shugonaka

asked on

Link the same IP subnet/VLAN over Firewall Transit

Hello, I would like to hear the experts' opinion/recommendation on establishing communication between subnets with the same IP range on two separate networks. Both networks are physically separated but can be connected with a firewall transit. Network #1 has a security camera system and I want to extend it to Network #2. The security camera system subnet is 192.168.20.0/24 and is VLAN20 on Network #1. I created the same subnet and VLAN on Network #2, thinking that would be all I needed. However, having the firewall transit in between, I figure it's not that simple. I assume a typical solution would be using a different subnet range and VLAN with a static route to route the traffic between the networks, but I wanted to check if it's possible somehow to establish communication between the systems while staying on the same subnet and VLAN over the firewall transit. Thanks in advance for any comments.
Christian KAZADi

Hello,

Before using the GW, the computer will first check its own route table; if the IP matches its own network, the computer will never send the packets to the GW.

I have never tried it before, but theoretically the answer should be NO.

By doing that, what is your final goal?
Is the firewall in Layer 3 or transparent/bridged mode? That is the factor that determines whether you can stretch the VLAN or not.
noci

If this is a routed connection (L3 network) it will NOT work. Even if you NAT on both sides there will be trouble with some protocols like RPC / SIP family protocols, which also communicate network addresses inside the payload. ALGs should have got that part, except most are implemented incorrectly, so those are mostly useless.

If this is an extended VLAN (L2 network), then ensure there are no duplicate addresses: the router on one end should be x.x.x.1 and on the other end it should be x.x.x.2, for example. Also, DHCP might cause issues here.
To make a connection between two places that are both using the same IP range, you use a Bridge. To use a different IP range you use a Router. Both of those can operate over a VPN; however, if at all possible you will want to lean on the Router concept and use a different range. This will save you unnecessary traffic and confusion, especially when there are broadcast packets. And if you have any other subnets at each site, traffic and routes potentially will get really messy.

If for some reason you need to keep everything in 192.168.20.x, you could do 192.168.20.0/25 instead of /24. Then one network would have the 192.168.20.0-127 addresses and the other the 192.168.20.128-255 addresses, with .127 and .255 being the broadcast addresses for their respective networks. Granted, you may still have some places needing static routes defined, but it might help.
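The on-link check described above (a host consults its own connected route before it ever sends to the gateway) is what decides whether the /24-at-both-sites design can work and why the /25 split does. The following is an added illustration, not code from the thread or from any product mentioned in it; the camera and gateway addresses are constructed for the example.

```python
"""Added example (not from the thread): simulate a host's first forwarding
decision, "is the destination on my own link?", for two designs:

  * both sites use 192.168.20.0/24 (the overlapping layout the asker built)
  * the /25 split proposed above (192.168.20.0/25 and 192.168.20.128/25)

All host and gateway addresses below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    name: str
    iface: ipaddress.IPv4Interface      # address plus prefix, e.g. 192.168.20.130/25
    gateway: ipaddress.IPv4Address


def next_hop(host: Host, dst: ipaddress.IPv4Address) -> str:
    """Return 'on-link' if the host will resolve dst with ARP on its own segment,
    otherwise the gateway address it forwards the packet to. This mirrors the
    rule that a connected route always wins over the default gateway."""
    if dst in host.iface.network:
        return "on-link"
    return str(host.gateway)


def compare_designs() -> dict:
    server = ipaddress.IPv4Address("192.168.20.10")   # camera server at Network #1

    # Design A: the same /24 at both sites. The Network #2 camera believes the
    # server shares its segment, ARPs locally, and never hands the packet to
    # its gateway, so a routed transit between the sites is never used.
    cam_same_24 = Host("cam-net2",
                       ipaddress.IPv4Interface("192.168.20.130/24"),
                       ipaddress.IPv4Address("192.168.20.1"))

    # Design B: the /25 split. The server is in the low half and the Network #2
    # camera in the high half, so the camera forwards through its own gateway
    # and the transit can route between the two halves.
    cam_split_25 = Host("cam-net2",
                        ipaddress.IPv4Interface("192.168.20.130/25"),
                        ipaddress.IPv4Address("192.168.20.129"))

    return {
        "same_24": next_hop(cam_same_24, server),
        "split_25": next_hop(cam_split_25, server),
    }


def split_25() -> list:
    """The two /25 halves of 192.168.20.0/24 with their broadcast addresses."""
    net = ipaddress.IPv4Network("192.168.20.0/24")
    return [(str(h), str(h.broadcast_address)) for h in net.subnets(new_prefix=25)]


if __name__ == "__main__":
    print(compare_designs())   # {'same_24': 'on-link', 'split_25': '192.168.20.129'}
    print(split_25())          # [('192.168.20.0/25', '192.168.20.127'), ('192.168.20.128/25', '192.168.20.255')]
```

Note that the /25 split only works if every device at each site is reconfigured with the /25 mask; a camera left on /24 in the high half will still treat the whole 192.168.20.x range as on-link and silently fail to reach the server.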

ASKER

Thanks all for the comments. It sounds like using the same IP range is a no-go, or brings unnecessary mess at best.

The firewall on Network #1 is a Cisco ASA 5505 and on Network #2 a 5506-X. There is a Cisco WS-C3650 behind the 5505 and a WS-C2960 behind the 5506-X, and there are multiple VLANs behind each switch. The 3650 runs as L3 and does the routing for Network #1. The 5506-X does the inter-VLAN routing for Network #2.

The Camera system server and a number of cameras currently sit on Network #1. My goal is to add cameras on Network #2 and have them communicate with the server.

So, would it be the best option to use a new IP range and VLAN on Network #2, and use a static route on the 5506-x to point to 192.168.20.x?
That is exactly what I would do for the camera network, assuming you have your ASAs connected via IPsec or another VPN.
The two networks are in the same building and I can physically connect their firewall with copper cable to make a firewall transit. This is essentially the same as having VPN between the networks correct?

Alternatively, I could run copper between the switches and allow only VLAN20 (192.168.20.0/24) for the camera-server communication. Would this cause any issues (routing, broadcast, etc.) or have security concerns?
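For the routed option discussed above (a new camera VLAN at Network #2 plus a static route on the 5506-X pointing at 192.168.20.0/24 over the transit link), the check a practitioner wants is that the path resolves in both directions: the 5505 side also needs a route back to the new Network #2 VLAN, or replies follow the 5505's default route instead. The block below is an added example, not code from the thread or from Cisco; it performs a plain longest-prefix-match lookup over constructed route tables. The transit subnet 10.255.0.0/30, the new camera VLAN 192.168.21.0/24, the 3650's address 192.168.1.2 and the outside next hops are all assumed values chosen for illustration.

```python
"""Added example (not from the thread): longest-prefix-match lookups over
constructed route tables for the two ASAs, checking that the routed design
(new camera VLAN at Network #2, static route on the 5506-X toward
192.168.20.0/24 via the transit link) resolves in both directions.

Assumed, constructed addressing:
  transit link between the ASAs : 10.255.0.0/30 (5505 = .1, 5506-X = .2)
  new camera VLAN at Network #2 : 192.168.21.0/24, connected to the 5506-X
  Network #1 inside             : 192.168.1.0/24, L3 3650 at 192.168.1.2
"""
import ipaddress
from typing import List, NamedTuple, Optional


class Route(NamedTuple):
    prefix: ipaddress.IPv4Network
    next_hop: Optional[str]      # None for a directly connected network
    interface: str


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Classic longest-prefix match: the most specific matching prefix wins."""
    addr = ipaddress.IPv4Address(dst)
    best = None
    for r in table:
        if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def build_tables(reverse_route: bool = True):
    net = ipaddress.IPv4Network
    asa5506 = [
        Route(net("192.168.21.0/24"), None, "cameras"),            # connected: new camera VLAN
        Route(net("10.255.0.0/30"), None, "transit"),              # connected: link to the 5505
        Route(net("192.168.20.0/24"), "10.255.0.1", "transit"),    # the static route from the question
        Route(net("0.0.0.0/0"), "203.0.113.1", "outside"),         # assumed default route
    ]
    asa5505 = [
        Route(net("10.255.0.0/30"), None, "transit"),
        Route(net("192.168.1.0/24"), None, "inside"),
        Route(net("192.168.20.0/24"), "192.168.1.2", "inside"),    # camera VLAN lives behind the L3 3650
        Route(net("0.0.0.0/0"), "198.51.100.1", "outside"),        # assumed default route
    ]
    if reverse_route:
        # The route the 5505 needs in order to send replies back across the transit.
        asa5505.append(Route(net("192.168.21.0/24"), "10.255.0.2", "transit"))
    return asa5506, asa5505


def path_check(reverse_route: bool = True) -> dict:
    """Resolve one camera-to-server flow and the server's reply."""
    asa5506, asa5505 = build_tables(reverse_route)
    fwd = lookup(asa5506, "192.168.20.10")    # camera at Network #2 -> server at Network #1
    rev = lookup(asa5505, "192.168.21.50")    # server reply, as seen by the 5505
    return {
        "forward_via": fwd.next_hop, "forward_iface": fwd.interface,
        "reverse_via": rev.next_hop, "reverse_iface": rev.interface,
    }


if __name__ == "__main__":
    print(path_check())                    # reverse goes back out 'transit' via 10.255.0.2
    print(path_check(reverse_route=False))  # reverse falls to the default route on 'outside'
```

The same reverse-path requirement applies one hop further in: the 3650, which routes for Network #1, must also know that 192.168.21.0/24 is reached via the 5505 (or have a default route pointing there). Separately from routing, the access policy on both ASAs should permit only the camera-to-server flows across the transit interface rather than any-to-any, so the transit does not become a general bridge between the two networks.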
ASKER CERTIFIED SOLUTION
Kent Keller

Thank you all for your help!