Filter
Top Products
VPN > Settings
911
SonicOS 5.8.1 Administrator Guide
are addresses using address spaces that can easily be supernetted. For example, assume we
wanted to provide access to/from the LAN and DMZ at the hub site to one subnet at each of
2,000 remote sites, addressed as follows:
remoteSubnet0=Network 10.0.0.0/24 (mask 255.255.255.0, range 10.0.0.0-10.0.0.255)
remoteSubnet1=Network 10.0.1.0/24 (mask 255.255
.255.0, range 10.0.1.0-10.0.1.255)
remoteSubnet2=Network 10.0.2.0/24 (mask 255.255
.255.0, range 10.0.2.0-10.0.2.255)
remoteSubnet2000=10.7.207.0/24 (mask 255.255.255.0, range
10.7.207.0-10.7.207.255)
Creating VPN Policies for each of these
remote sites would result in the requisite 2,000 VPN
Policies, but would also create 8,000 Access Rules (LAN -> VPN, DMZ -> VPN, VPN -> LAN,
and VPN -> DMZ for each site). However, all of these Access Rules could easily be handled
with just 4 Access Rules to a supernetted or address range representation of the remote sites
(More specific allow or deny Access Rules could be added as needed):
remoteSubnetAll=Network 10.0.0.0/13 (mask 255.248.0.0,
range 10.0.0.0-10.7.255.255)
or
remoteRangeAll=Range 10.0.0.0-10.7.207.255
To enable this level of aggregation, the Ad
vanced tab of the VPN Policy window page offers
the option to Auto-Add Access Rules for VPN Policy setting. By default, the checkbox is
selected, meaning the accompanying Access Rules will be automatically created, as they've
always been. By deselecting the checkbox upon creating the VPN Policy, the administrator will
have the ability and need to create custom Access Rules for VPN traffic.