To enable access from a Banyan-connected user to a destination behind an existing Site-to-Site VPN, you’ll need to configure a manual NAT to translate the IPs used by CSE access tiers. This setup uses a dummy IP to bridge traffic between both firewalls.
LAB Environment Details:
Client OS: Windows (Banyan app version 3.27.2)
Firewall Platform: SonicWall (version 7.3.0-7012)
CSE Connector: Local firewall
Local Subnet: 10.0.1.0/24
Remote Subnet: 192.168.255.0/24
CSE Access Tier IPs: Created by default during CSE setup
The Banyan-connected user should be able to reach the remote server at IP 192.168.255.195 through the existing Site-to-Site VPN tunnel.
Local Firewall (CSE Connector)
1.- Create an Address Object
Define the translated IP as a host address object in the VPN zone.
Ensure this IP is identical on both firewalls.
Object | Match Objects | Addresses
2.- Add the Remote Subnet
Add the existing address object for the remote subnet to the CIDR connector configuration (e.g., 192.168.255.0/24).
Network | Cloud Secure Edge | Access Settings
3.- Create a NAT Policy
Configure a NAT rule to translate traffic from CSE Access Tier IPs to the translated IP when accessing the remote subnet.
Policy | Rules and Policies | NAT Rules
4.- Edit the local VPN
Modify the existing Site-to-Site (S2S) VPN by updating the Local Network settings. Create a new Address Object Group that includes both the current Local Network configuration and the previously created TranslatedIPCSE object.
Network | IPSec VPN | Rules and Settings
Remote Firewall
5.- Create Address Object
Define the same dummy/translated IP address object that was created on the local firewall.
Object | Match Objects | Addresses
6.- Edit the remote VPN
Modify the existing Site-to-Site (S2S) VPN by updating the Destination Network settings. Create a new Address Object Group that includes both the current Remote Network configuration and the previously created TranslatedIPCSE object.
Network | IPSec VPN | Rules and Settings
TIPS:
- Toggle the VPNs (Disable/Enable) to ensure that the newly added subnets are properly recognized and applied.
- Verify the new CSE object is active and visible on the remote firewall.
- Verify the new Remote subnet is active and visible on the Banyan device.
- Confirm there are no blocking mechanisms on the destination server, such as Windows Firewall, antivirus software, or internal access control rules.
- Enable packet capture on both the local and remote firewalls to trace the traffic flow if any connectivity issues arise. You can filter the capture on the destination IP.
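The steps above only work if both firewalls agree on the translated IP and on the networks carried by the tunnel. The following Python check is an added example, not SonicWall code: it models the address groups from steps 4 and 6 and reports mismatches before you toggle the VPN. The translated IP 172.31.250.1 is a constructed placeholder (the page does not state the value), and the check assumes the two VPN policies must mirror each other's network selections.

```python
import ipaddress as ip

# Lab values from the page. TRANSLATED_IP is a constructed placeholder:
# substitute the host address stored in your TranslatedIPCSE object.
TRANSLATED_IP = ip.ip_network("172.31.250.1/32")
LOCAL_SUBNET = ip.ip_network("10.0.1.0/24")
REMOTE_SUBNET = ip.ip_network("192.168.255.0/24")
REMOTE_SERVER = ip.ip_address("192.168.255.195")

def check_plan(local_fw, remote_fw, translated=TRANSLATED_IP):
    """Return a list of problems; an empty list means the plan is consistent.

    Each firewall is a dict with 'local' and 'remote' lists of networks,
    i.e. the two address groups selected on its Site-to-Site VPN policy.
    """
    problems = []
    # The dummy IP must be one host that belongs to neither real subnet,
    # so return traffic for it is routed unambiguously into the tunnel.
    if translated.num_addresses != 1:
        problems.append("translated IP must be a single host")
    for name, net in (("local", LOCAL_SUBNET), ("remote", REMOTE_SUBNET)):
        if translated.overlaps(net):
            problems.append(f"translated IP overlaps the {name} subnet")
    # Step 4: local firewall lists the dummy IP in its Local Network group.
    if not any(translated.subnet_of(n) for n in local_fw["local"]):
        problems.append("local firewall: translated IP not in Local Network group")
    # Step 6: remote firewall lists it in its Destination Network group.
    if not any(translated.subnet_of(n) for n in remote_fw["remote"]):
        problems.append("remote firewall: translated IP not in Destination Network group")
    # Assumption: each side's selections must mirror the other side's.
    if set(local_fw["local"]) != set(remote_fw["remote"]):
        problems.append("local side's Local group differs from remote side's Destination group")
    if set(local_fw["remote"]) != set(remote_fw["local"]):
        problems.append("local side's Destination group differs from remote side's Local group")
    # The server the Banyan user needs must be reachable through the tunnel.
    if not any(REMOTE_SERVER in n for n in local_fw["remote"]):
        problems.append("remote server is not covered by the tunnel")
    return problems

if __name__ == "__main__":
    local_fw = {"local": [LOCAL_SUBNET, TRANSLATED_IP], "remote": [REMOTE_SUBNET]}
    # Constructed failure case: step 6 was skipped on the remote firewall.
    remote_fw = {"local": [REMOTE_SUBNET], "remote": [LOCAL_SUBNET]}
    for problem in check_plan(local_fw, remote_fw):
        print("FAIL:", problem)
```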