HP Sa3110 HP VPN Server Appliance sa3110/sa3150/sa3400/sa3450 Network Layout R
HP Sa3110 - VPN Server Appliance Manual
HP Sa3110 manual content summary:
- HP Sa3110 | HP VPN Server Appliance sa3110/sa3150/sa3400/sa3450 Network Layout R - Page 1
hewlett-packard vpn server appliance sa3110/sa3150/sa3400/sa3450 network layout reference guide Hewlett-Packard Company HP: 5971-0873 P/N: A55307-001 March 2001
- HP Sa3110 | HP VPN Server Appliance sa3110/sa3150/sa3400/sa3450 Network Layout R - Page 2
ii
- HP Sa3110 | HP VPN Server Appliance sa3110/sa3150/sa3400/sa3450 Network Layout R - Page 3
. This Hewlett-Packard VPN Server Appliance SA3110/SA3150/SA3400/SA3450 Network Layout Reference Guide, as well as the software described in it is furnished under license and may only be used or copied in accordance with the terms of the license. The information in this manual is furnished for
- HP Sa3110 | HP VPN Server Appliance sa3110/sa3150/sa3400/sa3450 Network Layout R - Page 4
iv
- HP Sa3110 | HP VPN Server Appliance sa3110/sa3150/sa3400/sa3450 Network Layout R - Page 5
Contents HP VPN Server Appliance SA3110/SA3150/SA3400/SA3450 Network Layout Reference Guide Network Layout Reference Guide 1 Client Scenarios 1 LAN-to-LAN Scenarios 1 Client Scenarios 2 One-Armed Router Configuration With No Firewall 2 Inline Router Configuration 3 In Parallel With Firewall (
- HP Sa3110 | HP VPN Server Appliance sa3110/sa3150/sa3400/sa3450 Network Layout R - Page 6
HP VPN Server Appliance SA3110/SA3150/SA3400/SA3450 Network Layout Reference Guide 1 Network Layout Reference Guide The purpose of this Network Layout Reference Guide is to help you install the HP VPN Server Appliance SA3110/SA3150/SA3400/SA3450 in your network. The term VPN device is used in
- HP Sa3110 | HP VPN Server Appliance sa3110/sa3150/sa3400/sa3450 Network Layout R - Page 7
Client Scenarios If you are using the VPN device with the HP SA3000 Series VPN Client, skim the following scenarios and find the ones most similar to your network configuration. Then, use the corresponding table of
- HP Sa3110 | HP VPN Server Appliance sa3110/sa3150/sa3400/sa3450 Network Layout R - Page 8
profile remote user ip route 209.29.128.50 255.255.255.255 john doe HP SA3000 Series VPN Client VPN Client IP: Uses ISP IP (no IP: 10.250.128.3 client IP) transfers the traffic to the VPN device. Hewlett-Packard VPN Server Appliance SA3110/SA3150/SA3400/SA3450 Network Layout Reference Guide 3
- HP Sa3110 | HP VPN Server Appliance sa3110/sa3150/sa3400/sa3450 Network Layout R - Page 9
- The VPN device then transfers the traffic on to the local network to which it is attached. The VPN device may or may not perform firewall functions on the traffic. • For direct dial into the PSTN: - Traffic may go
- HP Sa3110 | HP VPN Server Appliance sa3110/sa3150/sa3400/sa3450 Network Layout R - Page 10
scenario, VPN Client VPN device. - The VPN device then transfers the traffic to the local network to which it is attached. - The VPN device is in router mode and does not perform firewall functions.
- HP Sa3110 | HP VPN Server Appliance sa3110/sa3150/sa3400/sa3450 Network Layout R - Page 11
- Traffic is then handed to the third-party Access Server VPND Router Mode Laser Printer File Server Figure: In Parallel With Firewall Configuring an In Parallel With Firewall Configuration When setting up a VPN
- HP Sa3110 | HP VPN Server Appliance sa3110/sa3150/sa3400/sa3450 Network Layout R - Page 12
it is attached. - The VPN device may or may not perform firewall functions on the traffic. - The bridge is installed on the internal side of the network with minimal changes to the network topology.
- HP Sa3110 | HP VPN Server Appliance sa3110/sa3150/sa3400/sa3450 Network Layout R - Page 13
• For direct dial into the PSTN: - Traffic may go through a router or remote access server, which may or may not perform network address translation. - The traffic then goes through the VPN device, which is set to
- HP Sa3110 | HP VPN Server Appliance sa3110/sa3150/sa3400/sa3450 Network Layout R - Page 14
to router mode. • The VPN device may or may not perform firewall functions on the traffic. • The VPN Client has no means to perform direct dial to the local network; it must go through a VPN tunnel.
- HP Sa3110 | HP VPN Server Appliance sa3110/sa3150/sa3400/sa3450 Network Layout R - Page 15
Internet Connection VPN Client Internet Internal Network Router Mode E1 E0 VPND With/Without Firewall Functions Desktop System Laser Printer Router or Remote Access Server No Direct Dial File Server Figure:
- HP Sa3110 | HP VPN Server Appliance sa3110/sa3150/sa3400/sa3450 Network Layout R - Page 16
third-party firewall performs firewall functionality on the traffic before passing it to the VPN device. - The VPN device then decrypts the encrypted VPN traffic and passes it to the local network.
- HP Sa3110 | HP VPN Server Appliance sa3110/sa3150/sa3400/sa3450 Network Layout R - Page 17
Internal Network A Internal Network B (directly connected to Internet) Desktop System Internet Connection Internet Router May/May Not NAT May/May Not NAT Desktop System Firewall
- HP Sa3110 | HP VPN Server Appliance sa3110/sa3150/sa3400/sa3450 Network Layout R - Page 18
decrypts the encrypted VPN traffic and passes it to the local network. • For direct dial into the PSTN: - Traffic may go through a router or remote access server, which may or may not perform NAT.
- HP Sa3110 | HP VPN Server Appliance sa3110/sa3150/sa3400/sa3450 Network Layout R - Page 19
- The traffic then goes through the third-party firewall, which also may or may not perform NAT before being handed to the VPN device. - The VPN device then decrypts the encrypted VPN traffic and passes it to the
- HP Sa3110 | HP VPN Server Appliance sa3110/sa3150/sa3400/sa3450 Network Layout R - Page 20
: - The router accepts all incoming client traffic, then transfers the traffic to the VPN device. - The third-party firewall may or may not perform NAT before passing the traffic to the VPN device.
- HP Sa3110 | HP VPN Server Appliance sa3110/sa3150/sa3400/sa3450 Network Layout R - Page 21
- The VPN device then performs firewall functionality on the traffic and passes it to the local network. - The VPN device may or may not perform NAT. • For direct dial into the PSTN: - Traffic may go through a router
- HP Sa3110 | HP VPN Server Appliance sa3110/sa3150/sa3400/sa3450 Network Layout R - Page 22
.255 johndoe VPN Client IP: 10.250.128.3 VPN Client IP: Uses ISP IP (no client IP) Subnet: 10.250.128.0 (netinclude) Subnet: 205.25.128.0 (net-include) ISP IP: 209.29.128.50 ISP IP: 209.29.128.50
- HP Sa3110 | HP VPN Server Appliance sa3110/sa3150/sa3400/sa3450 Network Layout R - Page 23
LAN-to-LAN Scenarios In Parallel With a Firewall (Without NAT) This scenario shows the following: • A LAN-to-LAN connection between two VPN devices with no NAT. • Each VPN device is attached to a router. The routers
- HP Sa3110 | HP VPN Server Appliance sa3110/sa3150/sa3400/sa3450 Network Layout R - Page 24
Each VPN device is attached to a router. The routers connect through the Internet and perform NAT. • Traffic travels from one local network, through the LAN-to-LAN connection, to the other local network.
- HP Sa3110 | HP VPN Server Appliance sa3110/sa3150/sa3400/sa3450 Network Layout R - Page 25
• Traffic passes through the VPN device, which is in router mode. • The VPN device passes the VPN traffic to the third-party firewall (in parallel with the VPN Mode Laser Printer Laser Printer File Server Figure: In
- HP Sa3110 | HP VPN Server Appliance sa3110/sa3150/sa3400/sa3450 Network Layout R - Page 26
, then passes the traffic to the VPN device. • The VPN device decrypts the encrypted VPN traffic and passes it to the local network. Note: You must add a route to the firewall for the network that
- HP Sa3110 | HP VPN Server Appliance sa3110/sa3150/sa3400/sa3450 Network Layout R - Page 27
is in front of VPN device B (which routes to the VPN device B NAT Firewall E0 Desktop System VPND B Router Mode Laser Printer Laser Printer File Server Figure: Behind a Firewall (One-Armed) Configuring a Behind
- HP Sa3110 | HP VPN Server Appliance sa3110/sa3150/sa3400/sa3450 Network Layout R - Page 28
parameters in the following table. Note that the values of these parameters are examples only; you must enter values specific to your network.
- HP Sa3110 | HP VPN Server Appliance sa3110/sa3150/sa3400/sa3450 Network Layout R - Page 29
Table: Behind a Firewall Without NAT VPN Device A (No NAT) VPN Device B (No NAT) Interface E0: Interface E0: IP: 205.25.128.2 255.255.255.0 IP: 205.25.135.2 255.255.255.0 Mode: Red Mode: Red
- HP Sa3110 | HP VPN Server Appliance sa3110/sa3150/sa3400/sa3450 Network Layout R - Page 30
System VPND B Internal Network (directly connected to Internet) Router Mode Laser Printer File Server Figure: Behind a Firewall That May or May Not Use NAT (Inline) specific to your network.
- HP Sa3110 | HP VPN Server Appliance sa3110/sa3150/sa3400/sa3450 Network Layout R - Page 31
Table: Behind a Firewall With NAT (Inline) Configuration Parameters VPN Device A (NAT by Router) VPN Device B (NAT by Router) Interface E0: Interface E0: IP: 10.250.128.2 255.255.255.0 IP: 10.250.128.2 255.255.
- HP Sa3110 | HP VPN Server Appliance sa3110/sa3150/sa3400/sa3450 Network Layout R - Page 32
through the VPN device. • The VPN device performs firewall functionality on the traffic and may or may not use NAT. • The VPN device B decrypts the VPN traffic before passing it to the local network.
- HP Sa3110 | HP VPN Server Appliance sa3110/sa3150/sa3400/sa3450 Network Layout R - Page 33
Desktop System Desktop System File Server E0 E1 Desktop System Laser Printer Laser Printer File Server Figure: VPN Device as a Firewall Configuring the VPN Device as a Firewall When setting up a VPN device,
- HP Sa3110 | HP VPN Server Appliance sa3110/sa3150/sa3400/sa3450 Network Layout R - Page 34
: Red Interface E1: Interface E1: IP: 210.35.129.2 255.255.255.0 IP: 210.35.129.2 255.255.255.0 Mode: Red Mode: Red
- HP Sa3110 | HP VPN Server Appliance sa3110/sa3150/sa3400/sa3450 Network Layout R - Page 35
VPN Device A (No NAT) Config file entries/routing info: security-profile site-to-site site-to-site tunnel SanFrancisco security-profile site-to-site route 209.
- HP Sa3110 | HP VPN Server Appliance sa3110/sa3150/sa3400/sa3450 Network Layout R - Page 36
firewall that may or may not use NAT (inline 24 in parallel with a firewall (with NAT). 19 in parallel with a firewall (without NAT) 18 VPN device as a firewall (with or without NAT 27 N NAT (network address translation 1 O one-armed router configuration with no firewall 2 P PSTN (public-switched