ZyXEL Communications ZyWALL 1000 Network Router User Manual


 
Chapter 20 IPSec VPN
ZyWALL USG 1000 User’s Guide
Table 91 VPN > IPSec VPN > VPN Connection > Edit (continued)

LABEL: DESCRIPTION

Policy Enforcement: Select this if you want the ZyWALL to drop traffic whose source and destination IP addresses do not match the local and remote policy. This makes the IPSec SA more secure.
Note: You must clear this field, however, if you want to use the IPSec SA in a VPN concentrator.

Local Policy: Select the address or address group corresponding to the local network. Select Create Object to configure a new one.

Remote Policy: Select the address or address group corresponding to the remote network. Select Create Object to configure a new one.

Property

Nailed-Up: Select this if you want the ZyWALL to automatically renegotiate the IPSec SA when the SA life time expires.

Enable Replay Detection: Select this check box to detect and reject old or duplicate packets to protect against Denial-of-Service attacks.

Enable NetBIOS Broadcast over IPSec: Select this check box if you want the ZyWALL to send NetBIOS (Network Basic Input/Output System) packets through the IPSec SA.
NetBIOS packets are TCP or UDP packets that enable a computer to connect to and communicate with a LAN. It may sometimes be necessary to allow NetBIOS packets to pass through IPSec SAs in order to allow local computers to find computers on the remote network and vice versa.

Advanced/Basic: Click this button to show or hide the Inbound/Outbound traffic NAT fields.

Inbound/Outbound traffic NAT: Click the Advanced or Basic button to show or hide this section.

Outbound Traffic

Source NAT: This translation hides the source address of computers in the local network. It may also be necessary if you want the ZyWALL to route packets from computers outside the local network through the IPSec SA.

Source: Select the address object that represents the original source address (or select Create Object to configure a new one). This is the address object for the computer or network outside the local network. The size of the original source address range (Source) must be equal to the size of the translated source address range (SNAT).

Destination: Select the address object that represents the original destination address (or select Create Object to configure a new one). This is the address object for the remote network.

SNAT: Select the address object that represents the translated source address (or select Create Object to configure a new one). This is the address object for the local network. The size of the original source address range (Source) must be equal to the size of the translated source address range (SNAT).

Inbound Traffic

Source NAT: This translation hides the source address of computers in the remote network.

Source: Select the address object that represents the original source address (or select Create Object to configure a new one). This is the address object for the remote network. The size of the original source address range (Source) must be equal to the size of the translated source address range (SNAT).

Destination: Select the address object that represents the original destination address (or select Create Object to configure a new one). This is the address object for the local network.