Chapter 14 IPSec VPN

Table 88 SECURITY > VPN > VPN Rules (IKE) > Edit Network Policy (continued)

LABEL

DESCRIPTION

Port Forwarding

If you are configuring a Many-to-Onerule, click this button to go to a screen

Rules

where you can configure port forwarding for your VPN tunnels. The VPN

 

network policy port forwarding rules let the ZyWALL forward traffic coming in

 

through the VPN tunnel to the appropriate IP address.

 

 

Type

Select One-to-Oneto translate a single (static) IP address on your LAN to a

 

single virtual IP address.

 

Select Many-to-Oneto translate a range of (static) IP addresses on your LAN

 

to a single virtual IP address. Many-to-one rules are for traffic going out from

 

your LAN, through the VPN tunnel, to the remote network. Use port forwarding

 

rules to allow incoming traffic from the remote network.

 

Select Many One-to-Oneto translate a range of (static) IP addresses on your

 

LAN to a range of virtual IP addresses.

 

 

Private Starting IP

Specify the IP addresses of the devices behind the ZyWALL that can use the

Address

VPN tunnel.

 

When you select One-to-Onein the Type field, enter the (static) IP address of a

 

computer on the LAN behind your ZyWALL.

 

When you select Many-to-Oneor Many One-to-Onein the Type field, enter

 

the beginning (static) IP address in a range of computers on the LAN behind

 

your ZyWALL.

 

 

Private Ending IP

When you select Many-to-Oneor Many One-to-Onein the Type field, enter

Address

the ending (static) IP address in a range of computers on the LAN behind your

 

ZyWALL.

 

 

Virtual Starting IP

Enter the (static) IP addresses that represent the translated private IP

Address

addresses. These must correspond to the remote IPSec router's configured

 

remote IP addresses.

 

When you select One-to-Oneor Many-to-Onein the Type field, enter an IP

 

address as the translated IP address. Many-to-one rules are only for traffic

 

going to the remote network. Use port forwarding rules to allow incoming traffic

 

from the remote network.

 

When you select Many One-to-Onein the Type field, enter the beginning IP

 

address of a range of translated IP addresses.

 

 

Virtual Ending IP

When you select Many One-to-Onein the Type field, enter the ending (static)

Address

IP address of a range of translated IP addresses.

 

The size of the private address range must be equal to the size of the translated

 

virtual address range.

 

 

Local Network

Specify the IP addresses of the devices behind the ZyWALL that can use the

 

VPN tunnel. The local IP addresses must correspond to the remote IPSec

 

router's configured remote IP addresses.

 

Two active SAs cannot have the local and remote IP address(es) both the

 

same. Two active SAs can have the same local or remote IP address, but not

 

both. You can configure multiple SAs between the same local and remote IP

 

addresses, as long as only one is active at any time.

 

 

Address Type

Use the drop-down list box to choose Single Address, Range Address, or

 

Subnet Address. Select Single Address for a single IP address. Select

 

Range Address for a specific range of IP addresses. Select Subnet Address

 

to specify IP addresses on a network by their subnet mask.

 

 

Starting IP Address

When the Address Type field is configured to Single Address, enter a (static)

 

IP address on the LAN behind your ZyWALL. When the Address Type field is

 

configured to Range Address, enter the beginning (static) IP address, in a

 

range of computers on the LAN behind your ZyWALL. When the Address Type

 

field is configured to Subnet Address, this is a (static) IP address on the LAN

 

behind your ZyWALL.

 

 

324

 

ZyWALL 2WG User’s Guide