How to reach a destination behind an existing Site-to-Site (S2S) VPN from a Banyan user connected via Cloud Secure Edge (CSE)

Description

To enable access from a Banyan-connected user to a destination behind an existing Site-to-Site VPN, you’ll need to configure a manual NAT to translate the IPs used by CSE access tiers. This setup uses a dummy IP to bridge traffic between both firewalls.

LAB Environment Details:
Client OS: Windows (Banyan app version 3.28)
Firewall Platform: SonicWall (version 7.3.1-7013)
CSE Connector: Local firewall
Local Subnet: 10.0.1.0/24
Remote Subnet: 192.168.255.0/24
CSE Access Tier IPs: Created by default during CSE setup

The Banyan-connected user should be able to reach the remote server at IP 192.168.255.195 through the existing Site-to-Site VPN tunnel.

Resolution

Local Firewall (CSE Connector)

1.- Create an Address Object
Define a host address object for the translated IP in the VPN zone.
Ensure the same IP is used on both firewalls.

Object | Match Objects | Addresses

2.- Add the Remote Subnet
Add the existing address object for the remote subnet to the CIDR connector configuration (e.g., 192.168.255.0/24).

Network | Cloud Secure Edge | Access Settings

3.- Create a custom NAT Policy
Configure a NAT rule to translate traffic from CSE Access Tier IPs to the translated IP when accessing the remote subnet.

Policy | Rules and Policies | NAT Rules

4.- Edit the local VPN 

Modify the existing Site-to-Site (S2S) VPN by updating the Local Network settings. Create a new Address Object Group that includes both the current Local Network configuration and the previously created TranslatedIPCSE object.

Network | IPSec VPN | Rules and Settings

Remote Firewall

5.- Create an Address Object
Define the same dummy/translated IP address that was used on the local firewall.

Object | Match Objects | Addresses

6.- Edit the remote VPN 

Modify the existing Site-to-Site (S2S) VPN by updating the Destination Network settings. Create a new Address Object Group that includes both the current Remote Network configuration and the previously created TranslatedIPCSE object.

Network | IPSec VPN | Rules and Settings

TIPS and RECOMMENDATIONS:

  • Toggle the VPNs (Disable/Enable) to ensure the newly added subnets are properly recognized and applied.
  • Verify that the new CSE object is active and visible on the remote firewall.
  • Verify that the new remote subnet is active and visible on the Banyan device. You can run route print from a command prompt (cmd) on the Banyan end user's device.
  • Confirm that there are no blocking mechanisms on the destination server, such as Windows Firewall, antivirus software, or internal access‑control rules.
  • Enable packet capture on both the local and remote firewalls to trace the traffic flow if any connectivity issues arise. You can filter the capture based on the destination IP.
  • If you notice unusual NAT policy matching, you may reboot the firewall to clear the internal firewall cache.
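
The client-side checks from the tips above, as an added PowerShell example that is not part of the original article. It uses the lab's remote subnet and server IP; the TCP port (3389) is an assumption, so replace it with a service the remote server actually exposes.

```powershell
# Added example, not from the original article. Run on the Banyan end-user device.
$RemoteSubnet = '192.168.255.0/24'   # remote subnet from the lab on this page
$RemoteHost   = '192.168.255.195'    # remote server from the lab on this page
$TcpPort      = 3389                 # assumption: a TCP service the server exposes

# 1. Is the remote subnet in the routing table (the entry "route print" would show)?
$subnetRoute = Get-NetRoute -AddressFamily IPv4 -DestinationPrefix $RemoteSubnet `
    -ErrorAction SilentlyContinue

# 2. Which route and source address does Windows select for the remote server?
#    Find-NetRoute returns one IP address object and one route object.
$selected = Find-NetRoute -RemoteIPAddress $RemoteHost
$route    = $selected | Where-Object { $_.DestinationPrefix } | Select-Object -First 1
$source   = $selected | Where-Object { $_.IPAddress }         | Select-Object -First 1

# 3. Does the server answer through the tunnel on the chosen port?
$tcp = Test-NetConnection -ComputerName $RemoteHost -Port $TcpPort `
    -WarningAction SilentlyContinue

$result = [pscustomobject]@{
    SubnetRoutePresent = [bool]$subnetRoute
    SelectedPrefix     = $route.DestinationPrefix
    Interface          = $route.InterfaceAlias
    SourceAddress      = $source.IPAddress
    UsesDefaultRoute   = ($route.DestinationPrefix -eq '0.0.0.0/0')
    TcpReachable       = $tcp.TcpTestSucceeded
}
$result | Format-List

if (-not $route -or $result.UsesDefaultRoute) {
    # Only the default route matches: no specific route covers the remote server.
    Write-Warning "No specific route covers $RemoteHost. Re-check step 2 (Network | Cloud Secure Edge | Access Settings)."
} elseif (-not $result.TcpReachable) {
    # Routed but unanswered: trace it on the firewalls, as the tips suggest.
    Write-Warning "Route exists but ${RemoteHost}:$TcpPort did not answer. Capture on both firewalls filtered by destination IP $RemoteHost, and check blocking rules on the server."
}
```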

 

Related Articles

  • CSE - How to Reach an External URL Through Your Firewall from Banyan?
  • How to Reach a Destination Behind an Existing Tunnel Interface VPN from a Banyan User Connected via Cloud Secure Edge (CSE).
  • Authorization Error: Unregistered user device with email