02-09-2010 06:27 AM
Hello,
We need to set up a VPN from London to our Milan office, however we have got the same IP ranges on each side of the tunnel. Milan users only need to access London servers, London users do not need to access Milan servers.
Please see the simple attached diagram. We don't manage the Milan VPN/firewall (SonicWall).
What can we do to get round this, please?
02-09-2010 06:55 AM
You can NAT one side before sending data across the tunnel. Here's a configuration guide-
Hope that helps.
02-09-2010 07:26 AM
This is my exact same problem, but I need to implement the solution on a Cisco 881 - some of the commands are different, most notably the 'static (inside,outside) ...' command - what would be the equivalent for the 881?
02-09-2010 08:09 AM
I assumed you had ASAs since your diagram showed firewalls. Anyway, here's a link on how to do it with routers.
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800b07ed.shtml
02-12-2010 01:50 AM
Hi Collin,
It's probably my bad network drawing skills: London is an ASA and Milan is a SonicWall. The SonicWall is not managed by me, and the people in Milan don't know how to use it, so they have to get someone in, costing money. Is there any way I can control this all from my ASA? They (only 5 users) only need to access servers on the inside of my ASA in London.
In theory I was thinking: if we created a VPN from London to Milan where the SAs were 2 different subnets we don't use, that way phase 1 and phase 2 will complete, and then we have to fix the NAT or PAT?
E.g. the subnets that clash are all in the 192.168.x.x/24 range (some clash, some don't - messy), so the SAs could be:
Milan - 172.16.1.0/24
London - 172.16.2.0/24
I'm thinking if Milan only needs to come inbound to London, and they need to get to a server in London on IP 192.168.21.1 (actual IP), then I could tell Milan it's on 172.16.1.10, so the traffic comes over the VPN to London, which sees a request for 172.16.1.10, which NATs to 192.168.21.1.
Apologies if I'm sounding basic.
02-12-2010 09:10 AM
I may be off here, but your theory is exactly what you want to do, but you really only do it on one side. Unfortunately there is a caveat in this scenario (at least with Cisco equipment). The tunnel can only be established from one side. By that I mean Milan can send interesting traffic to London and the tunnel will be built. If the tunnel is down and London wants to connect to Milan, the tunnel will never be built. This doesn't fit well since you have no control over Milan and it's a SonicWall. Would it be easier/cheaper to re-address Milan?
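A way to sanity-check the addressing plan discussed in the posts above before touching either firewall (an added example, not part of the original thread and not Cisco or SonicWall configuration). The alias ranges are the ones proposed in the thread; the real subnets, the `PLAN` table and all function names are constructed for illustration, and the script assumes the tunnel selectors are exactly the two alias ranges.

```python
import ipaddress as ip

# Alias ranges from the thread; the real subnets below are constructed samples.
LONDON_ALIAS = ip.ip_network("172.16.2.0/24")
MILAN_ALIAS = ip.ip_network("172.16.1.0/24")
LONDON_REAL = [ip.ip_network(n) for n in ("192.168.21.0/24", "192.168.30.0/24")]
MILAN_REAL = [ip.ip_network(n) for n in ("192.168.21.0/24", "192.168.40.0/24")]


def clashes(side_a, side_b):
    """Return every (a, b) pair of subnets that overlap across the tunnel."""
    return [(a, b) for a in side_a for b in side_b if a.overlaps(b)]


def validate_plan(static_map):
    """Check a {alias_ip: real_ip} static NAT table; return a list of problems."""
    problems = []
    for alias_net in (LONDON_ALIAS, MILAN_ALIAS):
        for real in LONDON_REAL + MILAN_REAL:
            if alias_net.overlaps(real):
                problems.append(f"alias range {alias_net} overlaps real subnet {real}")
    if LONDON_ALIAS.overlaps(MILAN_ALIAS):
        problems.append("the two alias ranges overlap each other")
    seen_real = set()
    for alias, real in static_map.items():
        a, r = ip.ip_address(alias), ip.ip_address(real)
        if a not in LONDON_ALIAS:
            problems.append(f"{a} is outside {LONDON_ALIAS}, so it misses the tunnel selectors")
        if not any(r in net for net in LONDON_REAL):
            problems.append(f"{r} is not a London server address")
        if r in seen_real:
            problems.append(f"{r} is published under more than one alias")
        seen_real.add(r)
    return problems


def untranslate(dst, static_map):
    """Model London's inbound step: alias -> real address, or None (no mapping)."""
    real = static_map.get(str(ip.ip_address(dst)))
    return ip.ip_address(real) if real else None


# Constructed mapping: the London server from the thread under a London alias.
PLAN = {"172.16.2.10": "192.168.21.1"}

if __name__ == "__main__":
    print("clashing subnets:", clashes(LONDON_REAL, MILAN_REAL))
    print("plan problems:", validate_plan(PLAN) or "none")
    print("172.16.2.10 ->", untranslate("172.16.2.10", PLAN))
```

Only addresses listed in the table are reachable from the remote side, which keeps the exposure limited to the servers Milan actually needs.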
02-13-2010 08:18 AM
I see what you mean. They (Milan) will be adding a couple of our routers to their ICMP polling servers to check the VPN is up; this should help, I guess, in the short term?