A to Host B through the VPN tunnel, security 
gateway-B dynamically maps the packet source address (X1.X2.X3.11) to an IP address 
selected from the address pool (Y1.Y2.Y3.X) before sending the packet out the private interface. 
As a result, reply packets destined for Host A are sent to Y1.Y2.Y3.X. Security gateway-B proxy 
ARPs for Y1.Y2.Y3.X by sending its own MAC address in response to an ARP request from Host 
B. When security gateway-B receives a reply packet on the private interface, it changes the 
packet’s destination address (Y1.Y2.Y3.X) back to the original address (X1.X2.X3.11) before 
sending the reply to Host A through the VPN tunnel.
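The pool mapping, proxy ARP decision and reverse translation described above can be modeled as follows. This is an added example, not Avaya code: the class name, the constructed addresses (192.0.2.11 for Host A, 198.51.100.40 for Host B, 198.51.100.16/28 as the 16-address pool) and the choice to proxy-ARP only for pool addresses currently mapped are assumptions.

```python
import ipaddress

class PoolNat:
    """Model of a dynamic source-NAT rule on a gateway's private interface."""

    def __init__(self, pool_cidr):
        # Every address in the block is usable as a translation target.
        self.free = list(ipaddress.ip_network(pool_cidr))
        self.out = {}   # original source -> pool address
        self.back = {}  # pool address -> original source

    def outbound(self, src, dst):
        """Packet leaving the tunnel for the private network: rewrite the source."""
        src = ipaddress.ip_address(src)
        if src not in self.out:
            if not self.free:
                raise RuntimeError(f"NAT pool exhausted, cannot map {src}")
            mapped = self.free.pop(0)
            self.out[src], self.back[mapped] = mapped, src
        return str(self.out[src]), dst

    def answers_arp(self, target):
        """Proxy ARP: answer with the gateway's MAC for mapped pool addresses (assumption)."""
        return ipaddress.ip_address(target) in self.back

    def inbound(self, src, dst):
        """Reply arriving on the private interface: restore the original destination."""
        orig = self.back.get(ipaddress.ip_address(dst))
        # No mapping means the packet is not a reply to translated tunnel traffic.
        return None if orig is None else (src, str(orig))

if __name__ == "__main__":
    nat = PoolNat("198.51.100.16/28")               # constructed 16-address pool
    host_a, host_b = "192.0.2.11", "198.51.100.40"  # constructed addresses
    fwd = nat.outbound(host_a, host_b)
    print("to Host B:", fwd)
    print("proxy ARP for", fwd[0], "->", nat.answers_arp(fwd[0]))
    print("reply to Host A:", nat.inbound(host_b, fwd[0]))
```

A seventeenth concurrent source raises the exhaustion error, which is the capacity limit to keep in mind when sizing the pool for the number of remote hosts behind the tunnel.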
A possible alternative to configuring a NAT rule on the private interface of security gateway-B 
shown in 
 is to add a static route to the default router 
which sends packets destined for the X1.X2.X3.0/24 network through security gateway-B.