Allowing IPsec Remote VPN Clients to Access the Internet

Enabling Client Internet Access automatically creates advanced NAT rules that allow remote VPN clients to access the Internet over the VPN tunnels. This section provides an example of manually configuring advanced NAT rules to allow remote VPN clients to access the Internet over the VPN tunnels.

1. Assume that you enable the IPsec Remote Access feature and create a group policy as follows:

| Field | Setting |
|---|---|
| Group Name | VPNGroup1 |
| WAN Interface | WAN1 |
| IKE Authentication Method | Pre-shared key |
| Mode | Client |
| Pool Range for Client LAN | Start IP: 192.168.3.2, End IP: 192.168.3.254 |
| Client Internet Access | Disable |
| WAN Failover | On |

NOTE: An address object with the range 192.168.3.2 to 192.168.3.254 called “EZVPN_VPNGroup1” will be automatically created.

2. If only a single WAN interface is configured, go to the Firewall > NAT > Advanced NAT page to create an advanced NAT rule as follows.

| Field | Setting |
|---|---|
| Name | VPNClient_to_WAN1 |
| Enable | On |
| From | Any |
| To | WAN1 |
| Original Source Address | EZVPN_VPNGroup1 |
| Original Destination Address | Any |
| Original Services | Any |
| Translated Source Address | WAN1_IP |
| Translated Destination Address | Any |
| Translated Services | Any |

3. If two WAN interfaces are configured, go to the Firewall > NAT > Advanced NAT page to create two advanced NAT rules as follows.

| Field | Setting |
|---|---|
| Name | VPNClient_to_WAN1 |
| Enable | On |
| From | Any |
| To | WAN1 |
| Original Source Address | EZVPN_VPNGroup1 |
| Original Destination Address | Any |
| Original Services | Any |
| Translated Source Address | WAN1_IP |
| Translated Destination Address | Any |
| Translated Services | Any |

| Field | Setting |
|---|---|
| Name | VPNClient_to_WAN2 |
| Enable | On |
| From | Any |
| To | WAN2 |
| Original Source Address | EZVPN_VPNGroup1 |
| Original Destination Address | Any |
| Original Services | Any |
| Translated Source Address | WAN2_IP |
| Translated Destination Address | Any |
| Translated Services | Any |

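The following added example (not part of the original guide and not device code) models the rules from steps 2 and 3 to check that every WAN interface has an enabled source NAT rule covering the whole client pool, and to show what happens to a client packet that leaves through a WAN interface with no matching rule. The WAN addresses are constructed placeholders for the WAN1_IP and WAN2_IP objects, and first-match rule evaluation is an assumption; fields set to Any are omitted because they do not restrict matching.

```python
import ipaddress
from dataclasses import dataclass

# Client pool from the group policy above (address object EZVPN_VPNGroup1).
POOL = ("192.168.3.2", "192.168.3.254")
# Constructed addresses standing in for the WAN1_IP / WAN2_IP objects.
WAN_ADDR = {"WAN1_IP": "203.0.113.10", "WAN2_IP": "198.51.100.10"}


@dataclass
class NatRule:
    name: str
    enabled: bool
    to_iface: str          # "To" field
    orig_src: tuple        # "Original Source Address" as (start, end)
    translated_src: str    # "Translated Source Address" object name


def _ip(s):
    return ipaddress.ip_address(s)


def translate(rules, src_ip, egress):
    """Return (rule name, source address seen on the WAN) for one packet."""
    for r in rules:  # assumption: first enabled match wins
        if (r.enabled and r.to_iface == egress
                and _ip(r.orig_src[0]) <= _ip(src_ip) <= _ip(r.orig_src[1])):
            return r.name, WAN_ADDR[r.translated_src]
    return None, src_ip  # no rule matched: source is left untranslated


def uncovered_wans(rules, wans, pool=POOL):
    """List WAN interfaces that have no enabled rule covering the whole pool."""
    missing = []
    for wan in wans:
        covered = any(
            r.enabled and r.to_iface == wan
            and _ip(r.orig_src[0]) <= _ip(pool[0])
            and _ip(r.orig_src[1]) >= _ip(pool[1])
            for r in rules)
        if not covered:
            missing.append(wan)
    return missing


RULE_WAN1 = NatRule("VPNClient_to_WAN1", True, "WAN1", POOL, "WAN1_IP")
RULE_WAN2 = NatRule("VPNClient_to_WAN2", True, "WAN2", POOL, "WAN2_IP")

if __name__ == "__main__":
    print(translate([RULE_WAN1], "192.168.3.50", "WAN2"))  # step 2 rules, WAN2 egress
    print(uncovered_wans([RULE_WAN1, RULE_WAN2], ["WAN1", "WAN2"]))
```

With only the step 2 rule in place, a pool address leaving through WAN2 keeps its private source address, which is the gap the second rule in step 3 closes when WAN Failover is on.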