Connect to remote site through BOVPN tunnel between 2 Fireboxes (x550e and x750e) on same subnet

Posted on 2011-10-25
Last Modified: 2012-06-27
I have 2 sites that I am trying to connect via a BOVPN tunnel between our 2 Fireboxes with the same trusted internal networks.  Settings are:
Site A:
Firebox x750e Fireware 11.4.3

Site B:
Firebox x550e Fireware 11.4.3

Site A is our production environment and Site B is a Disaster Recovery Site.  The tunnel is primarily set up to allow our production SAN ( to replicate to the DR SAN (  The replication is currently working locally but we are now moving it to the DR site.  We have a PC set up on the DR side (, as well.  

I have configured the gateway and tunnel but the tunnel shows as inactive.  I have tried various configurations, including enabling the 1to1 NAT on the tunnel but still cannot get the 2 sides to communicate.  I know this is because of being the same internal network settings b/c if I reconfigure the DR to use, the tunnel works fine.  We need to have the same internal networking though.  

Any ideas?
Question by:Jackson_Campbell
    Accepted Solution

    You cannot have same IP subnet on either side of the tunnel; period.

    Now if it is not feasible to change IP subnet on one end we would configure NAT over IPSec, so say site would do source NAT over IPSec and send all packets out as 172.16.x.x/16; site B would not need to do any NAT and would see the incoming traffic always from IP 172.16.x.x. This case IMO still does not solve your initial need that you MUST have same IP subnets on both ends.

    If you can do NAT over IPSec, you can very well change one site to as you know already works.

    Thank you.

    Author Comment

    I have it worked out.  I set up 1to1 NAT on both sides of the tunnel.
    Local -
    Remote -
    1to1 NAT -
    Local -
    Remote -
    1to1 NAT -

    I just have to reconfigure our replication settings so that our SAN on SiteA ( communicates with the SAN on SiteB ( using and using going the other way.  This solves our issue of needing to keep the subnets intact on both sides since just a simple replication configuration change is needed.

    Thanks for the information!
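To make the accepted fix concrete (1-to-1 NAT on both Fireboxes so each site sees the other under a distinct range while the overlapping trusted subnets stay intact), here is an added Python model that is not from the thread or from WatchGuard; the subnets and NAT ranges are constructed because the thread's addresses are not shown on this page:

```python
import ipaddress

# Constructed values (the post's real addresses are not on the page):
# both sites keep the same trusted subnet; each side advertises its own
# 1-to-1 NAT range through the BOVPN tunnel.
SITE_A_LOCAL = ipaddress.ip_network("192.168.1.0/24")
SITE_B_LOCAL = ipaddress.ip_network("192.168.1.0/24")
SITE_A_NAT = ipaddress.ip_network("10.1.1.0/24")   # how Site A appears to Site B
SITE_B_NAT = ipaddress.ip_network("10.2.2.0/24")   # how Site B appears to Site A


def subnets_overlap(a, b):
    """True when the two tunnel endpoints' local subnets collide, which is
    exactly the case the tunnel cannot route without NAT."""
    return a.overlaps(b)


def one_to_one(addr, real_net, nat_net):
    """1-to-1 NAT: map a host in real_net to the same host offset in nat_net."""
    addr = ipaddress.ip_address(addr)
    if addr not in real_net:
        raise ValueError(f"{addr} is not in {real_net}")
    if real_net.prefixlen != nat_net.prefixlen:
        raise ValueError("1-to-1 NAT needs equal-sized ranges")
    offset = int(addr) - int(real_net.network_address)
    return ipaddress.ip_address(int(nat_net.network_address) + offset)


def tunnel_packet(src_host, dst_nat_host):
    """Follow a packet from a Site A host to a Site B host that Site A
    addresses by its NAT address (the replication reconfiguration in the
    thread). Returns (source as seen at Site B, real destination at Site B)."""
    # Site A Firebox: source 1-to-1 NAT before the packet enters the tunnel
    src_seen_by_b = one_to_one(src_host, SITE_A_LOCAL, SITE_A_NAT)
    # Site B Firebox: destination 1-to-1 NAT after the packet leaves the tunnel
    real_dst = one_to_one(dst_nat_host, SITE_B_NAT, SITE_B_LOCAL)
    return str(src_seen_by_b), str(real_dst)


if __name__ == "__main__":
    print("overlap:", subnets_overlap(SITE_A_LOCAL, SITE_B_LOCAL))
    print(tunnel_packet("192.168.1.10", "10.2.2.20"))
```

The return path works the same way with the ranges swapped, which is why each SAN must be told the other's NAT address rather than its real one.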
