Gryzn
asked on
How to route multiple identical networks thru one router (VPN)
I need to solve the following problem:
Customer Site (192.168.1.x) --> Router IP 123.123.123.123 --> VPN Tunnel --> Router IP 1.1.1.1 --> Central Site (10.10.10.x)
Now I have to clone the whole network multiple times (all sites keep their IP net), AND use the same external IP (1.1.1.1) of the central site to establish the VPN tunnel, BUT all networks (A, B, C) must stay isolated from each other.
Customer Site A (192.168.1.x) --> Router IP 123.123.123.123 --> VPN Tunnel --> Router IP 1.1.1.1 --> Central Site A (10.10.10.x)
Customer Site B (192.168.1.x) --> Router IP 166.166.166.166 --> VPN Tunnel --> Router IP 1.1.1.1 --> Central Site B (10.10.10.x)
Customer Site C (192.168.1.x) --> Router IP 231.231.231.231 --> VPN Tunnel --> Router IP 1.1.1.1 --> Central Site C (10.10.10.x)
Since I have only one external IP address (1.1.1.1), I obviously need an option to bind each tunnel to a LAN port on the router to isolate the networks.
I don't know if this is even possible or not.
You need to NAT the Customer Sites to a different net. Say, like this:
Customer Site A (192.168.1.x) -- 172.16.1.0/24
Customer Site B (192.168.1.x) -- 172.16.2.0/24
Customer Site C (192.168.1.x) -- 172.16.3.0/24
Then, you have tunnels set up to your central site. In your central site network core, you could have a summary route for your customer NATs - 172.16.0.0/16 send it to your VPN box.
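To make the NAT-plus-summary-route idea concrete, here is an added worked example (not code from the thread or from any of the appliances mentioned). It models the three sites' 1:1 NAT onto 172.16.N.0/24, shows why three identical 192.168.1.0/24 routes at the central site are ambiguous, shows that a single 172.16.0.0/16 summary route forwards everything to the VPN box, which then picks the tunnel from the /24, and finishes with a constructed isolation rule on the VPN box that only permits NATed-site to central-LAN traffic. The host names, next-hop labels and the policy function are assumptions for illustration; the prefixes are the ones from the thread.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

IPv4Net = ipaddress.IPv4Network
IPv4Addr = ipaddress.IPv4Address

# Constructed per-site NAT table: every site really uses 192.168.1.0/24 and is
# translated 1:1 onto its own /24 inside 172.16.0.0/16 (ranges from the thread).
SITE_NAT: Dict[str, Tuple[IPv4Net, IPv4Net]] = {
    "A": (ipaddress.ip_network("192.168.1.0/24"), ipaddress.ip_network("172.16.1.0/24")),
    "B": (ipaddress.ip_network("192.168.1.0/24"), ipaddress.ip_network("172.16.2.0/24")),
    "C": (ipaddress.ip_network("192.168.1.0/24"), ipaddress.ip_network("172.16.3.0/24")),
}
CENTRAL_LAN = ipaddress.ip_network("10.10.10.0/24")


def nat_outbound(site: str, host: str) -> IPv4Addr:
    """Netmap-style 1:1 NAT: keep the host bits, replace the network bits."""
    real_net, nat_net = SITE_NAT[site]
    addr = ipaddress.ip_address(host)
    if addr not in real_net:
        raise ValueError(f"{host} is not inside {real_net} at site {site}")
    host_bits = int(addr) - int(real_net.network_address)
    return ipaddress.ip_address(int(nat_net.network_address) + host_bits)


def nat_inbound(translated: str) -> Tuple[str, IPv4Addr]:
    """Reverse translation: the /24 identifies the site, the host bits the LAN host."""
    addr = ipaddress.ip_address(translated)
    for site, (real_net, nat_net) in SITE_NAT.items():
        if addr in nat_net:
            host_bits = int(addr) - int(nat_net.network_address)
            return site, ipaddress.ip_address(int(real_net.network_address) + host_bits)
    raise LookupError(f"{translated} does not belong to any site NAT range")


def lookup(table: List[Tuple[IPv4Net, str]], dest: str) -> List[str]:
    """Longest-prefix match; returns every next hop tied at the best length."""
    addr = ipaddress.ip_address(dest)
    matches = [(net, hop) for net, hop in table if addr in net]
    if not matches:
        return []
    best = max(net.prefixlen for net, _ in matches)
    return [hop for net, hop in matches if net.prefixlen == best]


def overlapping_table() -> List[Tuple[IPv4Net, str]]:
    """What the central router sees without NAT: three identical routes."""
    return [(real_net, f"tunnel-{site}") for site, (real_net, _) in SITE_NAT.items()]


def core_table() -> List[Tuple[IPv4Net, str]]:
    """Central core: local LAN plus one summary route towards the VPN box."""
    return [(CENTRAL_LAN, "local-lan"),
            (ipaddress.ip_network("172.16.0.0/16"), "vpn-box")]


def vpn_box_table() -> List[Tuple[IPv4Net, str]]:
    """VPN box: one specific /24 per tunnel, so the NAT range selects the site."""
    return [(nat_net, f"tunnel-{site}") for site, (_, nat_net) in SITE_NAT.items()]


def route_to_site(dest: str) -> Tuple[str, str]:
    """Two-hop forwarding decision from the central core to the right tunnel."""
    return lookup(core_table(), dest)[0], lookup(vpn_box_table(), dest)[0]


def site_of(addr: IPv4Addr) -> Optional[str]:
    return next((s for s, (_, n) in SITE_NAT.items() if addr in n), None)


def flow_allowed(src: str, dst: str) -> bool:
    """Constructed isolation policy for the VPN box: a NATed site may only talk
    to the central LAN (and back); traffic between two sites' NAT ranges is dropped."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if site_of(s) is not None and d in CENTRAL_LAN:
        return True
    if site_of(d) is not None and s in CENTRAL_LAN:
        return True
    return False


if __name__ == "__main__":
    print("Without NAT, 192.168.1.7 matches:", lookup(overlapping_table(), "192.168.1.7"))
    print("Site B host 192.168.1.5 appears as", nat_outbound("B", "192.168.1.5"))
    print("172.16.2.5 is routed via", route_to_site("172.16.2.5"))
    print("Site A -> Site B allowed?", flow_allowed("172.16.1.10", "172.16.2.10"))
```

The ambiguity is the whole problem: `overlapping_table()` returns three equally good routes for one destination, so the central router cannot tell the sites apart. After NAT each site has a distinct prefix, the core only needs the /16 summary, and the VPN box resolves the tunnel from the /24. The `flow_allowed` rule is the piece the thread leaves open: routing alone does not isolate the sites, a filter on the VPN box (or separate routing instances) has to do that.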
ASKER
@davidcooper1967
Currently some ZyWALLs, Symantec appliances and so on...
@pseudocyber
do you mean: ?
Customer Site A (192.168.1.x) --> NATing to 172.16.1.0/24 --> Router IP 231.231.231.231 --> VPN Tunnel --> Router IP 1.1.1.1 --> Central Site A (10.10.10.x)
Customer Site B (192.168.1.x) --> NATing to 172.16.2.0/24 --> Router IP 231.231.231.231 --> VPN Tunnel --> Router IP 1.1.1.1 --> Central Site B (10.10.10.x)
Customer Site C (192.168.1.x) --> NATing to 172.16.3.0/24 --> Router IP 231.231.231.231 --> VPN Tunnel --> Router IP 1.1.1.1 --> Central Site C (10.10.10.x)
???
So I need two routers at the customer side? But there is still no isolation on the central site...
ASKER
This is the point. I cannot isolate it, because the router (on the central site) has only ONE IP internally (10.10.10.1), which is the gateway for A, B and C ...
I need a dedicated VPN tunnel to LAN port assignment or a way to simulate it somehow.
ASKER
Even if it seems to be possible by using a multiple-gateway router in combination with a layer 3 switch...
Seems too complicated to realize it.
What type of devices are at the remotes?
DC