Troubleshooting question

Problem: Need help designing Site-to-Site VPN with resources on multiple LAN subnets

Asked by critechnology
Tags: VPN, Hardware Firewalls, Network Architecture
I’m trying to determine an appropriate design for site-to-site VPN for vendor remote access to internal LAN systems (labeled “MRI System” on network diagram). Here's the problem: The internal LAN resources they need access to are currently on a LAN which is isolated from the main office LAN and is on a different subnet. There is currently no physical connection between the main office LAN and the MRI LAN.

I’ve attached a simplified network diagram of their current setup. As you’ll notice on the diagram, there are two separate internet connections, one which is connected to the Sonicwall (Comcast ISP) and the office LAN, and the other which is connected to a Cisco router (Knology ISP) for the MRI System LAN. The MRI system is connected to its own Cisco router and internet provider in order to transmit data to a remote entity, but due to several factors we’re not able to implement a VPN on that connection; we need to implement the VPN through the main office Sonicwall.

As you’ll notice in Building 3 (where the MRI System resides), it’s connected to its own isolated switch and there is currently no uplink to the main office LAN switch.

I need to determine how to establish a site-to-site VPN with the remote vendor through the Sonicwall internet router, allowing them to access the MRI System resources on the MRI LAN.

I have considered:

1. Uplinking the MRI LAN switch with the main office LAN switch and configuring a virtual sub-interface on the Sonicwall X0 port that would be on the same IP subnet as the MRI LAN. However, I’m not sure this is possible since we’re not utilizing VLANs.

2. Installing a router between the MRI LAN and the main office LAN, configuring a static route from the Sonicwall to the intermediate router, and disabling the firewall in the intermediate router. My concern here is that I'm not sure if I can pass all traffic from the remote vendor through the VPN to the MRI System resources on the different subnet behind the intermediate router. Sonicwall tech support proposed this solution and said it would work if I disabled the firewall component on the intermediate router, but my testing yields different results. It seems that the only way to pass traffic through the intermediate router is to forward specific ports to specific hosts, which doesn't really accomplish full VPN-type access to all MRI System resources like I'm trying to do. My testing for this intermediate router has been with a Sonicwall TZ170. I noticed in the newer Linksys routers there is an option for disabling the SPI firewall, so I wonder if it would yield different results using a Linksys.

The relevant IP config info is:

Main office LAN:
Subnet mask:
Default Gateway: (Sonicwall NSA 240 internet router)

MRI LAN:
Subnet mask:
Default Gateway: (Cisco internet router for MRI LAN)

Network diagram (attached image)
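A small routing model, added here as an illustration and not taken from the question or its answers, of what option 2 needs before the vendor can reach MRI hosts on their own addresses: a static route on the Sonicwall toward the MRI subnet, a return route on the intermediate router, no NAT on that router, and the MRI subnet listed among the VPN's local networks. The addresses, device names and the `check_design` helper are constructed for the example; the real site's values are not on the page.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed topology for the poster's option 2. Addresses are assumed
# documentation ranges, not the real site's.
VENDOR_LAN = ipaddress.ip_network("203.0.113.0/24")  # remote vendor, far side of the VPN
OFFICE_LAN = ipaddress.ip_network("192.0.2.0/24")    # main office LAN behind the SonicWall
MRI_LAN = ipaddress.ip_network("198.51.100.0/24")    # MRI LAN behind the intermediate router

@dataclass
class Router:
    routes: dict                # prefix -> next hop name ("local" = directly connected)
    nat: bool = False           # masquerades traffic it sends to the next hop
    vpn_local: list = field(default_factory=list)  # VPN local (phase-2) networks

def next_hop(router, dst):
    """Longest-prefix match; None when no route covers dst."""
    hits = [(p, nh) for p, nh in router.routes.items() if dst in p]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def trace(topology, start, src, dst):
    """Forward one packet hop by hop; returns (delivered, path). Delivery fails on a
    missing route, on NAT (the MRI host loses its own address) or if the tunnel's local networks exclude src."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    here, path = start, []
    while True:
        r = topology[here]
        path.append(here)
        nh = next_hop(r, dst)
        if nh is None:
            return False, path
        if nh == "local":
            return True, path
        if nh == "vpn":
            return any(src in n for n in r.vpn_local), path + ["vpn"]
        if r.nat:
            return False, path + ["nat"]
        here = nh

def check_design(vpn_local, intermediate_nat):
    """True only if vendor -> MRI host and the reply both get through."""
    topo = {
        "sonicwall": Router({OFFICE_LAN: "local", VENDOR_LAN: "vpn",
                             MRI_LAN: "intermediate"}, vpn_local=vpn_local),
        "intermediate": Router({MRI_LAN: "local",
                                ipaddress.ip_network("0.0.0.0/0"): "sonicwall"},
                               nat=intermediate_nat),
    }
    fwd, _ = trace(topo, "sonicwall", "203.0.113.10", "198.51.100.20")
    rev, _ = trace(topo, "intermediate", "198.51.100.20", "203.0.113.10")
    return fwd and rev
```

Running `check_design` with the MRI subnet omitted from `vpn_local`, or with NAT left on at the intermediate router, shows the reply path failing even though the forward route exists, which is the symptom where only explicit port forwards appear to work.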