azpete
asked on
SonicWall Site to Site VPN (same IP range on both sides?)
I have set up a dozen or more SonicWall Site to Site VPNs (with different subnets on both sides).
Expert-Exchange (dosdet2) says that SonicWalls can be set to use the same subnet range at both sides and they do a translation so you don't have any conflicts with duplicate IPs.
Anyone know if this is true? Any setup references would be much appreciated.
(We will have SonicWall NSA 2400s on both sides.)
ASKER CERTIFIED SOLUTION
It is confusing. What the VPN does, essentially, is hide the other end of the VPN behind a NAT'ed subnet. The HIDE NAT address object referred to in the KB is just that. Let's say that you have 192.168.1.0/24 at both ends. You pick a subnet that you are going to hide the respective subnet behind. So, SiteA gets 192.168.96.0/24 and SiteB gets 192.168.97.0/24. If you are at SiteA and you need to reference 192.168.1.1 as a server in SiteB, you don't use 192.168.1.1. You use 192.168.97.1.
When you type 192.168.97.1, your request hits the SonicWall (your gateway), which knows that 192.168.97.0/24 traffic goes over the VPN. On the other end, you configure the remote SonicWall to NAT 192.168.97.0/24 traffic to 192.168.1.0/24. So, your 192.168.97.1 hits the NAT on the VPN policy and is changed to 192.168.1.1.
This happens coming the other way when 192.168.1.0/24 hosts at SiteB attempt to access resources on 192.168.1.0/24 at SiteA. They would use 192.168.96.0/24 instead.
Hope that answers your question.
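The translation described in the answer above, traced for one packet in each direction. This is an added example, not part of the original thread and not SonicWall configuration; the function names are hypothetical, and it assumes each firewall rewrites its own LAN source into its translated subnet before the packet enters the tunnel.

```python
import ipaddress

# Addressing plan taken from the answer above: both sites really use
# 192.168.1.0/24; each is presented to the other under a translated subnet.
REAL = ipaddress.ip_network("192.168.1.0/24")
ALIAS = {"SiteA": ipaddress.ip_network("192.168.96.0/24"),
         "SiteB": ipaddress.ip_network("192.168.97.0/24")}

def remap(addr, src_net, dst_net):
    """1:1 NAT: keep the host bits, swap the network prefix."""
    addr = ipaddress.ip_address(addr)
    if addr not in src_net:
        raise ValueError(f"{addr} is not in {src_net}")
    if src_net.prefixlen != dst_net.prefixlen:
        raise ValueError("1:1 NAT needs equal prefix lengths")
    offset = int(addr) - int(src_net.network_address)
    return str(dst_net.network_address + offset)

def send(from_site, to_site, src_real, dst_alias):
    """Trace one packet: returns (src, dst) at each of three points."""
    if ipaddress.ip_address(dst_alias) in REAL:
        # The real range is local on both sides, so this never enters the tunnel.
        raise ValueError(f"{dst_alias} is on the local LAN; use {ALIAS[to_site]}")
    on_lan = (src_real, dst_alias)
    # Sending firewall (assumed): hide the local source behind its own alias subnet.
    in_tunnel = (remap(src_real, REAL, ALIAS[from_site]), dst_alias)
    # Receiving firewall: turn the alias destination back into the real host.
    delivered = (in_tunnel[0], remap(dst_alias, ALIAS[to_site], REAL))
    return [on_lan, in_tunnel, delivered]

def plan_is_unambiguous():
    """No alias may overlap the real range or another alias."""
    nets = [REAL, *ALIAS.values()]
    return not any(a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])

if __name__ == "__main__":
    # Constructed sample: a SiteA client at .10 reaching the SiteB server at .1
    for hop, (src, dst) in zip(("SiteA LAN", "tunnel", "SiteB LAN"),
                               send("SiteA", "SiteB", "192.168.1.10", "192.168.97.1")):
        print(f"{hop:10} src={src:15} dst={dst}")
```

The SiteB server sees the client as 192.168.96.10, so its reply is addressed to the SiteA alias and takes the same path in reverse.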
ASKER
Okay, I see that.
Will the following work?
Site A has 192.168.1.1 through 192.168.1.50
Site B has 192.168.1.51 and higher
Could one side access the other side by its non-NAT'ed address?
If the subnet mask only allowed the specific range of IP addresses. You could not use a subnet mask of /24 on each side. I don't have my calc now so I don't know how to break down your subnet by subnet mask. I will later though, but I think your plan should work.
OK. For SiteA, use 192.168.1.0/26 (255.255.255.192). This will give you 192.168.1.1 - 192.168.1.62.
For SiteB, use 192.168.1.64/26 (255.255.255.192). This will give you 192.168.1.64 - 192.168.1.126.
ASKER
And I noticed at the bottom there was a reference to a similar article that uses the "HIDE NAT":
http://www.sonicwall.com/downloads/VPN_with_Overlapping_Networks.pdf
Any comments on the above?
A BIG thanks