HP VPN Server Appliance sa3110/sa3150/sa3400/sa3450 Network Layout Reference Guide

Client Scenarios
Behind a Firewall With or Without NAT (One-Armed)
In this scenario, VPN Client traffic is handled either through a
router (inline) or by directly dialing in to the PSTN. The traffic
passes through a third-party firewall before passing through the
VPN device.
For inline router configurations:
- The router accepts all incoming client traffic, then transfers the traffic to the third-party firewall.
- The third-party firewall performs firewall functionality on the traffic before passing it to the VPN device.
- The VPN device takes the encrypted traffic and decrypts it before passing it to the local network.
For direct dial into the PSTN:
- Traffic may go through a router or remote access server, which may or may not perform NAT.
- The traffic then goes through a third-party firewall. The third-party firewall performs firewall functionality on the traffic before passing it to the VPN device.
- The VPN device then decrypts the encrypted VPN traffic and passes it to the local network.
VPN Device (NAT by Router)
Configuration file entries/routing info:
    security profile remote user
    remote tunnel johndoe
    security-profile remote user
    client-ip 10.250.128.3 255.255.255.255
VPN Client IP: 10.250.128.3
Subnet: 10.250.128.0 (net-include)
ISP IP: 209.29.128.50

VPN Device (No NAT)
Configuration file entries/routing info:
    security profile remote user
    remote tunnel johndoe
    security-profile remote user
    ip route 209.29.128.50 255.255.255.255 johndoe
VPN Client IP: Uses ISP IP (no client IP)
Subnet: 205.25.128.0 (net-include)
ISP IP: 209.29.128.50