How to configure VPN pass-through on a Symantec Gateway Security 5000 Series v3.x appliance

Article:TECH84314  |  Created: 2006-01-15  |  Updated: 2012-03-27  |  Article URL http://www.symantec.com/docs/TECH84314
Article Type
Technical Solution


Issue



You need to pass non-IPSec VPN traffic through your Symantec Security Gateway 5000 Series v3.x appliance, to a VPN concentrator that is on your service network.



Solution



To pass VPN traffic through your appliance, you must make the following configuration changes to your appliance:

  • Create appropriate network entities for your VPN endpoints and, if needed, for your VPN clients.
  • Create a static one-to-one NAT pool and address transform for outbound traffic from your VPN endpoint.
  • Create an inbound address transform to use the original IP address of your external VPN clients or endpoints.
  • Create a rule to permit the VPN traffic to pass through your gateway.


Create network entities for your VPN endpoint and optionally for your VPN clients
You must define both endpoints of the traffic for use in transforms and rules.

If you need to restrict VPN connections to specific IP addresses, then you must create network entities for the IP addresses from which you permit connections. If you want to permit any IP address to make a connection to your VPN endpoint, then you can use the Universe entity instead.

To create a network entity for your internal VPN endpoint
  1. In the left pane of the Security Gateway Management Interface (SGMI), under Assets, click Network.
  2. In the right pane on the Network Entities tab, click New > Host Entity.
  3. In the Host Entity Properties dialog box, in the Name text box, type a unique name for the entity.
  4. In the IP Address text box, type the IP address of your VPN endpoint.
  5. Click OK.
  6. In the SGMI, on the toolbar click Activate.
    When you are asked to save your changes, click Yes.

Your VPN endpoint host entity is complete. If you have multiple VPN endpoints inside of your network to which you need to permit access, create a host entity for each endpoint. When all of the host entities are complete, create a group entity to contain all of the host entities.

To create a Network Entity for your external VPN clients
  1. In the left pane of the SGMI, under Assets, click Network.
  2. In the right pane on the Network Entities tab, click New > Host Entity.
  3. In the Host Entity Properties dialog box, in the Name text box, type a unique name for the entity.
  4. In the IP Address text box, type the IP address of your VPN client.
  5. Click OK.
  6. In the SGMI, on the toolbar click Activate.
    When you are asked to save your changes, click Yes.

Your VPN client host entity is complete. If you have multiple clients for which you need to permit access, you must create a host entity for each client IP address. When all of your VPN client host entities are complete, create a group entity to contain them all.


Create a static one-to-one NAT pool and address transform
You must create a NAT pool and address transform so that all traffic to and from your VPN endpoint appears to be from a publicly routable IP address. If your service network uses publicly routable IP addresses, then you do not need to create a NAT pool, but you must create an address transform to maintain the original IP address.

If your service network uses private IP addresses, then you must also create subnet entities for the public IP address to which you transform the VPN endpoint and for the real IP address of the VPN endpoint.

To create a static one-to-one NAT pool
  1. In the left pane of the SGMI, under Assets, click Network.
  2. In the right pane on the NAT Pools tab, click New NAT Pool > Static NAT Pool.
  3. In the Properties dialog box, on the General tab, in the NAT Pool Name text box, type a descriptive name for this NAT pool.
  4. In the Real Subnet drop-down list, click the network entity that represents the real IP address of your VPN endpoint.
  5. In the NAT subnet drop-down list, click the network entity that represents the IP address to which the VPN endpoint is transformed.
  6. Click OK.
  7. In the SGMI, on the toolbar click Activate.
    When you are asked to save your changes, click Yes.

To create the outbound address transform
  1. In the left pane of the SGMI, under Assets, click Network.
  2. In the right pane on the Address Transforms tab, click New Address Transform.
  3. In the Properties dialog box, on the General tab, configure the following properties:
    Property                        Value
    Name                            Type a unique name for the transform
    For connections coming in via   Click the network interface of your service network
    From source                     Click the network entity for the real IP address of your VPN endpoint
    Coming out via                  Click the external network interface
    Destined for                    Click Universe* or a network entity that represents the VPN clients
  4. On the Source Address Transform tab do one of the following:
    • If you use private IP addresses on your service network, click Use NAT Pool, and then continue to the next step.
    • If you use routable IP addresses on your service network, click Use Original Source Address and then continue to step 6.
  5. In the drop-down list, click the NAT pool that you created.
  6. Click OK.
  7. In the SGMI, on the toolbar click Activate.
    When you are asked to save your changes, click Yes.


Create an inbound address transform
The inbound address transform forces your security gateway to pass the original IP address of the external client computer or VPN endpoint. Without an inbound address transform, all of the incoming VPN connections would appear to originate from your security gateway.

To create the inbound address transform
  1. In the left pane of the SGMI, under Assets, click Network.
  2. In the right pane on the Address Transforms tab, click New Address Transform.
  3. In the Properties dialog box, on the General tab, configure the following:
    Property                        Value
    Name                            Type a unique name for the transform
    For connections coming in via   Click the external network interface
    From source                     Click Universe* or a network entity that represents the VPN clients
    Coming out via                  Click the network interface of your service network
    Destined for                    Click the network entity for the real IP address of your VPN endpoint
  4. On the Source Address Transform tab, click Use Original Source Address.
  5. Click OK.
  6. In the SGMI, on the toolbar click Activate.
    When you are asked to save your changes, click Yes.

Create a rule to permit VPN traffic
You must create a rule to pass the VPN protocols that your tunnel uses.

To create a rule to permit VPN traffic through your security gateway
  1. In the left pane of the SGMI, under Policy, click Firewall.
  2. In the right pane, on the Rules tab, click New Rule.
  3. In the Properties window, on the General tab, configure the following properties:
    Property            Value
    Name                Type a unique name for the rule
    Enable              Checked
    Arriving Through    Click the external network interface
    Source              Click Universe*, or click the network entity for your VPN clients
    Destination         Click the network entity for your VPN endpoint
    Service Group       Click the service group that contains your VPN protocols
  4. Click OK.
  5. In the SGMI, on the toolbar click Activate.
    When you are asked to save your changes, click Yes.

You can now connect VPN tunnels to your internal VPN endpoint.
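As an added illustration that is not part of the Symantec article, the following Python model walks one VPN packet in each direction through the four objects the procedure creates (entities, static NAT pool, the two address transforms and the rule), using constructed sample addresses. It shows why the inbound transform must keep the original source address: without it the concentrator sees every client as the gateway's external address, so it cannot restrict or log individual clients. All addresses and the VPN service names are assumptions.

```python
from dataclasses import dataclass

# Constructed sample addresses (not from the article): the endpoint's real
# address on a private service network, its public address from the static
# one-to-one NAT pool, the gateway's external address, and one VPN client.
VPN_REAL = "10.10.10.5"
VPN_PUBLIC = "203.0.113.5"
GATEWAY_EXT = "203.0.113.1"
CLIENT = "198.51.100.77"
VPN_SERVICES = {"ESP", "UDP/500"}  # assumed service group for an IPSec tunnel

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    service: str

class Gateway:
    """Toy model of the NAT pool, both address transforms and the rule."""
    def __init__(self, real, public, keep_inbound_source, clients=None):
        self.real, self.public = real, public  # equal when the service net is routable
        self.keep_inbound_source = keep_inbound_source  # "Use Original Source Address"
        self.clients = None if clients is None else set(clients)  # None == Universe

    def inbound(self, pkt):
        """External -> service network; returns the delivered packet or None."""
        # The rule: Source = clients or Universe, Destination = endpoint, Service = VPN group.
        if pkt.dst != self.public or pkt.service not in VPN_SERVICES:
            return None
        if self.clients is not None and pkt.src not in self.clients:
            return None
        # Inbound transform: the destination becomes the real address; the client's
        # source survives only if the transform keeps the original source address.
        src = pkt.src if self.keep_inbound_source else GATEWAY_EXT
        return Packet(src, self.real, pkt.service)

    def outbound(self, pkt):
        """Service network -> external: the endpoint leaves with its NAT pool address."""
        return Packet(self.public, pkt.dst, pkt.service) if pkt.src == self.real else None

def source_seen_by_endpoint(keep_inbound_source):
    gw = Gateway(VPN_REAL, VPN_PUBLIC, keep_inbound_source)
    return gw.inbound(Packet(CLIENT, VPN_PUBLIC, "ESP")).src

def reply_source_seen_by_client():
    gw = Gateway(VPN_REAL, VPN_PUBLIC, True)
    return gw.outbound(Packet(VPN_REAL, CLIENT, "ESP")).src

def is_permitted(src, service, clients=None):
    gw = Gateway(VPN_REAL, VPN_PUBLIC, True, clients)
    return gw.inbound(Packet(src, VPN_PUBLIC, service)) is not None
```

Running `source_seen_by_endpoint(False)` returns the gateway's own external address, which is the symptom the inbound transform exists to prevent.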

Legacy ID: 2006031509182854