
I've read several possible solutions so far but I am having difficulty applying my particular situation to the answers I have found.

I have a "hub and spoke" style VPN running between several locations and headquarters using a TZ-200 at the hub and TZ-105's at the remotes. The hub network is 192.168.27.0/24 and the spokes are 192.168.1.0/24 through 192.168.10.0/24.

I have established a remote office at 192.168.2.0/24 and would like to be able to access hosts at all of the spokes at this location as I used to from the hub. So far I have tried vpn groups, destination networks, route statements and NAT translation but none have worked and I'm confused as to exactly where I am going wrong. Thank you for any guidance.

  • If I'm understanding you correctly, if your VPN is up, you would just need to set up the routing so the firewalls would know where to route the traffic. – Nixphoe Apr 25 '16 at 17:00

1 Answer


You can follow two approaches.

To have a 100% routed setup, with no NAT involved, do the following:

  • on the remote office's firewall (the one with 192.168.2.0/24 network), create a VPN tunnel having local LAN defined as 192.168.2.0/24 and remote LAN defined as 192.168.0.0/16
  • on the hub firewall, create a VPN (to your remote office) having local LAN defined as 192.168.0.0/16 and remote LAN as 192.168.2.0/24
  • on the hub firewall, go to the firewall rules and create a rule from VPN zone to VPN zone having 192.168.2.0/24 as source and 192.168.0.0/16 as destination.

A simpler solution is to use NAT on the central hub. For this solution to work, simply create plain VPNs to all your remote offices. Then:

  • edit the VPN for the 192.168.2.0/24 network and check the "Apply NAT rules"
  • in the NAT panel, create a NAT having 192.168.2.0/24 as source address and "LAN IP address" or "X0 IP" as translated address.

That's all.

shodanshok
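The routed approach in the answer above hinges on one address object, 192.168.0.0/16, standing in for every network behind the hub. The following Python script is an added example (not part of the original post, and not SonicWall code) that checks such a plan before it is typed into a firewall: it confirms the summary covers the hub and every spoke named in the question, computes the tightest single prefix that would do the same job (so the tunnel and the VPN-to-VPN rule carry only address space that exists), and flags that the spoke-side tunnel's remote LAN object overlaps its own local LAN. The subnets are the ones stated in the question; the summary is the one the answer proposes.

```python
"""Sanity-check a hub-and-spoke VPN summary plan with the ipaddress module.

Added example, not from the original post. Subnets are those named in the
question; SUMMARY is the remote-LAN object proposed in the answer.
"""
import ipaddress

HUB = ipaddress.ip_network("192.168.27.0/24")
# Spokes 192.168.1.0/24 through 192.168.10.0/24, as stated in the question.
SPOKES = [ipaddress.ip_network(f"192.168.{i}.0/24") for i in range(1, 11)]
REMOTE_OFFICE = ipaddress.ip_network("192.168.2.0/24")
SUMMARY = ipaddress.ip_network("192.168.0.0/16")


def uncovered(summary, networks):
    """Return the networks that the summary object does NOT contain."""
    return [n for n in networks if not n.subnet_of(summary)]


def minimal_summary(networks):
    """Smallest single prefix containing every network in the list.

    Walk the first network's supernets outward one bit at a time until all
    the others fit. A tighter summary than /16 means the tunnel and the
    hub's VPN->VPN rule only match traffic for subnets that really exist.
    """
    candidate = networks[0]
    while not all(n.subnet_of(candidate) for n in networks):
        candidate = candidate.supernet()
    return candidate


def overlaps_local(local, remote):
    """True when a tunnel's remote-LAN object overlaps its own local LAN.

    The answer's spoke-side tunnel uses local 192.168.2.0/24 and remote
    192.168.0.0/16, so this returns True; the operator should confirm the
    firewall keeps local traffic out of the tunnel in that case.
    """
    return local.overlaps(remote)


def excluded_summary(summary, local):
    """The summary's address space minus the local LAN, as a list of prefixes.

    Handy if the remote-network object must be built from address objects
    that do not include the spoke's own subnet.
    """
    return list(summary.address_exclude(local))


def plan_report():
    """Collect the checks above into one dict for printing or asserting."""
    all_remote = SPOKES + [HUB]
    return {
        "uncovered_by_summary": [str(n) for n in uncovered(SUMMARY, all_remote)],
        "minimal_summary": str(minimal_summary(all_remote)),
        "spoke_remote_overlaps_local": overlaps_local(REMOTE_OFFICE, SUMMARY),
        "summary_minus_local": [str(n) for n in excluded_summary(SUMMARY, REMOTE_OFFICE)],
    }


if __name__ == "__main__":
    for key, value in plan_report().items():
        print(f"{key}: {value}")
```

Running it shows that 192.168.0.0/16 does cover everything, but 192.168.0.0/19 (192.168.0.0 through 192.168.31.255) would too; which prefix to use is an operator's choice, and the script only makes the trade-off visible.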