TMS zl Management and Configuration Guide ST.1.0.090213

7-126
Virtual Private Networks
Configure Firewall Access Policies for Your VPN
11. If the IPsec tunnel uses NAT-T (because NAT is performed on traffic somewhere between the remote endpoints and the module), you must create two access policies to allow the NAT-T traffic:
a. Verify that for User Group, None is selected.
b. For Action, accept the default: Permit Traffic.
c. For From, select the remote zone.
d. For To, select Self.
e. For Service, select ipsec-nat-t-udp.
f. For Source, specify Any Address.
If you know the public addresses of all of your remote endpoints, you could create a named object with those addresses and specify that object here.
g. For Destination, leave Any Address or specify the local gateway IP address.
h. Click Apply.
i. For From, select Self.
j. For To, select the remote zone.
k. For Service, select ipsec-nat-t-udp.
l. For Source, leave Any Address or specify the local gateway IP address.
m. For Destination, specify Any Address.
If you know the public addresses of all of your remote endpoints, you could create a named object with those addresses and specify that object here.
n. Click Apply.
12. Click Close.
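The two NAT-T access policies from step 11, as an added example that is not part of the guide: a small Python model of the policy pair that lets you check which traffic the pair admits before you commit it on the module, including the optional tightening of Source/Destination to a named object of known remote endpoints. It assumes the remote zone is named External, that ipsec-nat-t-udp means UDP port 4500 (RFC 3948 NAT-T encapsulation), that policies are evaluated first-match with unmatched traffic dropped, and that the named object remote-vpn-peers holds the constructed documentation range 203.0.113.0/24.

```python
import ipaddress
from dataclasses import dataclass

# Assumed meaning of the ipsec-nat-t-udp service: NAT-T carries IKE and ESP in UDP/4500.
IPSEC_NAT_T_UDP = ("udp", 4500)

# Named object constructed for this example: public addresses of the remote endpoints.
NAMED_OBJECTS = {
    "remote-vpn-peers": [ipaddress.ip_network("203.0.113.0/24")],
}


@dataclass(frozen=True)
class Policy:
    src_zone: str      # the "From" setting
    dst_zone: str      # the "To" setting
    service: tuple     # (protocol, port)
    src: str           # "Any Address" or a named object
    dst: str           # "Any Address" or a named object
    action: str = "permit"


def address_matches(spec, addr):
    """True if addr falls within the address spec (Any Address or a named object)."""
    if spec == "Any Address":
        return True
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in NAMED_OBJECTS[spec])


def evaluate(policies, src_zone, dst_zone, proto, port, src_ip, dst_ip):
    """First matching policy wins; anything unmatched is dropped (assumed default)."""
    for p in policies:
        if (p.src_zone, p.dst_zone, p.service) == (src_zone, dst_zone, (proto, port)) \
                and address_matches(p.src, src_ip) and address_matches(p.dst, dst_ip):
            return p.action
    return "drop"


# The policy pair from step 11 (remote zone -> Self, then Self -> remote zone),
# with the optional named-object restriction applied on the remote side.
NAT_T_POLICIES = [
    Policy("External", "Self", IPSEC_NAT_T_UDP, "remote-vpn-peers", "Any Address"),
    Policy("Self", "External", IPSEC_NAT_T_UDP, "Any Address", "remote-vpn-peers"),
]
```

Running evaluate() with a peer inside the named object in each direction returns "permit", while a UDP/4500 packet from an address outside the object, or any other service, falls through to "drop", which is the behaviour to confirm before relying on the tightened policy.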
Access Policies for a GRE Tunnel
Before you begin configuring firewall access policies, determine the zone on which traffic from the remote tunnel gateway arrives. This is the zone associated with the TMS VLAN on which the tunnel’s local IP address is configured. The instructions below will refer to this zone as the “remote zone.”
Also, determine the zone that you configured for the tunnel’s Firewall Zone Association setting. The instructions below will refer to this zone as the “tunnel zone.”