User's Manual Part 4

VPN Page 31
Apply NAT and Firewall Rules - This feature allows a remote site’s LAN subnet to be hidden from the corporate site, and is most useful when a remote office’s network traffic is initiated to the corporate office. The IPSec tunnel is located between the SonicWALL WAN interface and the LAN segment of the corporation. To protect the traffic, NAT (Network Address Translation) is performed on the outbound packet before it is sent through the tunnel, and in turn, NAT is performed on inbound packets when they are received. By using NAT for a VPN connection, computers on the remote LAN are viewed as one address (the SonicWALL public address) from the corporate LAN. If the SonicWALL uses the Transparent Mode network configuration, selecting this check box applies the firewall access rules and checks for attacks, but does not apply NAT.
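The following is an added illustration, not SonicWALL code and not taken from the manual: a small Python model of source NAT applied at the remote site before packets enter the tunnel, and the reverse translation on the way back. The public address, the remote LAN prefix, the port range and the packet values are all constructed sample values. It shows why the corporate LAN only ever sees the single public address, and why unsolicited inbound traffic to individual remote hosts has no binding and is dropped, which is the reason the option suits traffic initiated from the remote office.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
import itertools


@dataclass(frozen=True)
class Packet:
    """Constructed packet header; the protocol field is omitted for brevity."""
    src: str
    sport: int
    dst: str
    dport: int


class VpnNat:
    """Source NAT applied by the remote-site firewall before the packet enters
    the tunnel. Only hosts on the configured remote LAN are translated."""

    def __init__(self, public_ip, remote_lan, port_start=40000):
        self.public_ip = public_ip                 # assumed WAN address
        self.remote_lan = ip_network(remote_lan)   # assumed remote LAN prefix
        self._next_port = itertools.count(port_start)
        self.bindings = {}   # (private_ip, private_port) -> public_port
        self.reverse = {}    # public_port -> (private_ip, private_port)

    def outbound(self, pkt):
        """Rewrite the source to the public address, allocating a port binding
        on first use so replies can be matched back to the originating host."""
        if ip_address(pkt.src) not in self.remote_lan:
            raise ValueError(f"{pkt.src} is not on the remote LAN")
        key = (pkt.src, pkt.sport)
        if key not in self.bindings:
            port = next(self._next_port)
            self.bindings[key] = port
            self.reverse[port] = key
        return Packet(self.public_ip, self.bindings[key], pkt.dst, pkt.dport)

    def inbound(self, pkt):
        """Packet returning through the tunnel: map the public port back to the
        private host, or return None (drop) when no binding exists."""
        if pkt.dst != self.public_ip:
            return None
        binding = self.reverse.get(pkt.dport)
        if binding is None:
            return None
        private_ip, private_port = binding
        return Packet(pkt.src, pkt.sport, private_ip, private_port)


def corporate_view(nat, packets):
    """Set of source addresses the corporate LAN sees after translation."""
    return {nat.outbound(p).src for p in packets}


if __name__ == "__main__":
    nat = VpnNat("203.0.113.10", "192.168.10.0/24")  # constructed values
    flows = [Packet("192.168.10.5", 51000, "10.0.0.20", 443),
             Packet("192.168.10.6", 51000, "10.0.0.20", 443)]
    print(corporate_view(nat, flows))
    print(nat.inbound(Packet("10.0.0.20", 443, "203.0.113.10", 40001)))
    print(nat.inbound(Packet("10.0.0.20", 443, "203.0.113.10", 9999)))
```

The binding table is keyed on the private address and port, so two remote hosts using the same source port receive distinct public ports and their replies are demultiplexed correctly; a reply whose destination port has no binding is discarded rather than forwarded into the remote LAN.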
Forward Packets to Remote VPNs - allows the remote VPN tunnel to participate in the SonicWALL routing table. Inbound traffic is decrypted and can be forwarded to a remote site via another VPN tunnel. Normally, inbound traffic is decrypted and only forwarded to the SonicWALL LAN or a specific route on the LAN configured on the Routing page located in the Network section. Enabling this feature allows a network administrator to create a “hub and spoke” network configuration by forwarding inbound traffic to a remote site via a VPN security association. To create a “hub and spoke” network, select the Forward Packets to Remote VPNs check box. Traffic can travel from a branch office to a branch office via the corporate office.

Default LAN Gateway - used at a central site in conjunction with a remote site using the Route all Internet traffic through this SA check box. Default LAN Gateway allows the network administrator to specify the IP address of the default LAN route for incoming IPSec packets for this SA. Incoming packets are decoded by the SonicWALL and compared to static routes configured in the SonicWALL. Since packets can have any IP address destination, it is impossible to configure enough static routes to handle the traffic. For packets received via an IPSec tunnel, the SonicWALL looks up a route for the LAN. If no route is found, the SonicWALL checks for a Default LAN Gateway. If a Default LAN Gateway is detected, the packet is routed through the gateway. Otherwise, the packet is dropped.

VPN Terminated at the LAN, DMZ/OPT, or LAN/DMZ/OPT - Selecting this option allows you to terminate a VPN tunnel on a specific destination instead of allowing the VPN tunnel to terminate on the entire SonicWALL network. By terminating the VPN tunnel to a specific destination, the VPN tunnel has access to a specific portion of the destination LAN or DMZ/OPT network.

Require Authentication of VPN Clients via XAUTH - requires that all inbound traffic on this SA is from an authenticated user. Unauthenticated traffic is not allowed on the VPN tunnel.
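The decision sequence described for Forward Packets to Remote VPNs and Default LAN Gateway, as an added Python model (not SonicWALL code and not from the manual). The lookup order it implements is an assumption modelled on the text: directly attached LAN first, then the static routes from the Routing page with longest-prefix match, then other security associations (only when forwarding to remote VPNs is enabled, since that is what lets them participate in the routing table), then the Default LAN Gateway, and otherwise drop. The LAN prefix, route table, SA names and addresses are constructed sample values.

```python
from ipaddress import ip_address, ip_network


class VpnRouter:
    """Routing decision for a packet that has just been decrypted from an
    IPSec security association (SA) at the central (hub) site."""

    def __init__(self, lan, static_routes, remote_sas,
                 default_lan_gateway=None, forward_to_remote_vpns=False):
        self.lan = ip_network(lan)
        # static routes configured on the Routing page: (network, next hop)
        self.static_routes = [(ip_network(n), gw) for n, gw in static_routes]
        # other SAs and the remote networks behind them (assumed layout)
        self.remote_sas = {name: ip_network(n) for name, n in remote_sas.items()}
        self.default_lan_gateway = default_lan_gateway
        self.forward_to_remote_vpns = forward_to_remote_vpns

    def decide(self, dst, arriving_sa):
        """Return (action, target) for a decrypted packet to dst that arrived
        over arriving_sa. The ordering is an assumption, see the lead-in."""
        dst_ip = ip_address(dst)

        # 1. destination on the directly attached LAN
        if dst_ip in self.lan:
            return ("lan", None)

        # 2. longest-prefix match over the configured static routes
        best = None
        for net, gw in self.static_routes:
            if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, gw)
        if best is not None:
            return ("static", best[1])

        # 3. hub and spoke: other SAs take part in routing only when enabled;
        #    never hairpin a packet back out of the SA it arrived on
        if self.forward_to_remote_vpns:
            for name, net in self.remote_sas.items():
                if name != arriving_sa and dst_ip in net:
                    return ("vpn", name)

        # 4. no route found: use the Default LAN Gateway if one is configured
        if self.default_lan_gateway is not None:
            return ("default_gateway", self.default_lan_gateway)

        # 5. nothing matched, the packet is dropped
        return ("drop", "no route")


if __name__ == "__main__":
    hub = VpnRouter("10.0.0.0/24",
                    [("10.1.0.0/16", "10.0.0.254"), ("10.1.5.0/24", "10.0.0.253")],
                    {"branchA": "192.168.10.0/24", "branchB": "192.168.20.0/24"},
                    default_lan_gateway="10.0.0.1",
                    forward_to_remote_vpns=True)
    for dst in ("10.0.0.7", "10.1.5.9", "10.1.9.9", "192.168.20.3", "172.16.0.1"):
        print(dst, "->", hub.decide(dst, "branchA"))
```

With forwarding disabled and no Default LAN Gateway, the same branch-to-branch and Internet-bound destinations both end in a drop, which is the behaviour the manual describes for a hub that has neither option set.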
Client
10. Click on the Client tab and select any of the following boxes that you want to apply to Global VPN
Client provisioning:
Cache XAUTH User Name and Password - Allows Global VPN Client to cache any username and password required for XAUTH user authentication. The drop-down list provides the following options:

Never - Global VPN Client is not allowed to cache the username and password. The user will be prompted for a username and password when the connection is enabled and also every time there is an IKE phase 1 rekey.

Single Session - The user will be prompted for a username and password each time the connection is enabled, and they remain valid until the connection is disabled. This username and password are used through IKE phase 1 rekey.

Always - The user will be prompted for a username and password only once, when the connection is enabled. When prompted, the user will be given the option of caching the username and password.
Client Connections
Allow Traffic to - Specifies single or multiple VPN connections. The drop-down list provides the following options: