ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzaja_5.4.0.1/rzajavpnnatex.htm


<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="Scenario: Use network address translation for VPN" />
<meta name="abstract" content="In this scenario, your company wants to exchange sensitive data with one of its business partners by using VPN. To further protect the privacy of your company's network structure, your company will also use VPN NAT to hide the private IP address of the system it uses to host the applications to which your business partner has access." />
<meta name="description" content="In this scenario, your company wants to exchange sensitive data with one of its business partners by using VPN. To further protect the privacy of your company's network structure, your company will also use VPN NAT to hide the private IP address of the system it uses to host the applications to which your business partner has access." />
<meta name="DC.Relation" scheme="URI" content="rzajascenarios.htm" />
<meta name="DC.Relation" scheme="URI" content="rzajavpnnat.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2000, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2000, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzajavpnnatex.dita" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Scenario: Use network address translation for VPN</title>
</head>
<body id="rzajavpnnatex.dita"><a name="rzajavpnnatex.dita"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Scenario: Use network address translation for VPN</h1>
<div><p>In this scenario, your company wants to exchange sensitive data
with one of its business partners by using VPN. To further protect the privacy
of your company's network structure, your company will also use VPN NAT to
hide the private IP address of the system it uses to host the applications
to which your business partner has access.</p>
<div class="section" id="rzajavpnnatex.dita__situation"><a name="rzajavpnnatex.dita__situation"><!-- --></a><h4 class="sectionscenariobar">Situation</h4><p>Suppose
you are the network administrator for a small manufacturing company in Minneapolis.
One of your business partners, a parts supplier in Chicago, wants to start
doing more of their business with your company over the Internet. It is critical
that your company have the specific parts and quantities at the exact time
it needs them, so the supplier needs to be aware of your company's inventory
status and production schedules. Currently you handle this interaction manually,
but you find it time-consuming, expensive, and even inaccurate at times, so
you are more than willing to investigate your options.</p>
<p>Given the confidentiality
and time-sensitive nature of the information you exchange, you decide to create
a VPN between your supplier's network and your company's network. To further
protect the privacy of your company's network structure, you decide you will
need to hide the private IP address of the system that hosts the applications
to which the supplier has access.</p>
<p>You can use VPN not only to create
the connection definitions on the VPN gateway in your company's network, but
also to provide the address translation you need to hide your local private
addresses. Unlike conventional network address translation (NAT), which changes
IP addresses that the security associations (SAs) VPN requires to function have
already been built around, VPN NAT performs address translation before SA
validation by assigning an address to the connection when the connection starts.</p>
</div>
<div class="section" id="rzajavpnnatex.dita__objective"><a name="rzajavpnnatex.dita__objective"><!-- --></a><h4 class="sectionscenariobar">Objectives</h4><p>The
objectives of this scenario are to:</p>
<ul><li>allow all clients in the supplier network to access a single host system
in the manufacturer's network over a gateway-to-gateway VPN connection.</li>
<li>hide the private IP address of the host system in the manufacturer's network,
by translating it to a public IP address by using network address
translation for VPN (VPN NAT).</li>
</ul>
</div>
<div class="section" id="rzajavpnnatex.dita__details"><a name="rzajavpnnatex.dita__details"><!-- --></a><h4 class="sectionscenariobar">Details</h4><p>The
following diagram illustrates the network characteristics of both the supplier
network and the manufacturing network:</p>
<br /><img src="rzaja517.gif" alt="Diagram that shows IP traffic flowing from a client in a supplier network, through its VPN gateway, across the Internet to the manufacturer's VPN gateway where the public destination address of the packet is translated to its actual private IP address." /><br /><ul><li>VPN gateway-A is configured to always initiate connections to VPN gateway-B.</li>
<li>VPN gateway-A defines the destination endpoint for the connection as 204.146.18.252
(the public address assigned to iSeries-C).</li>
<li>iSeries-C has a private IP address in the manufacturer's network of 10.6.100.1.</li>
<li>A public address of 204.146.18.252 has been defined in the local service
pool on VPN gateway-B for iSeries-C's private address, 10.6.100.1.</li>
<li>VPN gateway-B translates iSeries-C's public address to its private address,
10.6.100.1, for inbound datagrams. VPN gateway-B translates returning, outbound,
datagrams from 10.6.100.1 back to iSeries-C's public address, 204.146.18.252.
As far as clients in the supplier network are concerned, iSeries-C has an
IP address of 204.146.18.252. They will never be aware that address translation
has occurred.</li>
</ul>
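<p>The following is an added worked example, not code from this Information Center topic or from the i5/OS VPN implementation. It is a small Python model of the address-translation flow just described: a local service pool on VPN gateway-B pairs the public identifier 204.146.18.252 with the private address 10.6.100.1, the pool address is bound to the connection when it starts, inbound datagrams have their destination rewritten to the private address, and outbound replies have their source rewritten back to the public address. The SA selector on gateway-B is matched against the public identifier, which is why translation can happen without disturbing the SA. The supplier client address 192.0.2.25 and the supplier network 192.0.2.0/24 are constructed placeholders; the scenario does not state them.</p>
<pre>
```python
"""Toy model of the VPN NAT flow in this scenario (constructed example,
not IBM's implementation or any i5/OS API)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Datagram:
    """Minimal IP datagram: only the fields address translation touches."""
    src: str
    dst: str
    payload: bytes = b""


class LocalServicePool:
    """Public identifier -> private address entries configured on a gateway."""

    def __init__(self) -> None:
        self.entries: dict[str, str] = {}

    def add(self, public: str, private: str) -> None:
        ip_address(public)   # raises ValueError on a malformed address
        ip_address(private)
        self.entries[public] = private


class VpnNatGateway:
    """Model of VPN gateway-B: hides a private host behind a pool address."""

    def __init__(self, pool: LocalServicePool, remote_network: str) -> None:
        self.pool = pool
        self.remote = ip_network(remote_network)   # supplier clients (assumed range)
        self.bound: dict[str, str] = {}            # public -> private, per connection

    def start_connection(self, public: str) -> str:
        """Bind the pool address to the connection before any SA check."""
        private = self.pool.entries[public]        # KeyError if not in the pool
        self.bound[public] = private
        return private

    def sa_selector_matches(self, pkt: Datagram) -> bool:
        """SA selectors on gateway-B are written with the public identifier,
        so validation sees 204.146.18.252 and never 10.6.100.1."""
        return pkt.dst in self.bound and ip_address(pkt.src) in self.remote

    def inbound(self, pkt: Datagram) -> Datagram:
        """Supplier -> manufacturer: rewrite the public destination to private."""
        if not self.sa_selector_matches(pkt):
            raise PermissionError(f"no SA for {pkt.src} -> {pkt.dst}")
        return Datagram(pkt.src, self.bound[pkt.dst], pkt.payload)

    def outbound(self, pkt: Datagram) -> Datagram:
        """Manufacturer -> supplier: rewrite the private source back to public.
        A private address with no bound pool entry never leaves the gateway."""
        for public, private in self.bound.items():
            if private == pkt.src and ip_address(pkt.dst) in self.remote:
                return Datagram(public, pkt.dst, pkt.payload)
        raise PermissionError(f"{pkt.src} has no bound pool address")


def run_scenario(client: str = "192.0.2.25") -> dict:
    """Replay the scenario: request in, reply out. Client address is constructed."""
    pool = LocalServicePool()
    pool.add("204.146.18.252", "10.6.100.1")   # values from the scenario
    gw_b = VpnNatGateway(pool, "192.0.2.0/24")  # supplier range is assumed
    gw_b.start_connection("204.146.18.252")
    request = Datagram(client, "204.146.18.252", b"inventory query")
    delivered = gw_b.inbound(request)           # iSeries-C sees dst 10.6.100.1
    reply = Datagram(delivered.dst, delivered.src, b"inventory status")
    returned = gw_b.outbound(reply)             # client sees src 204.146.18.252
    return {"delivered": delivered, "returned": returned}


if __name__ == "__main__":
    for name, pkt in run_scenario().items():
        print(f"{name}: {pkt.src} -> {pkt.dst}")
```
</pre>
<p>Running the module prints the two translated datagrams. The point to take from the model is the ordering: the pool address is bound at connection start and the SA selector is checked against that public identifier, so a datagram addressed directly to 10.6.100.1 from the tunnel does not match any SA and is dropped, and the supplier side only ever observes 204.146.18.252.</p>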
</div>
<div class="section"><h4 class="sectionscenariobar">Configuration tasks</h4><p>You
must complete each of the following tasks to configure the connection described
in this scenario:</p>
<ol><li>Configure a basic gateway-to-gateway VPN between <span class="uicontrol">VPN gateway-A</span> and <span class="uicontrol">VPN
gateway-B</span>.</li>
<li>Define a local service pool on <span class="uicontrol">VPN gateway-B</span> to
hide <span class="uicontrol">iSeries-C</span>'s private address behind the public
identifier, 204.146.18.252.</li>
<li>Configure <span class="uicontrol">VPN gateway-B</span> to translate local addresses
using local service pool addresses.</li>
</ol>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzajascenarios.htm" title="Review these scenarios to become familiar with the technical and configuration details involved with each of these basic connection types.">VPN scenarios</a></div>
</div>
<div class="relconcepts"><strong>Related concepts</strong><br />
<div><a href="rzajavpnnat.htm" title="VPN provides a means for performing network address translation, called VPN NAT. VPN NAT differs from traditional NAT in that it translates addresses before applying the IKE and IPSec protocols. Refer to this topic to learn more.">Network address translation for VPN</a></div>
</div>
</div>
</body>
</html>