Alcatel-Lucent AOS-W 6.5.3.x - Page 696

696 | Remote Access Points | AOS-W 6.5.3.x | User Guide
Figure 92 Remote AP with a Private Network
- Deployment Scenario 2: The remote AP is on the public network or behind a NAT device and the switch is on
  the public network. The remote AP must be configured with the tunnel termination point, which must be a
  publicly-routable IP address. In this scenario, a routable interface is configured on the switch in the DMZ.
  The remote AP uses the switch’s IP address on the public network to establish the IPSec VPN tunnel.
Figure 93 Remote AP with Switch on Public Network
- Deployment Scenario 3: The remote AP is on the public network or behind a NAT device and the switch is
  also behind a NAT device. (This deployment is recommended for remote access.) The remote AP must be
  configured with the tunnel termination point, which must be a publicly-routable IP address. In this scenario,
  the remote AP uses the public IP address of the corporate firewall. The firewall forwards traffic to an
  existing interface on the switch. (The firewall must be configured to pass NAT-T traffic (UDP port 4500) to
  the switch.)
Figure 94 Remote AP with Switch Behind Firewall
In any of the described deployment scenarios, the IPSec VPN tunnel can be terminated on a local switch, with a
master switch located elsewhere in the corporate network (Figure 95). The remote AP must be able to
communicate with the master switch after the IPSec tunnel is established. Make sure that the L2TP IP pool
configured on the local switch (from which the remote AP obtains its address) is reachable in the switch
network by the master switch.
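
The requirements above can be checked against a deployment plan before any remote AP is provisioned. The following is an added example, not part of the AOS-W User Guide: the plan dictionary layout and the function name check_rap_plan are hypothetical, and "reachable by the master switch" is assumed to mean that the master has a route covering the L2TP pool.

```python
import ipaddress

# Address space that cannot serve as a publicly routable tunnel termination point.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",  # CGNAT, loopback, link-local
)]

def check_rap_plan(plan):
    """Return a list of problems in a remote AP deployment plan (empty list = OK)."""
    problems = []
    term = ipaddress.ip_address(plan["termination_ip"])
    if any(term in net for net in NON_PUBLIC):
        problems.append("termination point is not publicly routable")
    if plan["scenario"] == 2 and plan["termination_ip"] != plan["switch_ip"]:
        problems.append("scenario 2: termination point must be the switch's public IP")
    if plan["scenario"] == 3:
        # The corporate firewall owns the public IP and must pass NAT-T to the switch.
        ok = any(f["proto"] == "udp" and f["port"] == 4500
                 and f["public_ip"] == plan["termination_ip"]
                 and f["forward_to"] == plan["switch_ip"]
                 for f in plan.get("firewall_forwards", []))
        if not ok:
            problems.append("scenario 3: firewall does not forward UDP 4500 to the switch")
    # Tunnel terminated on a local switch with the master elsewhere (assumed route model).
    if "master_routes" in plan:
        pool = ipaddress.ip_network(plan["l2tp_pool"])
        routes = [ipaddress.ip_network(r) for r in plan["master_routes"]]
        if not any(pool.subnet_of(r) for r in routes):
            problems.append("L2TP pool is not reachable from the master switch")
    return problems

# Constructed sample plans; 203.0.113.0/24 stands in for a real public address.
GOOD_PLAN = {
    "scenario": 3, "termination_ip": "203.0.113.10", "switch_ip": "10.1.1.5",
    "firewall_forwards": [{"public_ip": "203.0.113.10", "proto": "udp",
                           "port": 4500, "forward_to": "10.1.1.5"}],
    "l2tp_pool": "10.20.30.0/24", "master_routes": ["10.1.0.0/16", "10.20.0.0/16"],
}
BAD_PLAN = {
    "scenario": 3, "termination_ip": "192.168.1.1", "switch_ip": "10.1.1.5",
    "firewall_forwards": [{"public_ip": "192.168.1.1", "proto": "udp",
                           "port": 500, "forward_to": "10.1.1.5"}],
    "l2tp_pool": "10.20.30.0/24", "master_routes": ["10.1.0.0/16"],
}

if __name__ == "__main__":
    for name, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        print(name, check_rap_plan(plan) or "OK")
```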