Tuesday, October 16, 2018

Sonicwall Question - Routing between Multiple remote sites

My customer has SonicWALL firewalls at all 16 of their sites (except one, which we won't get into) and they all have site-to-site VPN connections back to their corporate office. Each site also has a Summit phone system, and they would like to be able to use the 4-digit extensions to make/transfer calls between the sites.

The issue I'm running into is how to route traffic from Site A, through the VPN to Corporate, then to Site B. The SonicWALL SKUs at the locations don't support enough site-to-site VPN connections to create 16 VPN tunnels on every unit and build a giant spider topology, and upgrading all of their routers would be cost-prohibitive. I believe I can accomplish this with static routing, but I've tried a few methods and haven't been able to get it to work.

My first attempt was to add all of the remote LAN subnets to the destination field of the VPN, so that all traffic for any remote subnet would get routed through the VPN to corporate, which would handle routing it to the appropriate site. I set this up with only a few of the sites and tested on those sites, and wasn't able to ping through corporate from Site A to Site B.

My current setup (that isn't working) is a static route on Site A as such:

Source - LAN Subnet
Dest - Site B (10.10.x.0/24)
Gateway - Corporate SonicWALL LAN IP (10.10.10.1)
Metric - 19 (All others are 20)

and a static route on Site B as such:

Source - LAN Subnet
Dest - Site A (10.10.x.0/24)
Gateway - Corporate SonicWALL LAN IP (10.10.10.1)
Metric - 19 (All others are 20)

Logically this makes sense to me, as it would forward traffic for Site A to the corporate SonicWALL, which already knows the remote sites' LAN subnets and can route normally to them. The SonicWALL at Site A would receive and process the traffic like LAN traffic, and the response to Site B would use the static route to go back through corporate and get forwarded back to Site A.

I would really appreciate some assistance on this. I have a feeling I need to create a tunnel interface rather than a site-to-site VPN, but I'm not certain.

Thanks in advance!
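The following is an added example, not code from the original post or from SonicWALL. It models the one check that decides whether spoke-to-spoke traffic can relay through a hub over policy-based IPsec tunnels: every tunnel the packet crosses must have traffic selectors (local/remote networks) that cover the flow in the direction it travels, on both ends of that tunnel. A static route alone cannot make a hub-and-spoke relay work if the hub's tunnel policies only list the hub's own LAN as "local". The site names, subnets and hosts below are constructed for the example and are not the poster's real addressing.

```python
"""Added example: trace a spoke-to-spoke flow through a hub over
policy-based IPsec tunnels and report the first traffic-selector miss.

Model (generic policy-based VPN, not a statement about SonicOS internals):
  * a packet leaving a firewall is encrypted into the first policy whose
    local networks contain the source and remote networks contain the dest;
  * the peer only decrypts it if one of its policies to that firewall
    mirrors the selectors (remote contains source, local contains dest).
All addresses are constructed for the example.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass
class VpnPolicy:
    peer: str                 # firewall at the far end of the tunnel
    local: List[IPv4Network]  # "local networks" selector
    remote: List[IPv4Network]  # "remote/destination networks" selector


@dataclass
class Firewall:
    name: str
    lan: IPv4Network
    policies: List[VpnPolicy] = field(default_factory=list)

    def outbound(self, src, dst) -> Optional[VpnPolicy]:
        """Policy that would encrypt src->dst leaving this firewall, if any."""
        for p in self.policies:
            if any(src in n for n in p.local) and any(dst in n for n in p.remote):
                return p
        return None

    def accepts(self, peer: str, src, dst) -> bool:
        """Mirror check: a policy to `peer` with remote∋src and local∋dst."""
        return any(p.peer == peer
                   and any(src in n for n in p.remote)
                   and any(dst in n for n in p.local)
                   for p in self.policies)


def trace(fws: Dict[str, Firewall], start: str, src, dst,
          max_hops: int = 4) -> Tuple[bool, List[str]]:
    """Walk src->dst from firewall `start`; return (delivered, hop log)."""
    src, dst = ip_address(src), ip_address(dst)
    log, here = [], fws[start]
    for _ in range(max_hops):
        if dst in here.lan:
            log.append(f"{here.name}: delivered to LAN {here.lan}")
            return True, log
        pol = here.outbound(src, dst)
        if pol is None:
            log.append(f"{here.name}: no policy with local∋{src}, remote∋{dst}; dropped")
            return False, log
        nxt = fws[pol.peer]
        if not nxt.accepts(here.name, src, dst):
            log.append(f"{nxt.name}: policy to {here.name} does not cover "
                       f"{src}->{dst}; rejected on decrypt")
            return False, log
        log.append(f"{here.name} -> {nxt.name} via tunnel")
        here = nxt
    log.append("hop limit exceeded")
    return False, log


# Constructed topology: one hub, two spokes (hypothetical addressing).
HUB_LAN = ip_network("10.10.10.0/24")
SPOKES = {"siteA": ip_network("10.10.1.0/24"), "siteB": ip_network("10.10.2.0/24")}


def build(hub_lists_other_spokes: bool, spokes_list_other_spokes: bool) -> Dict[str, Firewall]:
    """Hub-and-spoke with selectors widened on the hub side and/or spoke side."""
    hub = Firewall("hub", HUB_LAN)
    fws = {"hub": hub}
    for name, lan in SPOKES.items():
        others = [n for s, n in SPOKES.items() if s != name]
        hub.policies.append(VpnPolicy(
            peer=name, local=[HUB_LAN] + (others if hub_lists_other_spokes else []),
            remote=[lan]))
        fws[name] = Firewall(name, lan, [VpnPolicy(
            peer="hub", local=[lan],
            remote=[HUB_LAN] + (others if spokes_list_other_spokes else []))])
    return fws


def spoke_to_spoke_ok(hub_side: bool, spoke_side: bool) -> bool:
    """True only if A->B and B->A both relay through the hub."""
    fws = build(hub_side, spoke_side)
    fwd, _ = trace(fws, "siteA", "10.10.1.50", "10.10.2.50")
    rev, _ = trace(fws, "siteB", "10.10.2.50", "10.10.1.50")
    return fwd and rev


if __name__ == "__main__":
    # Spokes list the other spokes as destinations, hub policies untouched.
    for line in trace(build(False, True), "siteA", "10.10.1.50", "10.10.2.50")[1]:
        print(line)
    print("both sides widened:", spoke_to_spoke_ok(True, True))
```

Run as-is, the first trace stops at the hub: Site A's tunnel carries the packet, but the hub's policy to Site A has only the hub LAN as a local network, so the decrypted packet for Site B's subnet does not match and is rejected. Widening only the spokes' destination networks (the first attempt described in the post) therefore cannot work in this model; the hub's policy to each spoke must also list the other spokes' subnets as local networks, and each spoke's policy to the hub must list them as remote networks.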


