ZyXEL Communications ZyWALL 310 - Page 282

ZyXEL Communications ZyWALL 310
665 pages
Chapter 33 IPSec VPN
ZyWALL Series CLI Reference Guide
Table 148 crypto Commands: IPSec SAs (continued)

COMMAND
    DESCRIPTION

[no] policy-enforcement
    Drops traffic whose source and destination IP addresses do not match the local and remote policy. This makes the IPSec SA more secure. The no command allows traffic whose source and destination IP addresses do not match the local and remote policy.
    Note: You must allow traffic whose source and destination IP addresses do not match the local and remote policy, if you want to use the IPSec SA in a VPN concentrator.

[no] nail-up
    Automatically re-negotiates the SA as needed. The no command does not.

[no] replay-detection
    Enables replay detection. The no command disables it.

[no] netbios-broadcast
    Enables NetBIOS broadcasts through the IPSec SA. The no command disables NetBIOS broadcasts through the IPSec SA.

[no] out-snat activate
    Enables out-bound traffic SNAT over IPSec. The no command disables out-bound traffic SNAT over IPSec.

out-snat source address_name destination address_name snat address_name
    Configures out-bound traffic SNAT in the IPSec SA.

[no] in-snat activate
    Enables in-bound traffic SNAT in the IPSec SA. The no command disables in-bound traffic SNAT in the IPSec SA.

in-snat source address_name destination address_name snat address_name
    Configures in-bound traffic SNAT in the IPSec SA.

[no] in-dnat activate
    Enables in-bound traffic DNAT in the IPSec SA. The no command disables in-bound traffic DNAT in the IPSec SA.

in-dnat delete <1..10>
    Deletes the specified rule for in-bound traffic DNAT in the specified IPSec SA.

in-dnat move <1..10> to <1..10>
    Moves the specified rule (first rule number) to the specified location (second rule number) for in-bound traffic DNAT.

in-dnat append protocol {all | tcp | udp} original-ip address_name <0..65535> <0..65535> mapped-ip address_name <0..65535> <0..65535>
    Maps the specified IP address and port range (original-ip) to the specified IP address and port range (mapped-ip) and appends this rule to the end of the rule list for in-bound traffic DNAT.

in-dnat insert <1..10> protocol {all | tcp | udp} original-ip address_name <0..65535> <0..65535> mapped-ip address_name <0..65535> <0..65535>
    Maps the specified IP address and port range (original-ip) to the specified IP address and port range (mapped-ip) and inserts this rule before the specified rule.

in-dnat <1..10> protocol {all | tcp | udp} original-ip address_name <0..65535> <0..65535> mapped-ip address_name <0..65535> <0..65535>
    Creates or revises the specified rule and maps the specified IP address and port range (original-ip) to the specified IP address and port range (mapped-ip).

[no] configuration-payload-provide activate
    Enables configuration payload in server role. The no command disables it.

configuration-payload-provide address- {}
    Sets configuration payload address . The no command disables it.
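
The policy-enforcement check described in the table, modeled as an added example (not ZyXEL's code and not from the guide). The class and function names, the subnets and the packets are constructed, and the direction rule (tunnel traffic must have its source in the remote policy and its destination in the local policy) is an assumption about how the match is applied.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class SaPolicy:
    """Hypothetical model of one IPSec SA's policy; not ZyWALL code."""
    local_policy: str                 # local policy subnet, CIDR
    remote_policy: str                # remote policy subnet, CIDR
    policy_enforcement: bool = True   # False models `no policy-enforcement`


def matches_policy(sa, src, dst, inbound=True):
    """True when src/dst fall inside the SA's local and remote policy.

    Assumption: traffic arriving through the tunnel must have its source in
    the remote policy and its destination in the local policy; outbound
    traffic is the mirror image.
    """
    local = ipaddress.ip_network(sa.local_policy)
    remote = ipaddress.ip_network(sa.remote_policy)
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if inbound:
        return s in remote and d in local
    return s in local and d in remote


def verdict(sa, src, dst, inbound=True):
    """Return 'forward', 'drop' or 'forward-unmatched' for one packet."""
    if matches_policy(sa, src, dst, inbound):
        return "forward"
    return "drop" if sa.policy_enforcement else "forward-unmatched"


def unmatched_flows(sa, packets):
    """Packets that pass only because enforcement is off: worth reviewing."""
    return [p for p in packets if verdict(sa, *p) == "forward-unmatched"]


# Constructed sample: hub LAN 192.168.1.0/24, spoke A 10.1.0.0/24.
STRICT = SaPolicy("192.168.1.0/24", "10.1.0.0/24")
CONCENTRATOR = SaPolicy("192.168.1.0/24", "10.1.0.0/24", policy_enforcement=False)
PACKETS = [
    ("10.1.0.5", "192.168.1.10"),    # spoke A -> hub LAN, matches the policy
    ("10.1.0.5", "10.2.0.7"),        # spoke A -> another spoke via the hub
    ("172.16.9.9", "192.168.1.10"),  # source outside the remote policy
]

if __name__ == "__main__":
    for sa in (STRICT, CONCENTRATOR):
        print([verdict(sa, *p) for p in PACKETS])
```

With enforcement off, the spoke-to-spoke flow a VPN concentrator needs and the packet with an out-of-policy source are both accepted; this check no longer tells them apart.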