How can I configure a Site to Site VPN with multiple network overlaps (NAT over VPN)?

06/30/2021 502 People found this article helpful 109,205 Views

    Description

    This article will guide you through the process of configuring the SonicWall to translate multiple networks for use across a Site to Site VPN.

    NOTE: Because of the way this traffic is processed, the same configuration can also be applied to a Tunnel Interface (Route Based VPN).

    The diagram below is the example case used throughout this article to illustrate the concept.

    EXAMPLE: As seen in the example, the two sites share the internal networks 192.168.168.0/24 and 192.168.1.0/24. These networks are therefore translated on both ends so that no overlapping networks cross the tunnel. The VPN is then negotiated using the 10.168.168.0/24, 10.168.1.0/24, 10.168.169.0/24, and 10.168.2.0/24 networks.

    Image

    TIP: If you are trying to set up a Site to Site VPN with a single network translation, the SonicWall has a built-in feature for this. See How to Configure NAT over VPN in a Site to Site VPN for more information on how to configure this.

    Resolution

    NOTE: The Site A configuration here is based on firmware SonicOS 6.2 and below, and the Site B configuration is based on firmware SonicOS 6.5 and later. Configure each site according to the firmware it runs.

    Site A Configuration

    1. Log in to the SonicWall with your admin account.
    2. Navigate to Network | Address Objects.
    3. Click Add at the bottom of the screen and create the address objects for the Local site networks (if they do not exist), the translations of the local site networks, and the translations of the remote site's networks.  You should have a minimum of 6 address objects (more if you are translating for more than 2 network overlaps).

      EXAMPLE: In the Example below, we are configuring the SonicWall Appliance as though we are at Site A (Chicago).

      [Screenshots: Site A address objects]

    4. Access the Address Groups tab and click Add... at the bottom of the screen to create new groups for the Translated Local Networks and the Translated Remote Networks.
      Image
      Image

    5. Navigate to Network | NAT Policies.
    6. Click Add at the bottom of the page to create new NAT policies for each of the local networks needing to be translated.

      NOTE: While our example only has two networks being translated, your network may require more NAT Policies than what we display below.

       The format for the NAT policies will be as follows:
      Outbound NAT policy
      Original Source: Local Network
      Translated Source: Local Network Translation
      Original Destination: Remote Network Translation (Group)
      Translated Destination: Original

      Inbound NAT policy
      Original Source: Remote Network Translation (Group)
      Translated Source: Original
      Original Destination: Local Network Translation
      Translated Destination: Local Network

      EXAMPLE: Screenshots included below for our examples of the 2 Inbound and 2 Outbound NAT policies needed for the case study.

      [Screenshots: Site A inbound and outbound NAT policies]

    7. Navigate to VPN | Settings.
    8. Click Add to create your new VPN.
    9. On the General tab, fill in the Name, IPSec Primary Gateway Name or Address, and Shared Secret fields.
      Image 

    10. On the Network Tab, select the Local Translated Address Group in the Choose local network from list field and select the Remote Translated Address Group in the Choose destination network from list field.
      Image

    11. On the Proposals tab, select the preferred settings for Exchange, DH Group, Encryption, Authentication, Life Time (seconds), Protocol, and Enable Perfect Forward Secrecy.
      Image

    12. Make the appropriate adjustments on the Advanced tab as necessary.

      NOTE: Ensure at least one side of the VPN has keepalive enabled to keep the tunnel active.
       Image

    13. Click OK.
    14. Confirm that the VPN is active: a green circle appears next to each of the network destinations on the VPN | Settings page.

      NOTE: You may need to refresh the page for the settings to take effect.  This can also be tested with a ping from local to remote or remote to local.
      Image

    Site B Configuration

    1. Log in to the SonicWall with your admin account.
    2. Click Manage in the top navigation menu.
    3. Navigate to Objects | Address Objects.
    4. Click Add at the top of the screen and create the Address Objects for the Local site networks (if they do not exist), the translations of the local site networks, and the translations of the remote site's networks.  You should have a minimum of 6 address objects (more if you are translating for more than 2 network overlaps).

      EXAMPLE: In the Example below, we are configuring the SonicWall Appliance as though we are at Site B (San Jose).

      [Screenshots: Site B address objects]

    5. Access the Address Groups Tab and click Add at the top of the screen to create new groups for the Translated Local Networks and the Translated Remote Networks.
      Image
      Image

    6. Navigate to Rules | NAT Policies.
    7. Click Add at the bottom of the page to create new NAT policies for each of the local networks needing to be translated.

      NOTE: While our example only has two networks being translated, your network may require more NAT Policies than what we display below.

       The format for the NAT policies will be as follows:
      Outbound NAT policy
      Original Source: Local Network
      Translated Source: Local Network Translation
      Original Destination: Remote Network Translation (Group)
      Translated Destination: Original

      Inbound NAT policy
      Original Source: Remote Network Translation (Group)
      Translated Source: Original
      Original Destination: Local Network Translation
      Translated Destination: Local Network

      EXAMPLE: Screenshots included below for our examples of the 2 Inbound and 2 Outbound NAT policies needed for the case study.

      [Screenshots: Site B inbound and outbound NAT policies]

    8. Navigate to VPN | Base Settings.
    9. Click ADD to create your new VPN.
    10. On the General tab, fill in the Name, IPSec Primary Gateway Name or Address, and Shared Secret fields.
      Image 

    11. On the Network Tab, select the Local Translated Address Group in the Choose local network from list field and select the Remote Translated Address Group in the Choose destination network from list field.
      Image
    12. On the Proposals tab, select the preferred settings for Exchange, DH Group, Encryption, Authentication, Life Time (seconds), Protocol, and Enable Perfect Forward Secrecy.
      Image

    13. Make the appropriate adjustments on the Advanced tab as necessary.

      NOTE: Ensure at least one side of the VPN has keepalive enabled to keep the tunnel active.
       Image

    14. Click OK.
    15. Confirm that the VPN is active: a green circle appears next to each of the network destinations on the VPN | Settings page.

      NOTE: You may need to refresh the page for the settings to take effect.  This can also be tested with a ping from local to remote or remote to local.
      Image
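
The address plan and NAT policy rows from both site procedures can be checked before they are entered in the UI. The following Python sketch is an added example, not SonicWall code: it validates that the translated ranges do not overlap, builds the outbound and inbound rows in the article's NAT policy format, and shows the address a local host presents to the remote site. The assignment of translated ranges to Site A and Site B, the one-to-one mapping that preserves host bits, and all function names are assumptions.

```python
import ipaddress as ip

# Constructed from the article's example. Which translated range belongs to
# which site is an assumption (the original diagram is not reproduced here).
SITE_A = {"192.168.168.0/24": "10.168.168.0/24", "192.168.1.0/24": "10.168.1.0/24"}
SITE_B = {"192.168.168.0/24": "10.168.169.0/24", "192.168.1.0/24": "10.168.2.0/24"}

def validate(local_map, remote_map):
    """Return a list of problems that would break 1:1 NAT over the tunnel."""
    problems = []
    real = [ip.ip_network(n) for n in local_map]
    xlat = [ip.ip_network(n) for n in list(local_map.values()) + list(remote_map.values())]
    for orig, new in local_map.items():
        if ip.ip_network(orig).prefixlen != ip.ip_network(new).prefixlen:
            problems.append(f"{orig} -> {new}: prefix lengths differ")
    for i, a in enumerate(xlat):
        for b in xlat[i + 1:]:
            if a.overlaps(b):
                problems.append(f"translated ranges overlap: {a} and {b}")
        for r in real:
            if a.overlaps(r):
                problems.append(f"{a} collides with real local network {r}")
    return problems

def nat_policies(local_map, remote_map):
    """Build the outbound/inbound rows in the article's NAT policy format."""
    remote_group = sorted(remote_map.values())
    rows = []
    for orig, new in local_map.items():
        rows.append({"dir": "outbound", "orig_src": orig, "xlat_src": new,
                     "orig_dst": remote_group, "xlat_dst": "Original"})
        rows.append({"dir": "inbound", "orig_src": remote_group, "xlat_src": "Original",
                     "orig_dst": new, "xlat_dst": orig})
    return rows

def translate_host(addr, local_map):
    """Map a real local host to the address the remote site sees (host bits kept)."""
    host = ip.ip_address(addr)
    for orig, new in local_map.items():
        o, n = ip.ip_network(orig), ip.ip_network(new)
        if host in o:
            return str(n.network_address + (int(host) - int(o.network_address)))
    return None

if __name__ == "__main__":
    print(validate(SITE_A, SITE_B) or "no overlaps")
    for row in nat_policies(SITE_A, SITE_B):
        print(row)
    print(translate_host("192.168.168.50", SITE_A))
```

Swapping the two maps (`nat_policies(SITE_B, SITE_A)`) gives the rows for the other firewall, which is why each site needs its own pair of policies per translated network.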
