Asked by critechnology

Problem: Need help designing Site-to-Site VPN with resources on multiple LAN subnets

I’m trying to determine an appropriate design for site-to-site VPN for vendor remote access to internal LAN systems (labeled “MRI System” on network diagram). Here's the problem: The internal LAN resources they need access to are currently on a LAN which is isolated from the main office LAN and is on a different subnet. There is currently no physical connection between the main office LAN and the MRI LAN.

I’ve attached a simplified network diagram of their current setup. As you’ll notice on the diagram, there are two separate internet connections, one which is connected to the Sonicwall (Comcast ISP) and the office LAN, and the other which is connected to a Cisco router (Knology ISP) for the MRI System LAN. The MRI system is connected to its own Cisco router and internet provider in order to transmit data to a remote entity, but due to several factors we’re not able to implement a VPN on that connection; we need to implement the VPN through the main office Sonicwall.

As you’ll notice in Building 3 (where the MRI System resides), it’s connected to its own isolated switch and there is currently no uplink to the main office LAN switch.

I need to determine how to establish a site-to-site VPN with the remote vendor through the Sonicwall internet router, allowing them to access the MRI System resources on the MRI LAN.

I have considered:

1. Uplinking the MRI LAN switch with the main office LAN switch and configuring a virtual sub-interface on the Sonicwall X0 port that would be on the same IP subnet as the MRI LAN. However I’m not sure this is possible since we’re not utilizing VLANs.

2. Installing a router between the MRI LAN and the main office LAN, configuring a static route from the Sonicwall to the intermediate router, and disabling the firewall in the intermediate router. My concern here is that I'm not sure if I can pass all traffic from the remote vendor through the VPN to the MRI System resources on the different subnet behind the intermediate router. Sonicwall tech support proposed this solution and said it would work if I disabled the firewall component on the intermediate router, but my testing yields different results. It seems that the only way to pass traffic through the intermediate router is to forward specific ports to specific hosts, which doesn't really accomplish full VPN-type access to all MRI System resources like I'm trying to do. My testing for this intermediate router has been with a Sonicwall TZ170. I noticed in the newer Linksys routers there is an option for disabling the SPI firewall, so I wonder if it would yield different results using a Linksys.

The relevant IP config info is:

Main office LAN:
Subnet mask:
Default Gateway: (Sonicwall NSA 240 internet router)

MRI LAN:
Subnet mask:
Default Gateway: (Cisco internet router for MRI LAN)

Attachment: Network diagram
Tags: VPN, Network Architecture, Hardware Firewalls

Last comment: 8/22/2022 (Mon)

What I would do to make life easier is to take that cable going from the Building 3 Switch that is abandoned in the bottom-left corner and have it plug into the SonicWALL in the Main Office on another port such as X2, rather than the Main Office switch. You can configure that other port for the MRI network and give it a unique Zone so you can properly route/firewall between the subnets then.

I wish I could do that - My oversimplified drawing doesn't make it clear, but the Sonicwall is in building 2 and the buildings are tied together with fiber, each building having a central switch in them. So unfortunately I can't get a dedicated cable from the MRI LAN in building 3 to an alternate port on the Sonicwall. Everything on the LAN connects to the X0 port. The Sonicwall does allow me to configure virtual "subinterfaces" on the X0 port, but I think this would only work if I implemented VLANs across the switches spanning buildings 2 and 3 (one for office LAN and one for MRI LAN) so the subinterface would handle the traffic properly.

What kind of switches are we talking about in the diagram? Are all of the switches managed and capable of being configured for VLANs and trunking? At this point it sounds like doing VLANs is best, but if they can't talk VLAN, we'll be quite limited to options then.

Cisco Catalyst 2950 switches, which I haven't had to manage up to this point since they've been rock-solid since I inherited the network several years ago. I'm not a Cisco guru and don't have the login info from the previous admin, but if I can get logged into them and configure VLANs that will probably be a viable option with the VLAN subinterface on the Sonicwall.

There are additional unused fiber strands running between the two buildings which are terminated on a fiber patch panel. Going back to your original suggestion of uplinking directly to an alternate port on the Sonicwall - It may be possible to install a FX/TX media converter at each end and establish a direct link from the switch in building 3 to a port on the Sonicwall in building 2...

I would do the direct link if possible, it will keep the network simple.

If not, let's go down the VLAN route as that's the next simplest method. Here is the password recovery method for your switches: http://www.cisco.com/en/US/products/hw/switches/ps628/products_password_recovery09186a0080094184.shtml

Then we need to figure out the ports that the SonicWALL plugs into in the Main Office switch, the ports that are used from that switch to the "abandoned one" in Building 3, and also what ports will be used to connect from the MRI switch to the Building 3 switch. All of those switches and ports will need to be setup for VLANs and Trunking which I can help with when we get to that point and can provide the commands for each switch if you can provide the port info.
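The VLAN-and-trunk layout described in the comment above, written out as an added example; it is not part of the original thread and not any participant's configuration. Every value in it is an assumption the page does not supply: the office LAN stays on VLAN 1 (untagged), the MRI LAN becomes VLAN 20, the fiber uplink between the Building 3 switch and the Main Office switch is Gi0/1 on each side, the SonicWALL X0 is cabled to Fa0/1 on the Main Office switch, and the MRI switch uplinks to Fa0/24 on the Building 3 switch. The syntax is Catalyst 2950 IOS; the MRI switch itself is left untouched and is placed in VLAN 20 by the access port it plugs into, so only the two central switches need to be logged into.

```cisco
! Added example, not from the original thread. Hypothetical VLAN IDs and
! port numbers; substitute the real ones. Office LAN = VLAN 1 untagged,
! MRI LAN = VLAN 20 tagged across the fiber and into the SonicWALL X0.

! ---------------- Building 3 central switch ----------------
vlan 20
 name MRI-LAN
!
interface FastEthernet0/24
 description Uplink from MRI switch (MRI switch left unconfigured)
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
!
interface GigabitEthernet0/1
 description Fiber trunk to Building 2: VLAN 1 untagged, VLAN 20 tagged
 switchport mode trunk
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1,20
 switchport nonegotiate
!
! ---------------- Main Office switch (Building 2) ----------------
vlan 20
 name MRI-LAN
!
interface GigabitEthernet0/1
 description Fiber trunk to Building 3: VLAN 1 untagged, VLAN 20 tagged
 switchport mode trunk
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1,20
 switchport nonegotiate
!
interface FastEthernet0/1
 description SonicWALL NSA 240 X0: untagged = office LAN, tag 20 = MRI subinterface
 switchport mode trunk
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1,20
 switchport nonegotiate
!
! Checks on each switch after applying:
!   show interfaces trunk     (Gi0/1 and Fa0/1 trunking, VLANs 1,20 allowed and active)
!   show vlan brief           (VLAN 20 present; Fa0/24 on Building 3 listed under it)
```

On the SonicWALL side this pairs with an X0 VLAN subinterface tagged 20, addressed in the MRI subnet and placed in its own zone rather than LAN, with the site-to-site VPN's local network set to the MRI subnet only so the vendor's tunnel never has a route into the office LAN. One return-path caveat applies to this design and to the intermediate-router design alike: the MRI hosts still default-route to the Cisco router, so replies to the vendor's remote subnet will leave via Knology unless the MRI hosts (or the Cisco router) get a static route for that remote subnet pointing at the SonicWALL's VLAN 20 address.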

Argh, never mind, I just realized the 2950s are fixed-config. We can't go in and manage them anyway.

I have to give Sonicwall tech support the credit for pointing me in the right direction with this one. Once I found a Linksys RV082 router to test that could truly be set to "router" mode with no firewall enabled everything went pretty smoothly from there.