How can I configure a Site to Site VPN with multiple network overlaps (NAT over VPN)?

Description

This article will guide you through the process of configuring the SonicWall to translate multiple networks for use across a Site to Site VPN.

NOTE: Due to the way this is processed, the same application can be completed for a Tunnel Interface (Route Based VPN).

Below is a diagram that will be used as an example case throughout this article as a guide to help establish the concept.

EXAMPLE: As seen in the example, the two sites share the internal networks of 192.168.168.0/24 and 192.168.1.0/24. As a result they will be translated on both ends to ensure there are no overlaps of networks coming across the tunnel. Doing so, we will be establishing the VPN by negotiating the tunnel with the 10.168.168.0/24, 10.168.1.0/24, 10.168.169.0/24, and 10.168.2.0/24 networks.

TIP: If you are trying to set up a Site to Site VPN with a single network translation, the SonicWall has a built-in feature for this. See How to Configure NAT over VPN in a Site to Site VPN for more information on how to configure this.

Resolution

NOTE: The Site A configuration here is based on firmware SonicOS 6.2 and below, and the Site B configuration is based on firmware SonicOS 6.5 and later. Based on what firmware you are on, please configure accordingly.

Site A Configuration

  1. Log in to the SonicWall with your admin account.
  2. Navigate to Network | Address Objects.
  3. Click Add at the bottom of the screen and create the address objects for the Local site networks (if they do not exist), the translations of the local site networks, and the translations of the remote site's networks.  You should have a minimum of 6 address objects (more if you are translating for more than 2 network overlaps).

    EXAMPLE: In the Example below, we are configuring the SonicWall Appliance as though we are at Site A (Chicago).


  4. Access the Address Groups tab and click Add... at the bottom of the screen to create new groups for the Translated Local Networks and the Translated Remote Networks.

  5. Navigate to Network | NAT Policies.
  6. Click Add at the bottom of the page to create new NAT policies for each of the local networks needing to be translated.

    NOTE: While our example only has two networks being translated, your network may require more NAT Policies than what we display below.

     The format for the NAT policies will be as follows:
    Outbound NAT policy
    Original Source: Local Network
    Translated Source: Local Network Translation
    Original Destination: Remote Network Translation (Group)
    Translated Destination: Original

    Inbound NAT policy
    Original Source: Remote Network Translation (Group)
    Translated Source: Original
    Original Destination: Local Network Translation
    Translated Destination: Local Network

    EXAMPLE: Screenshots included below for our examples of the 2 Inbound and 2 Outbound NAT policies needed for the case study.


  7. Navigate to VPN | Settings.
  8. Click Add to create your new VPN.
  9. On the General tab, fill in the Name, IPSec Primary Gateway Name or Address and Shared Secret fields.

  10. On the Network Tab, select the Local Translated Address Group in the Choose local network from list field and select the Remote Translated Address Group in the Choose destination network from list field.

  11. On the Proposals tab, select the preferred settings for Exchange, DH Group, Encryption, Authentication, Life Time (seconds), Protocol, and Enable Perfect Forward Secrecy.

  12. Make the appropriate adjustments on the Advanced tab as necessary.

    NOTE: Ensure at least one side of the VPN has keepalive enabled to keep the tunnel active.

  13. Click OK.
  14. Confirm that the VPN is active by seeing a green circle appear next to each of the network destinations on the VPN | Settings page.

    NOTE: You may need to refresh the page for the settings to take effect.  This can also be tested with a ping from local to remote or remote to local.


Site B Configuration

  1. Log in to the SonicWall with your admin account.
  2. Click Manage in the top navigation menu.
  3. Navigate to Objects | Address Objects.
  4. Click Add at the top of the screen and create the Address Objects for the Local site networks (if they do not exist), the translations of the local site networks, and the translations of the remote site's networks.  You should have a minimum of 6 address objects (more if you are translating for more than 2 network overlaps).

    EXAMPLE: In the Example below, we are configuring the SonicWall Appliance as though we are at Site B (San Jose).


  5. Access the Address Groups Tab and click Add at the top of the screen to create new groups for the Translated Local Networks and the Translated Remote Networks.

  6. Navigate to Rules | NAT Policies.
  7. Click Add at the bottom of the page to create new NAT policies for each of the local networks needing to be translated.

    NOTE: While our example only has two networks being translated, your network may require more NAT Policies than what we display below.

     The format for the NAT policies will be as follows:
    Outbound NAT policy
    Original Source: Local Network
    Translated Source: Local Network Translation
    Original Destination: Remote Network Translation (Group)
    Translated Destination: Original

    Inbound NAT policy
    Original Source: Remote Network Translation (Group)
    Translated Source: Original
    Original Destination: Local Network Translation
    Translated Destination: Local Network

    EXAMPLE: Screenshots included below for our examples of the 2 Inbound and 2 Outbound NAT policies needed for the case study.


  8. Navigate to VPN | Base Settings.
  9. Click ADD to create your new VPN.
  10. On the General tab, fill in the Name, IPSec Primary Gateway Name or Address and Shared Secret fields.

  11. On the Network Tab, select the Local Translated Address Group in the Choose local network from list field and select the Remote Translated Address Group in the Choose destination network from list field.
  12. On the Proposals tab, select the preferred settings for Exchange, DH Group, Encryption, Authentication, Life Time (seconds), Protocol, and Enable Perfect Forward Secrecy.

  13. Make the appropriate adjustments on the Advanced tab as necessary.

    NOTE: Ensure at least one side of the VPN has keepalive enabled to keep the tunnel active.

  14. Click OK.
  15. Confirm that the VPN is active by seeing a green circle appear next to each of the network destinations on the VPN | Settings page.

    NOTE: You may need to refresh the page for the settings to take effect.  This can also be tested with a ping from local to remote or remote to local.
