Manage VPN client addresses in configuration 3

VPN clients cannot use their local IP address in the internal corporate network. In this scenario, NAT is used to solve this problem.

This address management method allows connection opening from the VPN client end only. This method is simpler to set up for testing, as it does not require an external DHCP server. However, this method has some restrictions:

  • It does not allow connections to be opened from hosts in the internal network to VPN clients.
  • It prevents the Stonesoft VPN Client from using internal DNS servers.

You might want to change the IP address allocation method to Virtual IP after you have tested the basic VPN connectivity with the configuration explained here.

This basic configuration scenario does not explain all settings related to VPN client address management.

  For more details about the product and how to configure features, click Help or press F1.

Steps

  1. Right-click the firewall element, then select Edit Single Firewall or Edit Firewall Cluster.
  2. In the navigation pane on the left, browse to VPN > Advanced.
  3. Select Translate IP Addresses Using NAT Pool.
  4. Enter the IP Address Range of addresses and the Port Range you want to use for translating VPN client traffic.
    The VPN clients use these IP addresses when they connect to services in your internal network. Make sure that these IP addresses are not used elsewhere in your network. The translation is dynamic, so the number of IP addresses you enter does not need to correspond to the number of clients connecting. Typically, each connection a VPN client user opens to a resource reserves one port from whichever IP address has unreserved ports within the configured range. The reverse NAT for the reply packets is done automatically.
  5. Click Save.
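The allocation behaviour described in step 4, and the first restriction listed above, modelled as an added Python example (not part of the product documentation; the pool range and client addresses are constructed values): each connection a client opens reserves one port on a pool address, replies are mapped back automatically, and a connection opened from the internal network towards a client finds no mapping.

```python
# Model of the NAT pool behaviour in step 4 (added example, not product code;
# all addresses are constructed values): each client connection reserves one
# pool port, replies map back automatically, unsolicited inbound has no mapping.
import ipaddress
from collections import deque


class PoolExhausted(Exception):
    """Every (address, port) pair in the pool is reserved."""


class NatPool:
    def __init__(self, first_ip, last_ip, first_port, last_port):
        lo = int(ipaddress.IPv4Address(first_ip))
        hi = int(ipaddress.IPv4Address(last_ip))
        # Free slots, ordered so one address is drained before the next is used.
        self._free = deque(
            (str(ipaddress.IPv4Address(ip)), port)
            for ip in range(lo, hi + 1)
            for port in range(first_port, last_port + 1)
        )
        self._forward = {}  # (client_ip, client_port) -> (pool_ip, pool_port)
        self._reverse = {}  # (pool_ip, pool_port) -> (client_ip, client_port)

    def capacity(self):
        """Simultaneous connections the range can carry: addresses x ports."""
        return len(self._free) + len(self._forward)

    def outbound(self, client_ip, client_port):
        """Client opens a connection: reserve a slot and record both directions."""
        key = (client_ip, client_port)
        if key in self._forward:
            return self._forward[key]
        if not self._free:
            raise PoolExhausted("NAT pool exhausted; widen the IP or port range")
        slot = self._free.popleft()
        self._forward[key] = slot
        self._reverse[slot] = key
        return slot

    def reply(self, pool_ip, pool_port):
        """Reverse NAT: the client endpoint, or None when no client-initiated
        connection created the mapping, so unsolicited inbound is dropped."""
        return self._reverse.get((pool_ip, pool_port))

    def close(self, client_ip, client_port):
        """Connection ends: release the slot for reuse."""
        slot = self._forward.pop((client_ip, client_port))
        del self._reverse[slot]
        self._free.append(slot)
```

Because the client's real address never appears on the internal network, an internal host can only reach a client by replying to a mapping the client created, which is why the NAT method does not support connections opened from the internal side.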

Engine Editor – VPN – Advanced

Use this branch to change advanced VPN settings.

Options

Gateway Settings
  The Gateway Settings element that defines performance-related VPN options.

TCP Tunneling Port
  Port used for tunneling Stonesoft VPN Client connections inside TCP connections to bypass intermediary traffic filters and NAT devices.

Translate IP Addresses Using NAT Pool
  When selected, the specified IP address range and port range are used for translating IP addresses of incoming Stonesoft VPN Client connections to internal networks.

IP Address Range
  IP address range for translating IP addresses of incoming Stonesoft VPN Client connections to internal networks.

Port Range
  Port range for translating IP addresses of incoming Stonesoft VPN Client connections to internal networks.