HP SA3110, SA3150, SA3400, SA3450 Network Layout Reference Guide

Hewlett-Packard VPN Server Appliance SA3110/SA3150/SA3400/SA3450 Network Layout Reference Guide
Hewlett-Packard Company
HP: 5971-0873
P/N: A55307-001
March 2001
Disclaimer
Information in this document is provided in connection with Hewlett-Packard Company products. No license, express or implied, by estoppel or otherwise, to any intellectual property rights is granted by this document. Except as provided in Hewlett-Packard Company’s Terms and Conditions of Sale for such products, Hewlett-Packard Company assumes no liability whatsoever, and Hewlett-Packard Company disclaims any express or implied warranty, relating to sale and/or use of Hewlett-Packard Company products including liability or warranties relating to fitness for a particular purpose, merchantability, or infringement of any patent, copyright or other intellectual property right. Hewlett-Packard Company products are not intended for use in medical, life saving, or life sustaining applications.
Hewlett-Packard Company may make changes to specifications and product descriptions at any time, without notice.
This Hewlett-Packard VPN Server Appliance SA3110/SA3150/SA3400/SA3450 Network Layout Reference Guide, as well as the software described in it, is furnished under license and may only be used or copied in accordance with the terms of the license. The information in this manual is furnished for informational use only, is subject to change without notice, and should not be construed as a commitment by Hewlett-Packard Company. Hewlett-Packard Company assumes no responsibility or liability for any errors or inaccuracies that may appear in this document or any software that may be provided in association with this document.
Except as permitted by such license, no part of this document may be reproduced, stored in a retrieval system, or transmitted in any form or by any means without the express written consent of Hewlett-Packard Company.
Copyright © Hewlett-Packard Company 2001.
Contents
HP VPN Server Appliance SA3110/SA3150/SA3400/SA3450 Network Layout Reference Guide
Network Layout Reference Guide . . . 1
  Client Scenarios . . . 1
  LAN-to-LAN Scenarios . . . 1
Client Scenarios . . . 2
  One-Armed Router Configuration With No Firewall . . . 2
  Inline Router Configuration . . . 3
  In Parallel With Firewall (Extranet or Intranet) . . . 5
  Bridge Configuration . . . 7
  Edge Router Configuration . . . 9
  Behind a Firewall With or Without NAT (One-Armed) . . . 11
  Behind a Firewall With or Without NAT (Inline) . . . 13
  The VPN Device as a Firewall . . . 15
LAN-to-LAN Scenarios . . . 18
  In Parallel With a Firewall (Without NAT) . . . 18
  In Parallel With a Firewall (With NAT) . . . 19
  Behind a Firewall (One-Armed) With or Without NAT . . . 21
  Behind a Firewall That May or May Not Use NAT (Inline) . . . 24
  The VPN Device as a Firewall (With or Without NAT) . . . 27
Network Layout Reference Guide
The purpose of this Network Layout Reference Guide is to help you install the HP VPN Server Appliance SA3110/SA3150/SA3400/SA3450 in your network. The term VPN device is used in this document to refer to all of these devices.
Here are some real-world examples of how the VPN device can be incorporated into your network infrastructure. Skim through the following scenarios and find the ones most similar to your network configuration. Then, note the corresponding configuration options to help you quickly install the VPN device into your network.
Scenarios are divided into client and LAN-to-LAN.
Client Scenarios
- One-armed router configuration (VPN server) with no firewall
- Inline router configuration
- In parallel with firewall (for extranet or intranet)
- Bridge configuration
- Edge router configuration
- Behind a firewall (one-armed) that may or may not use network address translation (NAT)
- Behind a firewall (inline) that may or may not use NAT
- VPN device as a firewall
LAN-to-LAN Scenarios
- In parallel with a firewall and no NAT
- In parallel with a firewall with NAT
- Behind a firewall (one-armed) that may or may not use NAT
- Behind a firewall (inline) that may or may not use NAT
- VPN device as a firewall (may or may not use NAT)
Client Scenarios
If you are using the VPN device with the HP SA3000 Series VPN Client, skim the following scenarios and find the ones most similar to your network configuration. Then, use the corresponding table of configuration parameters as a guideline when configuring your VPN device and VPN Client.
If you are using the VPN device in LAN-to-LAN configurations, skip to the next section “LAN-to-LAN Scenarios.”
One-Armed Router Configuration With No Firewall
This scenario shows the following:
- One-armed configuration uses only one of the VPN device’s two interfaces.
- Firewall is not enabled.
- The VPN device (VPND) acts as a VPN server.
Figure: One-Armed Configuration With No Firewall (diagram labels: Internet Connection, VPN Client, Direct Dial, Internet, PSTN, Router, Router or Remote Access Server, VPND in Router Mode with No Firewall Functions, interface E0, Internal Network, Desktop System, Laser Printer)
Configuring a One-Armed Router Configuration
When setting up a VPN device, you must configure many global configuration settings. You configure the VPN device through the HP SA3000 Series VPN Manager or command shell.
To set up a one-armed router configuration, use the configuration parameters in the following table. Note that the values of these parameters are examples only; you must enter values specific to your network.
Table: One-Armed Router Configuration Parameters

NAT by Router
  Interface E0: IP: 10.250.128.2 255.255.255.0, Mode: Red
  Interface E1: (not used for one-armed) IP: NA, Mode: NA
  Configuration file entries/routing info:
    security profile remote user
    remote tunnel johndoe security-profile remote user client-ip 10.250.128.2 255.255.255.255
  HP SA3000 Series VPN Client: IP: 10.250.128.3; Subnet: 10.250.128.0 (net-include); ISP IP: 209.29.128.50

No NAT
  Interface E0: IP: 205.25.128.2 255.255.255.0, Mode: Red
  Interface E1: (not used for one-armed) IP: NA, Mode: NA
  Configuration file entries/routing info:
    security profile remote user
    remote tunnel johndoe security-profile remote user
    ip route 209.29.128.50 255.255.255.255 johndoe
  HP SA3000 Series VPN Client: IP: Uses ISP IP (no client IP); Subnet: 205.25.128.0 (net-include); ISP IP: 209.29.128.50
Inline Router Configuration
In this scenario, VPN Client traffic is handled either through a router (inline) or by directly dialing into the public-switched telephone network (PSTN).
For inline router configurations:
— The router accepts all incoming client traffic, then transfers the traffic to the VPN device.
— The VPN device then transfers the traffic on to the local network to which it is attached. The VPN device may or may not perform firewall functions on the traffic.
For direct dial into the PSTN:
— Traffic may go through a router or remote access server, which may or may not perform NAT.
— The traffic then goes through the VPN device, which may or may not perform firewall functions on the traffic.
Figure: Inline Router Configuration (diagram labels: Internet Connection, VPN Client, Direct Dial, Internet, PSTN, Router, Router or Remote Access Server (May/May Not NAT), VPND in Router Mode With/Without Firewall Functions, interfaces E1 and E0, Internal Network, Desktop System, Laser Printer, File Server)
Configuring an Inline Router Configuration
When setting up a VPN device, you must configure many global configuration settings. You configure the VPN device through the VPN Manager or command shell.
To set up an inline router configuration, use the configuration parameters in the following table. Note that the values of these parameters are examples only; you must enter values specific to your network.
Table: Inline Router Configuration Parameters

NAT by Router
  Interface E0: IP: 10.250.128.2 255.255.255.0, Mode: Red
  Interface E1: IP: 192.168.10.2 255.255.255.0, Mode: Red
  Configuration file entries/routing info:
    security profile remote user
    remote tunnel johndoe security-profile remote user client-ip 10.250.128.3 255.255.255.255
  VPN Client: IP: 10.250.128.3; Subnet: 10.250.128.0 (net-include); ISP IP: 209.29.128.50

No NAT
  Interface E0: IP: 205.25.128.2 255.255.255.0, Mode: Red
  Interface E1: IP: 210.35.129.2 255.255.255.0, Mode: Red
  Configuration file entries/routing info:
    security profile remote user
    remote tunnel johndoe security-profile remote user
    ip route 209.29.128.50 255.255.255.255 johndoe
  VPN Client: IP: Uses ISP IP (no client IP); Subnet: 205.25.128.0 (net-include); ISP IP: 209.29.128.50
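The two parameter tables above (one-armed and inline) follow one pattern: behind a NAT router the client gets a private client-ip inside the net-include subnet, and without NAT the client keeps its ISP address and the device needs a host route for it through the remote tunnel. The following Python check, added here and not part of the HP guide or its configuration syntax, encodes those rules and runs them over the printed values; it assumes /24 masks as in the interface entries and treats net-include as the E0 subnet.

```python
import ipaddress

# Parameter sets constructed from the tables above (not the appliance's
# own configuration file format). Masks are assumed /24 throughout.
INLINE_NAT_BY_ROUTER = dict(
    nat_by_router=True, e0="10.250.128.2/24", net_include="10.250.128.0/24",
    client_ip="10.250.128.3", isp_ip="209.29.128.50", routes=[])
INLINE_NO_NAT = dict(
    nat_by_router=False, e0="205.25.128.2/24", net_include="205.25.128.0/24",
    client_ip=None, isp_ip="209.29.128.50",
    routes=[("209.29.128.50/32", "johndoe")])
# The one-armed NAT-by-router column as printed: client-ip 10.250.128.2,
# which is the same address the table gives interface E0.
ONE_ARMED_NAT_AS_PRINTED = dict(
    nat_by_router=True, e0="10.250.128.2/24", net_include="10.250.128.0/24",
    client_ip="10.250.128.2", isp_ip="209.29.128.50", routes=[])


def check_layout(nat_by_router, e0, net_include, client_ip, isp_ip, routes):
    """Return a list of findings; an empty list means the column is consistent."""
    findings = []
    e0_if = ipaddress.ip_interface(e0)
    net = ipaddress.ip_network(net_include)
    if e0_if.network != net:
        findings.append("net-include does not match the E0 subnet")
    if nat_by_router:
        # Behind a NAT router the device lives in private space and the
        # client needs its own private client-ip inside the net-include subnet.
        if client_ip is None:
            findings.append("NAT by router requires a client-ip")
        else:
            cip = ipaddress.ip_address(client_ip)
            if cip not in net:
                findings.append(f"client-ip {cip} is outside {net}")
            if cip == e0_if.ip:
                findings.append(f"client-ip {cip} collides with interface E0")
    else:
        # Without NAT the client keeps its ISP address: no client-ip, E0 must
        # be publicly reachable, and a /32 route for the ISP address must
        # point into the remote tunnel.
        if client_ip is not None:
            findings.append("no NAT: client uses its ISP IP, client-ip must be unset")
        if e0_if.ip.is_private:
            findings.append(f"E0 {e0_if.ip} is private but no NAT is in front of it")
        want = ipaddress.ip_network(f"{isp_ip}/32")
        if not any(ipaddress.ip_network(dst) == want for dst, _tunnel in routes):
            findings.append(f"missing host route {want} via the remote tunnel")
    return findings
```

Both inline columns pass cleanly, while the one-armed NAT-by-router column as printed is reported for the client-ip/E0 overlap.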
In Parallel With Firewall (Extranet or Intranet)
In this scenario, VPN Client traffic is handled either through a router (inline) or by directly dialing in to the PSTN. In addition, there is a third-party firewall on the network handling firewall functionality.
For inline router configurations:
— The router accepts all incoming client traffic, then transfers the traffic to the VPN device.
— The VPN device then transfers the traffic to the local network to which it is attached.
— The VPN device is in router mode and does not perform firewall functions.
— Traffic is then handed to the third-party firewall, which performs firewall functions before handing the traffic onto the local network.
For direct dial into the PSTN:
— Traffic may go through a router or remote access server, which may or may not perform NAT.
— The traffic then goes through the VPN device (VPND), which passes the traffic to the local network.
— The third-party firewall then performs firewall functions on the traffic before passing it to the local network.
Figure: In Parallel With Firewall (diagram labels: Internet Connection, VPN Client, Direct Dial, Internet, Router, PSTN, Remote Access Server (May/May Not NAT), VPND in Router Mode with interfaces E1 and E0, Firewall, Internal Network A, Internal Network B (directly connected to Internet), Desktop System, Laser Printer, File Server)
Configuring an In Parallel With Firewall Configuration
When setting up a VPN device, you must configure many global configuration settings. You configure the VPN device through the VPN Manager or command shell.
To set up an in parallel with firewall configuration, use the configuration parameters in the following table. Note that the values of these parameters are examples only; you must enter values specific to your network.