Example VPN configuration 2: define a site for the external VPN gateway

The External VPN Gateway element needs a Site element.

Before you begin

You must have created an External VPN Gateway element for configuration 2. The External VPN Gateway Properties dialog box should still be open.

For more details about the product and how to configure features, click Help or press F1.

Steps

  1. On the Sites tab of the External VPN Gateway Properties dialog box, double-click the new Site element on the right.
  2. (Optional) In the Name field, enter a descriptive name for the site.
  3. Select or create the elements that represent the protected IP addresses behind the Gateway in the left pane, then click Add to include them.
    The internal IP address used as the source or destination address must be included in the site of the Gateway. Other traffic cannot use the VPN.
  4. Click OK in both open dialog boxes.

Next steps

Create a VPN Profile element.

VPN Site Properties dialog box

Use this dialog box to view or edit the properties of a VPN site.

Option | Definition
General tab
Name | The name of the element.
Comment | An optional comment for your own reference.
Search | Opens a search field for the selected element list.
Up (Backspace) | Returns to the previous folder.
New | This option is not available in this dialog box.
Tools |
  • Show Deleted Elements — Shows elements that have been moved to the Trash.
  • Expand All — Expands all levels of the interface tree.
  • Collapse All — Collapses all levels of the interface tree.
  • Refresh View — Updates the view.
VPN References tab
VPN | Shows the VPNs where this site is used.
Enable | When selected, the site is enabled in the specified VPN.
Mode | Defines the mode for the Site for each VPN in which it is enabled.
  • Normal — Use this mode for all active Site elements that do not require one of the other two modes.
  • Private — (VPN Gateways on NGFW Engines only) Use this mode for the local untranslated addresses when addresses are translated using NAT in the VPN. You must include the translated IP addresses (the addresses that the other end sees) as a Normal-mode Site element in these types of VPNs. If NAT is disabled in the VPN, any Sites in the Private mode are ignored.
  • Hub — Use this mode on a hub gateway in tunnel-to-tunnel forwarding. Hub mode Sites contain the IP addresses of the networks that are behind the remote spoke gateways (the networks between which the hub gateway forwards traffic). The automatically generated Site cannot be used as a Hub Site.
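A pre-deployment check of a planned site layout against two rules stated above: the address used as source or destination must be in a site of the Gateway, and Private-mode sites are ignored when NAT is disabled. This is an added example, not product code or an SMC export format. The dict layout, site names, and addresses are constructed, matching only enabled Normal-mode sites is a simplifying assumption, and Hub mode is not modelled.

```python
import ipaddress

# Constructed sample: Site elements of one gateway in one VPN.
# Names, addresses, and the dict layout are hypothetical, not an SMC export format.
SITES = [
    {"name": "branch-lan", "mode": "Normal", "enabled": True,
     "networks": ["192.168.10.0/24", "192.168.20.0/24"]},
    {"name": "branch-untranslated", "mode": "Private", "enabled": True,
     "networks": ["10.50.0.0/16"]},
    {"name": "old-lab", "mode": "Normal", "enabled": False,
     "networks": ["172.16.5.0/24"]},
]

def normal_networks(sites):
    """Networks in enabled Normal-mode sites (assumption: only these are matched)."""
    return [ipaddress.ip_network(n)
            for s in sites if s["enabled"] and s["mode"] == "Normal"
            for n in s["networks"]]

def uncovered(addresses, sites):
    """Return the planned addresses that no enabled Normal-mode site contains."""
    nets = normal_networks(sites)
    return [a for a in addresses
            if not any(ipaddress.ip_address(a) in net for net in nets)]

def mode_findings(sites, nat_enabled):
    """Flag Private-mode sites that conflict with the VPN's NAT setting."""
    private = [s for s in sites if s["enabled"] and s["mode"] == "Private"]
    findings = []
    if not nat_enabled:
        # Stated on this page: Private-mode sites are ignored when NAT is disabled.
        findings += [f"{s['name']}: Private-mode site is ignored, NAT is disabled"
                     for s in private]
    elif private and not normal_networks(sites):
        # Stated on this page: translated addresses need a Normal-mode site.
        findings.append("Private-mode site has no Normal-mode site "
                        "for the translated addresses")
    return findings

if __name__ == "__main__":
    planned = ["192.168.10.7", "172.16.5.9", "10.50.1.1"]  # constructed flows
    print("not covered:", uncovered(planned, SITES))
    print("NAT off:", mode_findings(SITES, nat_enabled=False))
```

Addresses reported as not covered would be unable to use the VPN until a site containing them is added and enabled.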