Solved

Connect to remote site through BOVPN tunnel between 2 Fireboxes (x550e and x750e) on same subnet

Posted on 2011-10-25
757 Views
Last Modified: 2012-06-27
I have 2 sites that I am trying to connect via a BOVPN tunnel between our 2 Fireboxes with the same trusted internal networks. Settings are:

Site A:
Firebox x750e Fireware 11.4.3
IP: 192.168.0.1
Network: 192.168.0.0/16

Site B:
Firebox x550e Fireware 11.4.3
IP: 192.168.0.2
Network: 192.168.0.0/16

Site A is our production environment and Site B is a Disaster Recovery Site. The tunnel is primarily set up to allow our production SAN (192.168.7.50) to replicate to the DR SAN (192.168.7.51). The replication is currently working locally but we are now moving it to the DR site. We have a PC set up on the DR side (192.168.7.11) as well.

I have configured the gateway and tunnel but the tunnel shows as inactive. I have tried various configurations, including enabling the 1-to-1 NAT on the tunnel, but still cannot get the 2 sides to communicate. I know this is because of the same internal network settings, because if I reconfigure the DR to use 10.0.0.0/16, the tunnel works fine. We need to have the same internal networking though.

Any ideas?
Question by:Jackson_Campbell
2 Comments
LVL 32

Accepted Solution

by:
dpk_wal earned 2000 total points
ID: 37029848
You cannot have the same IP subnet on either side of the tunnel; period.

Now, if it is not feasible to change the IP subnet on one end, we would configure NAT over IPSec: so, say, site A would do source NAT over IPSec and send all packets out as 172.16.x.x/16; site B would not need to do any NAT and would see the incoming traffic always from IP 172.16.x.x. In this case, IMO, this still does not solve your initial need that you MUST have the same IP subnets on both ends.

If you can do NAT over IPSec, you can very well change one site to 10.0.0.0/16, which you already know works.

Thank you.

Author Comment

by:Jackson_Campbell
ID: 37030456
I have it worked out. I set up 1-to-1 NAT on both sides of the tunnel.

SiteA:
Local - 192.168.0.0/16
Remote - 10.20.0.0/16
1-to-1 NAT - 10.10.0.0/16

SiteB:
Local - 192.168.0.0/16
Remote - 10.10.0.0/16
1-to-1 NAT - 10.20.0.0/16

I just have to reconfigure our replication settings so that our SAN on SiteA (192.168.7.50) communicates with the SAN on SiteB (192.168.7.51) using 10.20.7.51, and using 10.10.7.50 going the other way. This solves our issue of needing to keep the subnets intact on both sides, since only a simple replication configuration change is needed.

Thanks for the information!
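The accepted answer and the author's follow-up both rest on the same idea: when two tunnel endpoints share 192.168.0.0/16, each Firebox presents its LAN to the far side under a distinct 1-to-1 NAT range, and hosts address the far side by that NAT range instead of the real address. The script below is an added example, not code from the thread or from WatchGuard; it models the exact ranges posted above (SiteA NAT 10.10.0.0/16, SiteB NAT 10.20.0.0/16), walks one replication packet in each direction through both firewalls, and runs the sanity checks a practitioner would want before committing such a config (each side's Remote equals the other side's NAT range, NAT ranges overlap neither the real LAN nor each other, and ranges are the same size). The `TunnelSite` class, `walk_packet` and `validate` are illustrative names of this example only.

```python
"""Model of 1-to-1 NAT across a site-to-site IPSec tunnel whose two LANs
use the same subnet.  Added example; not the thread's or WatchGuard's code."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class TunnelSite:
    name: str
    local: ipaddress.IPv4Network   # real subnet behind this firewall
    nat: ipaddress.IPv4Network     # 1-to-1 NAT range this site shows over the tunnel
    remote: ipaddress.IPv4Network  # what this site is told the far side is


def make_site(name, local, nat, remote):
    """Build a TunnelSite from CIDR strings."""
    net = ipaddress.IPv4Network
    return TunnelSite(name, net(local), net(nat), net(remote))


# Values as posted in the author's working configuration.
SITE_A = make_site("SiteA", "192.168.0.0/16", "10.10.0.0/16", "10.20.0.0/16")
SITE_B = make_site("SiteB", "192.168.0.0/16", "10.20.0.0/16", "10.10.0.0/16")


def translate(addr, src_net, dst_net):
    """1-to-1 NAT: keep the host offset, swap the network part."""
    ip = ipaddress.IPv4Address(addr)
    if ip not in src_net:
        raise ValueError(f"{ip} is not in {src_net}")
    if src_net.prefixlen != dst_net.prefixlen:
        raise ValueError("1-to-1 NAT requires equal-sized ranges")
    offset = int(ip) - int(src_net.network_address)
    return ipaddress.IPv4Address(int(dst_net.network_address) + offset)


def validate(a, b):
    """Return a list of configuration problems (empty means consistent)."""
    problems = []
    if a.remote != b.nat or b.remote != a.nat:
        problems.append("each site's Remote must equal the other site's NAT range")
    for site in (a, b):
        if site.nat.overlaps(site.local) or site.nat.overlaps(site.remote):
            problems.append(f"{site.name}: NAT range overlaps its local or remote range")
        if site.nat.prefixlen != site.local.prefixlen:
            problems.append(f"{site.name}: NAT range size differs from local range")
    if a.nat.overlaps(b.nat):
        problems.append("the two NAT ranges must not overlap")
    return problems


def walk_packet(src_site, dst_site, src_real, dst_seen):
    """Follow a packet from a real host at src_site to the NAT address of a
    far host.  Returns ((src, dst) inside the tunnel, (src, dst) on the far LAN)."""
    dst = ipaddress.IPv4Address(dst_seen)
    if dst not in src_site.remote:
        # A destination in 192.168.0.0/16 matches the local LAN and never
        # enters the tunnel; this is why the SAN must target 10.20.7.51.
        raise ValueError(f"{dst} is not in {src_site.name}'s remote range")
    # Sending firewall: source NAT the real host into this site's NAT range.
    tunnel_src = translate(src_real, src_site.local, src_site.nat)
    # Receiving firewall: map the NAT destination back to the real host.
    lan_dst = translate(dst, dst_site.nat, dst_site.local)
    return (str(tunnel_src), str(dst)), (str(tunnel_src), str(lan_dst))


if __name__ == "__main__":
    print("config problems:", validate(SITE_A, SITE_B))
    print("A -> B:", walk_packet(SITE_A, SITE_B, "192.168.7.50", "10.20.7.51"))
    print("B -> A:", walk_packet(SITE_B, SITE_A, "192.168.7.51", "10.10.7.50"))
```

Running it shows the production SAN's traffic leaving SiteA as 10.10.7.50 → 10.20.7.51 and being delivered at SiteB as 10.10.7.50 → 192.168.7.51, so the DR SAN sees a peer at 10.10.7.50 and its replies follow the mirror path. Feeding the original failing setup (both sites with Remote and NAT equal to 192.168.0.0/16) to `validate` reports the overlaps that kept the tunnel from passing traffic.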
