SonicWall Site to Site VPN (same IP range on both sides?)

azpete
I have set up a dozen or more SonicWall Site to Site VPNs (with different subnets on both sides).
An Experts Exchange expert (dosdet2) says that SonicWalls can be set to use the same subnet range at both sides and they do a translation so you don't have any conflicts with duplicate IPs.
Anyone know if this is true? Any setup references would be much appreciated.
(We will have SonicWall NSA 2400s on both sides.)
Top Expert 2010
Commented:
Yes, it's true. I've done it before and you need the enhanced OS. On the 2400, you should be set. Here is the KB article I use to do that.

https://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=7759

Author

Commented:
That looks great. But in their diagram you can have duplicate IPs in Site A and Site B (my company will not have duplicates, but my theoretical question would be: how could that be?? If you have two servers with the same IP at different locations, how will the SonicWall know which server you want???

And I noticed at the bottom there was a reference to a similar article that uses the "HIDE NAT":
http://www.sonicwall.com/downloads/VPN_with_Overlapping_Networks.pdf
Any comments on the above?

A BIG thanks
Top Expert 2010

Commented:
It is confusing. What the VPN does, essentially, is hide the other end of the VPN behind a NAT'ed subnet. The HIDE NAT address object referred to in the KB is just that. Let's say that you have 192.168.1.0/24 at both ends. You pick a subnet that you are going to hide the respective subnet behind. So, SiteA gets 192.168.96.0/24 and SiteB gets 192.168.97.0/24. If you are at SiteA and you need to reference 192.168.1.1 as a server in SiteB, you don't use 192.168.1.1. You use 192.168.97.1.

When you type 192.168.97.1, your request hits the SonicWall (your gateway), which knows that 192.168.97.0/24 traffic goes over the VPN. On the other end, you configure the remote SonicWall to NAT 192.168.97.0/24 traffic to 192.168.1.0/24. So, your 192.168.97.1 hits the NAT on the VPN policy and is changed to 192.168.1.1.

This happens coming the other way when 192.168.1.0/24 hosts at SiteB attempt to access resources on 192.168.1.0/24 at SiteA. They would use 192.168.96.0/24 instead.

Hope that answers your question.

Author

Commented:
Okay, I see that.

Will the following work?
Site A has 192.168.1.1 through 192.168.1.50
Site B has 192.168.1.51 and higher
Could one side access the other side by its non-NAT'ed address?
Top Expert 2010

Commented:
If the subnet mask only allowed the specific range of IP addresses. You could not use a subnet mask of /24 on each side. I don't have my calc now, so I don't know how to break down your subnet by subnet mask. I will later though, but I think your plan should work.
Top Expert 2010

Commented:
OK. For SiteA, use 192.168.1.0/26 (255.255.255.192). This will give you 192.168.1.1 - 192.168.1.62.

For SiteB, use 192.168.1.64/26 (255.255.255.192). This will give you 192.168.1.64 - 192.168.1.126.
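Added example (not from the thread or from SonicWall): a small model of the two answers above. `send_over_vpn` walks a packet through the hide-NAT scheme (both sites really on 192.168.1.0/24, SiteA reachable as 192.168.96.0/24 and SiteB as 192.168.97.0/24, all values as constructed in the thread), and `split_is_disjoint` / `usable_hosts` check the /26 split that avoids needing hide NAT at all. The site table and function names are assumptions for illustration, not SonicWall configuration objects.

```python
"""Hide NAT over a VPN between overlapping subnets, modelled with the stdlib ipaddress module."""
from ipaddress import IPv4Address, IPv4Network

# Constructed per the thread: both LANs are 192.168.1.0/24; each site is *hidden* behind
# a distinct range that the other side addresses instead of the real one.
SITES = {
    "SiteA": {"real": IPv4Network("192.168.1.0/24"), "hide": IPv4Network("192.168.96.0/24")},
    "SiteB": {"real": IPv4Network("192.168.1.0/24"), "hide": IPv4Network("192.168.97.0/24")},
}


def _remap(addr: IPv4Address, src_net: IPv4Network, dst_net: IPv4Network) -> IPv4Address:
    """Keep the host part of addr and swap its network part from src_net to dst_net."""
    host_part = int(addr) - int(src_net.network_address)
    return IPv4Address(int(dst_net.network_address) + host_part)


def send_over_vpn(from_site: str, src: str, dst: str):
    """Model one direction of traffic from a host at from_site.

    Returns the (src, dst) pair the remote LAN actually sees after the remote
    firewall's VPN NAT policy, or None when dst is not a hidden remote address
    (i.e. the packet stays on the local LAN and never hits the VPN policy).
    """
    src_ip, dst_ip = IPv4Address(src), IPv4Address(dst)
    remote = next((n for n, s in SITES.items() if n != from_site and dst_ip in s["hide"]), None)
    if remote is None:
        return None
    local = SITES[from_site]
    # Remote firewall un-hides the destination: 192.168.97.1 -> 192.168.1.1 at SiteB.
    real_dst = _remap(dst_ip, SITES[remote]["hide"], SITES[remote]["real"])
    # ...and hides the source behind the local site's range so replies route back over
    # the VPN instead of being answered by the same address on the remote LAN.
    hidden_src = _remap(src_ip, local["real"], local["hide"])
    return str(hidden_src), str(real_dst)


def split_is_disjoint(a: str, b: str) -> bool:
    """True when the two sites' real subnets do not overlap, so no hide NAT is needed."""
    return not IPv4Network(a).overlaps(IPv4Network(b))


def usable_hosts(net: str):
    """First and last host address of a subnet (network and broadcast excluded)."""
    hosts = list(IPv4Network(net).hosts())
    return str(hosts[0]), str(hosts[-1])
```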
