VPN Ping – Establishing Connection Between Devices in Different Subnets

pingvpn

I have a problem regarding routing between two subnets.
Here is how the structure of my company network looks like:

There's a subnet that has an IP: 172.16.218.0 (which is company's main network connected directly to the internet through the router)
Second subnet would be the network with the IP: 192.168.0.0
Between the network 172.16.218.0 and 192.168.0.0 there's another router (router 2), which is used for VPN-connection with devices in the network 192.168.0.0 (remote access from outside the company network).

Now there's a device (device 1 – virtual server) in the network 172.16.218.0, which need to exchange the data with another device (device 2 – Siemens PLC) in the network 192.168.0.0 via so called OPC-Server (used mainly in industrial automation). Ideal situation would be that these two devices were in the same subnet, but unfortunately that's not the case.

I had trouble to configure the router 2, so it would work as VPN-interface and at the same time would allow data exchange between device 1 and device 2.
I have added the route using "add route" command but it didn't work (route between device 1 and 2).

My idea was to configure yet another router (router 3) between device 1 and device 2 and establish VPN connection between them. Before I do that, I wanted to ask if that all makes sense.

Edit: to be more specific: I added a picture in which you can see how the structure of the network looks like.
– Devices on the subnet 1 are getting IP-Adresses via DHCP.
– Devices on the subnet 2 are getting static IP-Addresses.
– Router 1 is used to get an access to internet.
– Router 2 is used to make a tunnel for a remote access to devices on the subnet 2 from outside subnet 1 and subnet 2 (via Internet).
– Device 1 and Device 2 need to communicate somehow (there is an OPC-Server running on the device 1).
– OPC-Communication works perfectly if the Device 1 and Device 2 are on the same subnet.
In the configuration of the OPC-Server (Device 1) we can set the IP-Address of the slave (Device 2) and the communication should already work (assuming we are on the same subnet). Here it's more complicated as they are on two different subnets.
– Router 2 is configured using mbConnect24 (Web Client) and router itself is an industrial router (mbNET). In the configuration there're two main aspects – LAN-Address for subnet 2 (192.168.0.0), let's say 192.168.0.100 and WAN address via DHCP. Configuration of this router is loaded to the device using mbConnect24 Portal.
– Now the question is – how to configure that network that Device 1 and 2 can exchange data?

That you for your help.

Best Answer

Ideally, all routers need to know the routes to each subnet.

Router 1

subnet 1 (directly attached)
subnet 2 via router 2
route to main network
default route to Internet (if not via main network)

Router 2

subnet 1 (directly attached)
subnet 2 (directly attached)
default route via Router 1

Obviously, nodes on subnet 1 need to use Router 2 to communicate with subnet 2, either by having an explicit route or by using Router 2 as default gateway (which would need to handle traffic destined for everything behind Router 1 as well).

If Router 1 cannot learn the subnet 2 route then no device within that subnet can use any route across that router. A solution is to source NAT that subnet on Router 2 - this creates the problem that you cannot connect into subnet 2 from anywhere else. You can work around that using destination NAT / port mapping but this is where it gets really ugly.

If there's a VPN tunnel on Router 2 leading elsewhere (you aren't clear on this) the nodes behind that tunnel have the same problem as those on subnet 2.

Basically, you need to get Router 1's routing table updated, either statically or by a routing protocol like OSPF.

Related Solutions

Cisco Router Switch VPN NAT – Static NAT Source and Destination on Router

To test your scenario I set up the following lab:

NAT topology

The 10.0.0.0/24 network is your -RangeOfIPs-

When traffic comes from 10.0.0.0/24 it will be NATed to 192.168.0.21. Traffic sourcing from 192.168.0.114 will be NATed to 10.1.1.21.

Configuration:

R3(config)#int f0/0
R3(config-if)#ip nat outside
R3(config-if)#int f0/1
R3(config-if)#ip nat inside

The above commands define the interfaces as outside and inside.

R3(config)#ip nat inside source static 192.168.0.114 10.1.1.21

This command translates the inside local address of 192.168.0.114 to an inside global address of 10.1.1.21.

R3(config)#access-list 1 permit 10.0.0.0 0.0.0.255

This access-list will define which hosts on the outside that will get NATed.

R3(config)#ip nat pool NAT_POOL 192.168.0.21 192.168.0.21 netmask 255.255.255.0

We create a NAT pool consisting of a single address.

R3(config)#ip nat outside source list 1 pool NAT_POOL add-route

Then we configure so that hosts matching access-list 1 will get NATed to 192.168.0.21.

It is important to configure add-route here or to add a static route because when doing inside to outside NAT, NAT takes place before routing in the order of operations. That means that R3 must have a route for 10.1.1.21.

R3 now has the following NAT table:

R3#show ip nat translations 
Pro Inside global      Inside local       Outside local      Outside global
--- ---                ---                192.168.0.21       10.0.0.1
--- 10.1.1.21          192.168.0.114      ---                ---

Note that R4 has configured with an IP and ip routing turned off to emulate a host. Debugging of ICMP on R1 is enabled and debugging of ip nat on R3 is also enabled.

R1#debug ip icmp
ICMP packet debugging is on

R3#debug ip nat 
IP NAT debugging is on

A ping is then issued from R1:

R1#ping 10.1.1.21 so f0/1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.21, timeout is 2 seconds:
Packet sent with a source address of 10.0.0.1 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 80/86/104 ms
R1#
ICMP: echo reply rcvd, src 10.1.1.21, dst 10.0.0.1
ICMP: echo reply rcvd, src 10.1.1.21, dst 10.0.0.1
ICMP: echo reply rcvd, src 10.1.1.21, dst 10.0.0.1
ICMP: echo reply rcvd, src 10.1.1.21, dst 10.0.0.1
ICMP: echo reply rcvd, src 10.1.1.21, dst 10.0.0.1

Debug and NAT table from R3:

NAT*: s=10.0.0.1->192.168.0.21, d=10.1.1.21 [15]
NAT*: s=192.168.0.21, d=10.1.1.21->192.168.0.114 [15
NAT: s=192.168.0.114->10.1.1.21, d=192.168.0.21 [15]
NAT: s=10.1.1.21, d=192.168.0.21->10.0.0.1 [15]

R3#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- ---                ---                192.168.0.21       10.0.0.1
icmp 10.1.1.21:3       192.168.0.114:3    192.168.0.21:3     10.0.0.1:3
--- 10.1.1.21          192.168.0.114      ---                ---

I think that this is the kind of configuration you are looking for.

However, note that there is a caveat because there is no overload (PAT) available for outside to inside translation. That means that as soon as one of your hosts communicate with 192.168.0.114, there will be no free IP's in the pool. What you can do is to increase the pool size so that you reserve maybe 10 IP's that are only used for NAT.

VPN Connection Between Two SonicWall Devices

According your last log, not even Phase 1 is established because both sides of tunnel got a timeout.

I would suggest to make a packet capture to find where the packet is stopping. You should filter in each device with public ip as filter. I suggest three scenarios:

The (returning) traffic is dropped at the firewall. You will see a red line with a drop code.
There are no returning traffic. Some device is dropping IKE packets in the middle.
You see normal returning traffic. There are another problem in your tunnel config.

Best Answer

Related Solutions

Cisco Router Switch VPN NAT – Static NAT Source and Destination on Router

VPN Connection Between Two SonicWall Devices

Related Topic