Policy management, Client mode/pat, Client mode with split tunneling – Cisco VPN 3002 User Manual

Page 119

Advertising
background image

C H A P T E R

11-1

VPN 3002 Hardware Client Reference

OL-1893-01

11

Policy Management

The VPN 3002 works in either of two modes: Client mode or Network Extension mode.

Policy management on the VPN 3002 includes deciding whether you want the VPN 3002 to use Client
Mode or Network Extension mode. This section lets you enable or disable PAT.

Client Mode/PAT

Client mode, also called Port Address Translation (PAT) mode, isolates all devices on the VPN 3002
private network from those on the corporate network. In PAT mode:

IPSec encapsulates all traffic going from the private network of the VPN 3002 to the network(s)
behind the Internet Key Exchange (IKE) peer, that is, the central-site VPN Concentrator.

PAT mode uses NAT (Network Address Translation). NAT translates the network addresses of the
devices connected to the VPN 3002 private interface to the IP address of the VPN 3002 public
interface. The VPN Concentrator assigns this address. NAT also keeps track of these mappings so
that it can forward replies to the correct device.

All traffic from the private network appears on the network behind the IKE peer with a single source IP
address. This IP address is the one the central-site VPN Concentrator assigns to the VPN 3002. The IP
addresses of the computers on the VPN 3002 private network are hidden. You cannot ping or access a
device on the VPN 3002 private network from outside of that private network, or directly from a device
on the private network at the central site.

In client mode, the tunnel establishes when data passes to the VPN Concentrator, or when you click
Connect Now in the Monitoring | System Status screen.

Client Mode with Split Tunneling

You assign the VPN 3002 to a client group on the central-site VPN Concentrator. If you enable split
tunneling for that group, IPSec and PAT are applied to all traffic that travels through the VPN 3002 to
networks within the network list for that group behind the central-site VPN Concentrator.

Traffic from the VPN 3002 to any destination other than those within the network list for that group on
the central-site VPN Concentrator travels in the clear without applying IPSec. NAT translates the
network addresses of the devices connected to the VPN 3002 private interface to the assigned IP address
of the public interface and also keeps track of these mappings so that it can forward replies to the correct
device.

Advertising