Vpn Related Configuration - ZyXEL Communications Unified Security Gateway ZyWALL 1000 User Manual

Unified security gateway

Chapter 20 IPSec VPN
• Destination - the original destination address; the local network (A).
• SNAT - the translated source address; a different IP address (range of addresses) to hide
the original source address.
20.1.2.2.3 Destination Address in Inbound Packets (Inbound Traffic, Destination NAT)
You can set up this translation if you want the ZyWALL to forward some packets from the
remote network to a specific computer in the local network. For example, in Figure 197 on
page 295, you can configure this kind of translation if you want to forward mail from the
remote network to the mail server in the local network (A).
You have to specify one or more rules when you set up this kind of NAT. The ZyWALL
checks these rules in a way similar to how it checks firewall rules. The first part of each
rule defines the conditions in which the rule applies.
• Original IP - the original destination address; the remote network (B).
• Protocol - the protocol [TCP, UDP, or both] used by the service requesting the connection.
• Original Port - the original destination port or range of destination ports; in Figure 197
on page 295, it might be port 25 for SMTP.
The second part of these rules controls the translation when the condition is satisfied.
• Mapped IP - the translated destination address; in Figure 197 on page 295, the IP address
of the mail server in the local network (A).
• Mapped Port - the translated destination port or range of destination ports.
The original port range and the mapped port range must be the same size.
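The following sketch is an added example, not ZyXEL code or ZyWALL configuration syntax. It models the rule fields above in Python to show ordered rule checking and the equal-size port range constraint. The addresses, the ports helper, and the one-to-one offset mapping of ports within a range are assumptions made for illustration.

```python
# Added illustration; not ZyXEL code. A model of the inbound destination NAT
# rules described above. All addresses and ports are constructed sample values.
from dataclasses import dataclass
from ipaddress import ip_address

@dataclass(frozen=True)
class DnatRule:
    original_ip: str        # the rule's Original IP (original destination address)
    protocols: frozenset    # {"tcp"}, {"udp"} or both
    original_ports: range   # Original Port (single port or range)
    mapped_ip: str          # Mapped IP (host in the local network)
    mapped_ports: range     # Mapped Port (single port or range)

    def __post_init__(self):
        # The manual's constraint: both port ranges must be the same size.
        if not self.original_ports or len(self.original_ports) != len(self.mapped_ports):
            raise ValueError("original and mapped port ranges must be the same size")
        if not self.protocols or not self.protocols <= {"tcp", "udp"}:
            raise ValueError("protocol must be TCP, UDP, or both")
        ip_address(self.original_ip)    # raises ValueError on malformed input
        ip_address(self.mapped_ip)

    def matches(self, dst_ip, proto, dst_port):
        return (ip_address(dst_ip) == ip_address(self.original_ip)
                and proto in self.protocols and dst_port in self.original_ports)

    def translate(self, dst_port):
        # Assumption: ports map one-to-one by offset within the range.
        offset = dst_port - self.original_ports.start
        return self.mapped_ip, self.mapped_ports.start + offset

def apply_dnat(rules, dst_ip, proto, dst_port):
    """Return (ip, port) after translation; the first matching rule wins."""
    for rule in rules:                  # checked in order, like firewall rules
        if rule.matches(dst_ip, proto, dst_port):
            return rule.translate(dst_port)
    return dst_ip, dst_port             # no rule matched: destination unchanged

def ports(first, last):
    return range(first, last + 1)       # inclusive port range (hypothetical helper)

# Constructed rule set: SMTP to a mail server, then a broader range to another host.
RULES = [
    DnatRule("10.0.0.1", frozenset({"tcp"}), ports(25, 25), "192.168.1.25", ports(25, 25)),
    DnatRule("10.0.0.1", frozenset({"tcp", "udp"}), ports(20, 29), "192.168.1.50", ports(8020, 8029)),
]
```

Because the first match wins, swapping the two sample rules would send TCP port 25 to the second host. Keep narrow rules above broad ones and review the order whenever a rule is added.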

20.2 VPN Related Configuration

This section briefly explains the relationship between VPN tunnels and other features. It also
gives some basic suggestions for troubleshooting.
You should set up the following features before you set up the VPN tunnel.
• In any VPN connection, you have to select address objects to specify the local policy and
remote policy. You should set up the address objects first.
• In a VPN gateway, you can select an Ethernet interface, virtual Ethernet interface, VLAN
interface, or virtual VLAN interface to specify what IP address the ZyWALL uses
when it establishes the IKE SA. You should set up the interface first. See Chapter 10 on
page 179.
• In a VPN gateway, you can enable extended authentication. If the ZyWALL runs in server
mode, you should set up the authentication method (AAA server) first. The authentication
method specifies how the ZyWALL authenticates the remote IPSec router. See Chapter 38
on page 531.
• In a VPN gateway, the ZyWALL and remote IPSec router can use certificates to
authenticate each other. You should import the certificate first. See Chapter 40 on page
545.
You should set up the following features before the network can use the VPN tunnel.
• The ZyWALL does not put IPSec SA in the routing table. You must create a policy route
for the VPN tunnel. See Chapter 12 on page 225.
ZyWALL USG 1000 User's Guide

This manual is also suitable for:

Zywall usg 1000