vurthin.blogg.se

Site to site vpn fortigate





This article describes configuring a site-to-site IPsec VPN in Central SNAT mode with overlapping subnets.

Consider two sites (head office and branch). The following configuration shows a site-to-site IPsec VPN based on the following criteria:

2) Overlapping networks. Both sites have the same LAN subnet 192.168.1.0/24.
3) In the head office firewall, Central SNAT is configured.
4) In the branch office firewall, policy-based NAT is configured.

As there is an overlapping network (192.168.1.0/24), the 10.10.1.0/24 subnet will be used for the head office and 10.10.2.0/24 for the branch.

Remote IP is the WAN IP of the branch office.
3) Create 2 static routes (Network -> Static Routes): one for the remote subnet 10.10.2.0/24 and another for blackhole.
4) Create 2 addresses (Policy & Object -> Addresses). The first address (head office original IP) is for the subnet 192.168.1.0/24 and the second is the branch office new subnet 10.10.2.0/24.
5) Create an IP pool (Policy & Object -> IP Pool) for the head office's new NATted subnet 10.10.1.0/24.
6) Create a Virtual IP (Policy & Object -> DNAT & Virtual IPs).
7) Create 2 firewall policies (Policy & Object -> Firewall Policy): one for outbound (head office to branch) and another for inbound (from branch to head office).
Inbound policy (from branch to head office):
8) Finally, create a Central SNAT policy (Policy & Object -> Central SNAT) for outbound traffic.
For inbound, the Virtual IP object 'Head-Office-New-IP-To-Original-IP' is created to perform DNAT; there is no need to add it to the inbound policy.

Remote IP is the WAN IP of the head office firewall.
3) Create 2 static routes (Network -> Static Routes): one for the remote subnet 10.10.1.0/24 and another for blackhole.
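The addressing plan above can be checked and traced offline. The script below is an added example, not part of the original article or of FortiOS: it assumes a host-preserving 1:1 mapping between each real and translated /24 (the article does not state the IP pool type) and a matching DNAT on the branch side, and the function names are hypothetical.

```python
import ipaddress as ip

# Subnets taken from the article.
REAL_LAN = ip.ip_network("192.168.1.0/24")  # real LAN used at both sites
HO_NAT = ip.ip_network("10.10.1.0/24")      # head office as seen by the branch
BR_NAT = ip.ip_network("10.10.2.0/24")      # branch as seen by the head office

def check_plan(real, *translated):
    """Return a list of problems that would break 1:1 subnet NAT."""
    problems = []
    nets = [real, *translated]
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{a} overlaps {b}")
    for t in translated:
        if t.prefixlen != real.prefixlen:
            problems.append(f"{t} cannot map 1:1 onto {real}")
    return problems

def remap(addr, src_net, dst_net):
    """Move addr from src_net to dst_net, keeping the host part (assumed 1:1)."""
    addr = ip.ip_address(addr)
    if addr not in src_net:
        raise ValueError(f"{addr} is not in {src_net}")
    offset = int(addr) - int(src_net.network_address)
    return dst_net.network_address + offset

def trace_ho_to_branch(ho_host, br_host_as_seen):
    """Follow (src, dst) of one packet from a head office host to a branch host."""
    hops = [("head office LAN", str(ip.ip_address(ho_host)), br_host_as_seen)]
    # Head office: Central SNAT rewrites the source out of the IP pool.
    src = remap(ho_host, REAL_LAN, HO_NAT)
    hops.append(("inside tunnel", str(src), br_host_as_seen))
    # Branch (assumed): DNAT restores the real destination on the branch LAN.
    dst = remap(br_host_as_seen, BR_NAT, REAL_LAN)
    hops.append(("branch LAN", str(src), str(dst)))
    return hops

if __name__ == "__main__":
    # Constructed sample hosts; any host offsets inside the /24s work.
    print(check_plan(REAL_LAN, HO_NAT, BR_NAT) or "plan OK")
    for hop in trace_ho_to_branch("192.168.1.50", "10.10.2.20"):
        print("%-16s src=%-14s dst=%s" % hop)
```

Inside the tunnel neither address belongs to 192.168.1.0/24, which is what lets each firewall route the traffic unambiguously.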






