I’m trying to determine an appropriate design for site-to-site VPN for vendor remote access to internal LAN systems (labeled “MRI System” on network diagram). Here's the problem: The internal LAN resources they need access to are currently on a LAN which is isolated from the main office LAN and is on a different subnet. There is currently no physical connection between the main office LAN and the MRI LAN.
I’ve attached a simplified network diagram of their current setup. As you’ll notice on the diagram, there are two separate internet connections, one which is connected to the Sonicwall (Comcast ISP) and the office LAN, and the other which is connected to a Cisco router (Knology ISP) for the MRI System LAN. The MRI system is connected to its own Cisco router and internet provider in order to transmit data to a remote entity, but due to several factors we’re not able to implement a VPN on that connection; we need to implement the VPN through the main office Sonicwall.
As you’ll notice in Building 3 (where the MRI System resides), it’s connected to its own isolated switch and there is currently no uplink to the main office LAN switch.
I need to determine how to establish a site-to-site VPN with the remote vendor through the Sonicwall internet router, allowing them to access the MRI System resources on the MRI LAN.
I have considered:
1. Uplinking the MRI LAN switch with the main office LAN switch and configuring a virtual sub-interface on the Sonicwall X0 port that would be on the same IP subnet as the MRI LAN. However, I’m not sure this is possible since we’re not utilizing VLANs.
2. Installing a router between the MRI LAN and the main office LAN, configuring a static route from the Sonicwall to the intermediate router, and disabling the firewall in the intermediate router. My concern here is that I'm not sure if I can pass all traffic from the remote vendor through the VPN to the MRI System resources on the different subnet behind the intermediate router. Sonicwall tech support proposed this solution and said it would work if I disabled the firewall component on the intermediate router, but my testing yields different results. It seems that the only way to pass traffic through the intermediate router is to forward specific ports to specific hosts, which doesn't really accomplish full VPN-type access to all MRI System resources like I'm trying to do. My testing for this intermediate router has been with a Sonicwall TZ170. I noticed in the newer Linksys routers there is an option for disabling SPI firewall, so I wonder if it would yield different results using a Linksys.
The relevant IP config info is:
Main office LAN:
  Network: 172.20.1.0
  Subnet mask: 255.255.255.0
  Default Gateway: 172.20.1.95 (Sonicwall NSA 240 internet router)
MRI LAN:
  Network: 192.168.192.0
  Subnet mask: 255.255.255.0
  Default Gateway: 192.168.192.254 (Cisco internet router for MRI LAN)
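A routing check for option 2 (intermediate router between the two LANs), as an added example that is not part of the original post: a small Python model of each device's static route table, walked hop by hop with longest-prefix matching in both directions, vendor to MRI host and MRI host back to vendor. Only the two subnets and their gateways (172.20.1.0/24 with 172.20.1.95, 192.168.192.0/24 with 192.168.192.254) come from the post. The intermediate router's addresses (172.20.1.254 on the office side, 192.168.192.253 on the MRI side), the vendor LAN 10.99.0.0/24, the host addresses and the public addresses (documentation ranges) are assumptions of the model. The VPN tunnel is modelled as a plain next hop to the peer's public address, and firewall access rules on the Sonicwall or the intermediate router are not modelled; the check only answers whether a route exists each way.

```python
"""Route-table walk for a site-to-site VPN into a second LAN via an intermediate router.

Added example; not from the original post. Addresses other than the two LAN
subnets and gateways named in the post are assumed for the model.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

Route = Tuple[str, Optional[str]]  # (prefix, next hop); None = directly connected


class Node:
    """A host or router: its own addresses plus a static route table."""

    def __init__(self, name: str, addresses: List[str], routes: List[Route]):
        self.name = name
        self.addresses = {ipaddress.ip_address(a) for a in addresses}
        self.routes = [(ipaddress.ip_network(p),
                        None if nh is None else ipaddress.ip_address(nh))
                       for p, nh in routes]

    def lookup(self, dst):
        """Longest-prefix match, as a forwarding table does."""
        best = None
        for net, nh in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        return best


def build_topology() -> Dict[str, Node]:
    """Option 2 as described in the post; assumed addresses marked in comments."""
    specs = {
        # vendor side (assumed 10.99.0.0/24 behind a VPN gateway at 203.0.113.1)
        "vendor_host": (["10.99.0.10"],
                        [("10.99.0.0/24", None), ("0.0.0.0/0", "10.99.0.1")]),
        "vendor_fw": (["10.99.0.1", "203.0.113.1"],
                      [("10.99.0.0/24", None), ("203.0.113.0/24", None),
                       ("192.168.192.0/24", "198.51.100.1"),  # via VPN tunnel to the Sonicwall
                       ("0.0.0.0/0", "203.0.113.254")]),
        # Sonicwall NSA 240: 172.20.1.95 from the post, WAN address assumed
        "sonicwall": (["172.20.1.95", "198.51.100.1"],
                      [("172.20.1.0/24", None), ("198.51.100.0/24", None),
                       ("192.168.192.0/24", "172.20.1.254"),  # static route to intermediate router
                       ("10.99.0.0/24", "203.0.113.1"),       # via VPN tunnel to the vendor
                       ("0.0.0.0/0", "198.51.100.254")]),
        # intermediate router between the LANs (both addresses assumed)
        "intermediate": (["172.20.1.254", "192.168.192.253"],
                         [("172.20.1.0/24", None), ("192.168.192.0/24", None),
                          ("0.0.0.0/0", "172.20.1.95")]),
        # MRI host (address assumed); default gateway 192.168.192.254 is from the post
        "mri_host": (["192.168.192.10"],
                     [("192.168.192.0/24", None), ("0.0.0.0/0", "192.168.192.254")]),
        # Cisco router on the Knology connection (WAN address assumed)
        "cisco": (["192.168.192.254", "192.0.2.1"],
                  [("192.168.192.0/24", None), ("192.0.2.0/24", None),
                   ("0.0.0.0/0", "192.0.2.254")]),
        # the public internet: knows the public ranges only, no RFC 1918 routes
        "internet": (["198.51.100.254", "203.0.113.254", "192.0.2.254"],
                     [("198.51.100.0/24", None), ("203.0.113.0/24", None),
                      ("192.0.2.0/24", None)]),
    }
    return {n: Node(n, addrs, routes) for n, (addrs, routes) in specs.items()}


def owner(nodes: Dict[str, Node], ip) -> Optional[Node]:
    """Which device holds this address (the far end of a hop)?"""
    return next((n for n in nodes.values() if ip in n.addresses), None)


def trace(nodes: Dict[str, Node], src: str, dst: str, max_hops: int = 10):
    """Walk a packet from src to dst; return (path, delivered)."""
    dst_ip = ipaddress.ip_address(dst)
    cur = nodes[src]
    path = [cur.name]
    for _ in range(max_hops):
        if dst_ip in cur.addresses:
            return path, True
        match = cur.lookup(dst_ip)
        if match is None:
            return path, False  # no route at all: packet is dropped here
        _, next_hop = match
        nxt = owner(nodes, dst_ip if next_hop is None else next_hop)
        if nxt is None:
            return path, False  # next hop is not on any segment we know of
        cur = nxt
        path.append(cur.name)
    return path, False


def check_design(add_return_route: bool):
    """Forward and return path; optionally add the vendor-subnet route on the MRI host."""
    nodes = build_topology()
    if add_return_route:
        nodes["mri_host"].routes.append((ipaddress.ip_network("10.99.0.0/24"),
                                         ipaddress.ip_address("192.168.192.253")))
    forward = trace(nodes, "vendor_host", "192.168.192.10")
    back = trace(nodes, "mri_host", "10.99.0.10")
    return forward, back


if __name__ == "__main__":
    for fix in (False, True):
        fwd, rev = check_design(fix)
        print(f"return route added: {fix}")
        print("  vendor -> MRI :", " -> ".join(fwd[0]), "delivered" if fwd[1] else "DROPPED")
        print("  MRI -> vendor :", " -> ".join(rev[0]), "delivered" if rev[1] else "DROPPED")
```

The first run shows the forward path working (vendor, Sonicwall, intermediate router, MRI host) while the reply leaves through the Cisco router and the Knology connection, because the MRI hosts' only gateway is 192.168.192.254; a packet-level test would look exactly like the port-forwarding-only behaviour described above, since only traffic the intermediate router has translated to its own address gets a reply back to it. The second run adds a route for the vendor subnet pointing at the intermediate router's MRI-side address, and both directions then complete. The same route can sit on the Cisco router instead of on each host if that router is allowed to redirect; either way it is the piece option 2 needs besides the static route on the Sonicwall.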