SrikantRajeev
asked on
Network Connectivity between 2 Companies
We are planning to connect 2 different group companies using IPSec VPN. The purpose of this is to have certain servers in both the companies to communicate with each other.
Both companies use private IP addresses, which can lead to network conflicts. We don't want to use NAT.
What is the best practice & design to have the network established. Mainly want to understand how to avoid IP Network Segment IP conflict.
Hi Rajeev
Best practise is always the same - minimum possible access required to work.
If the servers need to communicate with each other, determine the source/destination IP addresses and TCP or UDP port requirements, and lock down the communication channel to just those ports and IP addresses.
The issue may be access authentication; if both sites use Active Directory, access to resources is controlled by user policies. In order to use the resources, you often need to be IN the AD domain, or your domain must be "trusted" by the other. This entails the domain controllers being able to communicate with each other. In this case NAT will stop the communication channel functioning properly.
If you can communicate in different ways, for example SMTP for email and FTP for file transfers, then the AD integration will not be required and NAT will be fine.
Short answer - if you have the same subnet at each end, the VPN will only work with GRE tunnels and will give you nothing but grief; if the servers overlap IP addresses, just forget it.
Hi There,
Kindly confirm if the same private subnets are used at both the locations?
ASKER
Thanks.
I will require AD servers to communicate with each other; no, NAT is ruled out.
My thought is as below.
- Use a segment which is not used by all my group companies.
- In my DC, in the DMZ, I will be hosting a segment 10.10.10.0/24 which is not used by any of my group companies.
Similarly, each group company will have segments like the ones below, which will not be used anywhere else:
e.g. 20.20.20.0/24 & 30.30.30.0/24
Only these segments will be communicating with each other.
Let me know if there are any other solutions to it.
We don't want to use NAT.
NAT exempt is still NAT. You will have to use it in one form or another.
Twice NAT is not that bad to set up if you have overlapping network segments. Another option is to use public IP addresses for VPN traffic.
If you have non-overlapping networks, set up an IPsec tunnel, do NAT exempt and configure ACLs.
ASKER CERTIFIED SOLUTION
ASKER
Thanks
Simplest would be to e.g. use 192.168.0.0/16 on one side and 10.10.0.0/16 on the other side.
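The design rule running through this thread (dedicated, globally unique peering segments per company, everything else kept out of the tunnel, no NAT) is easy to get wrong once several group companies each bring their own address plan. The script below is an added example, not code from any participant: it takes a constructed address plan (the company names and prefixes are made up, not the asker's real networks) and reports which overlaps are fatal (anything touching a peering segment), which are tolerable (internal ranges that collide but never enter the tunnel), which prefixes are not actually private space (the thread's 20.20.20.0/24 and 30.30.30.0/24 examples are public ranges), and the only source/destination pairs the IPsec traffic selectors and ACLs should permit.

```python
from ipaddress import ip_network
from itertools import combinations

# Constructed sample address plans (not the networks of the companies in the
# thread): each company's internal ranges plus the segment it proposes to
# expose through the IPsec tunnel. BAD_PLAN has CompanyB's internal
# 10.10.0.0/16 swallowing CompanyA's peering segment; GOOD_PLAN fixes that.
BAD_PLAN = {
    "CompanyA": {"internal": ["192.168.0.0/16", "10.1.0.0/16"], "peering": "10.10.10.0/24"},
    "CompanyB": {"internal": ["192.168.0.0/16", "10.10.0.0/16"], "peering": "10.10.20.0/24"},
}
GOOD_PLAN = {
    "CompanyA": {"internal": ["192.168.0.0/16", "10.1.0.0/16"], "peering": "10.10.10.0/24"},
    "CompanyB": {"internal": ["192.168.0.0/16", "10.20.0.0/16"], "peering": "10.10.20.0/24"},
}


def _entries(plan):
    """Flatten a plan into (company, role, network) tuples."""
    out = []
    for company, ranges in plan.items():
        for cidr in ranges["internal"]:
            out.append((company, "internal", ip_network(cidr)))
        out.append((company, "peering", ip_network(ranges["peering"])))
    return out


def peering_conflicts(plan):
    """Every overlap that involves a peering segment, including a company's own
    internal range. These are fatal: the segment exposed over the VPN must be
    unique across all participants or routing breaks without NAT."""
    hits = []
    for (c1, r1, n1), (c2, r2, n2) in combinations(_entries(plan), 2):
        if "peering" in (r1, r2) and n1.overlaps(n2):
            hits.append((c1, str(n1), c2, str(n2)))
    return hits


def internal_overlaps(plan):
    """Overlaps between different companies' internal ranges. Tolerable as
    long as those ranges stay out of the tunnel's traffic selectors and ACLs."""
    hits = []
    for (c1, r1, n1), (c2, r2, n2) in combinations(_entries(plan), 2):
        if r1 == r2 == "internal" and c1 != c2 and n1.overlaps(n2):
            hits.append((c1, str(n1), c2, str(n2)))
    return hits


def non_private(plan):
    """Prefixes that are not private address space (squatting on someone
    else's public range makes those Internet hosts unreachable)."""
    return [str(n) for _, _, n in _entries(plan) if not n.is_private]


def tunnel_selectors(plan):
    """The only src/dst prefix pairs that should count as 'interesting traffic'
    for the IPsec SAs and be permitted by the firewall ACLs."""
    peers = [(c, ip_network(r["peering"])) for c, r in plan.items()]
    return [(str(a), str(b)) for (_, a), (_, b) in combinations(peers, 2)]


def validate(plan):
    """True if the plan can be deployed over the tunnel without any NAT."""
    return not peering_conflicts(plan) and not non_private(plan)


if __name__ == "__main__":
    for name, plan in (("bad", BAD_PLAN), ("good", GOOD_PLAN)):
        print(name, "fatal peering conflicts:", peering_conflicts(plan))
        print(name, "internal overlaps (keep out of tunnel):", internal_overlaps(plan))
        print(name, "selectors:", tunnel_selectors(plan), "deployable:", validate(plan))
```

Running it shows the bad plan failing on 10.10.10.0/24 versus 10.10.0.0/16 and the good plan passing even though both companies still use 192.168.0.0/16 internally, which is exactly the asker's intent: only the dedicated segments ride the tunnel, so the internal collision never matters. Pairing the output of `tunnel_selectors` with the specific TCP/UDP ports the servers need gives the locked-down ACL the first answer recommends.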