I recently had an opportunity to set up something that I’ve never configured before: a site-to-site VPN with a vendor into a network that used the same IP scheme as one of the vendor’s subnets. Normally the IPs on either side of the tunnel are different. In this case the vendor already had a subnet in their network with the same IP address range as our internal subnet, so we couldn’t simply build a tunnel between the two sides: neither side would route the traffic to the other, because both would think the traffic was local.
We decided that we would mask my client’s internal subnet to some other range so that the internal subnet wouldn’t interfere with the subnet that the vendor had internally.
Let me break this down into numbers that make some sense:
- Our local subnet was 192.168.1.0/24
- The Vendor’s subnet was 10.0.0.0/24 (but they also had a 192.168.1.0/24 subnet in their network, which is why this would not work: our traffic would get to them, but the replies wouldn’t make it back out over the VPN)
- We decided that we would mask our 192.168.1.0/24 subnet as 192.168.254.0/24
Here is how the router was set up:
First we needed to make some Address Objects in the Sonicwall
1) Expand “Network” in the Sonicwall’s left hand pane
2) Click on “Address Objects”, and Create the following Address Objects:
- Name: Vendor Network, Zone: VPN, Network: 10.0.0.0, Netmask: 255.255.255.0
- Name: Local Network, Zone: LAN, Network: 192.168.1.0, Netmask: 255.255.255.0
- Name: Masked Local Network, Zone: VPN, Network: 192.168.254.0, Netmask: 255.255.255.0
Next we need to build the VPN Tunnel
1) Expand “VPN” in the Sonicwall’s left hand pane
2) Click on “Add…” to create a new VPN
3) Fill in a Name, IPSec Primary Gateway, Shared Secret and then click the “Network” tab
4) Under the Section “Local Networks” select “Local Network” from the drop down list
5) Under the Section “Remote Networks” select “Vendor Network” from the drop down list, and then click on the “Advanced” tab
6) Select the box for “Keep Alive” and the box for “Apply NAT Policies”
7) Change “Translated Local Network:” to “Masked Local Network” using the drop down selection box
8) Change “Translated Remote Network:” to “Original” using the drop down selection box and press OK (note: we did not go over the Proposals tab because it’s not relevant to this configuration)
Finally we’ll need to set up some one-to-one NAT rules to allow traffic from our vendor to our desired server(s). Note: this section may not be needed. When I configured this we were actually bringing 3 different subnets into the tunnel using just a single masked subnet, so I ended up needing to do this; if you’re only using a single subnet on each side you may not need it, so check that the tunnel is routing traffic properly before moving forward with these steps.
1) Expand “Network” in the Sonicwall’s left hand pane
2) Click on “NAT Policies” in the Sonicwall’s left hand pane
3) Here is where things can get a little tricky: we need to make a rule for each object that needs to be accessed from the vendor’s subnet. Let’s assume it’s only our one server, which happens to be 192.168.1.10. If you’ve got more than one server, create one rule per server.
4) Click “Add…” to start a new NAT rule and enter the following:
- Original Source: Vendor Network
- Translated Source: Original
- Original Destination: 192.168.254.10 (remember this is coming FROM the vendor to the Masked Address)
- Translated destination: 192.168.1.10
- Original Service: Any
- Translated Service: Original
Once this rule is created your vendor should be able to reach your server at 192.168.1.10 by using the IP address 192.168.254.10.
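To make the address flow concrete, here is an added Python model of the three pieces above (this is illustration code written for this page, not something from the post or a SonicWall tool): the route decision that breaks when both sides share 192.168.1.0/24, the non-overlap check you want to run on a candidate masked range before committing to it, and the two translations the tunnel applies (the “Translated Local Network” setting on the reply path, the one-to-one NAT policy on the inbound path). The vendor host 10.0.0.5 and the packet tuples are constructed for the example. It generalizes the single 192.168.254.10 → 192.168.1.10 rule to a host-for-host mapping across the whole /24, which is what the network-to-network translation does for the outbound direction.

```python
"""Model of NAT over a site-to-site VPN with overlapping subnets.

Example code added to this page; not the post's own configuration and not a
SonicWall API. Addresses are the ones the post uses; hosts and packets are
constructed for illustration.
"""
from ipaddress import ip_address, ip_network

LOCAL_NET = ip_network("192.168.1.0/24")      # "Local Network" address object
MASKED_NET = ip_network("192.168.254.0/24")   # "Masked Local Network" object
VENDOR_NET = ip_network("10.0.0.0/24")        # "Vendor Network" object
VENDOR_OTHER = ip_network("192.168.1.0/24")   # the vendor's own overlapping subnet


def next_hop(dst, local_prefixes, vpn_prefixes):
    """Router forwarding decision: a destination inside a directly connected
    subnet stays local and never enters the tunnel, which is exactly why the
    vendor's replies to 192.168.1.x never came back over the VPN."""
    dst = ip_address(dst)
    if any(dst in p for p in local_prefixes):
        return "local"
    if any(dst in p for p in vpn_prefixes):
        return "vpn"
    return "drop"


def check_masked_range(masked, *in_use):
    """Return every in-use prefix the candidate masked range collides with.
    An empty list means the range is safe to use for translation."""
    return [str(p) for p in in_use if masked.overlaps(p)]


def translate_host(addr, src_net, dst_net):
    """One-to-one mapping of the host part between two same-size prefixes.
    Addresses outside src_net are returned unchanged ('Original')."""
    addr = ip_address(addr)
    if addr not in src_net or src_net.prefixlen != dst_net.prefixlen:
        return addr
    offset = int(addr) - int(src_net.network_address)
    return ip_address(int(dst_net.network_address) + offset)


def vendor_to_server(src, dst):
    """Inbound packet from the vendor after decryption: 'Translated Remote
    Network: Original' leaves the source alone; the NAT policy rewrites the
    masked destination to the real server (192.168.254.10 -> 192.168.1.10)."""
    return str(src), str(translate_host(dst, MASKED_NET, LOCAL_NET))


def server_to_vendor(src, dst):
    """Reply path before encryption: 'Translated Local Network: Masked Local
    Network' rewrites the real source to its masked address; the destination
    (a 10.0.0.0/24 host) is kept, so the vendor sees a consistent 5-tuple."""
    return str(translate_host(src, LOCAL_NET, MASKED_NET)), str(dst)


def walkthrough():
    """Trace one request/reply pair end to end, as seen at the tunnel."""
    # Vendor host (constructed) talks to the masked address of our server.
    inbound = vendor_to_server("10.0.0.5", "192.168.254.10")
    # Our server answers the vendor host; the source is masked on the way out.
    outbound = server_to_vendor("192.168.1.10", "10.0.0.5")
    return {"inbound": inbound, "outbound": outbound}


if __name__ == "__main__":
    # Without masking, the vendor router keeps 192.168.1.10 on its own LAN.
    print("vendor routes 192.168.1.10 via:",
          next_hop("192.168.1.10", [VENDOR_NET, VENDOR_OTHER], [LOCAL_NET]))
    # With masking, 192.168.254.10 matches only the VPN prefix.
    print("vendor routes 192.168.254.10 via:",
          next_hop("192.168.254.10", [VENDOR_NET, VENDOR_OTHER], [MASKED_NET]))
    print("masked range collisions:",
          check_masked_range(MASKED_NET, LOCAL_NET, VENDOR_NET, VENDOR_OTHER))
    print(walkthrough())
```

Run `check_masked_range` against every prefix both sides route, not just the ones in the tunnel; the post's failure mode was a subnet on the vendor side that never appeared in the VPN configuration at all.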
This is a confusing configuration, so email me if you have any questions, and good luck.