Configure Site to Site VPN with Public IP's?

Chris74 Posts: 7
Hi - I need to extend public IP addresses over the site-to-site VPN. I have an NSG100 in a data centre and an NSG50 in the office.

I need to tunnel public static IPs via the NSG100 which is connected via WAN1 to our own public subnet - so that devices we configure in the office will work as if they were sat in our rack in the data centre.

When I configure these in Nebula for the two sites - I get an overlap, so I'm not sure how to resolve it.

Any advice very welcome.


All Replies

  • mMontana
    mMontana Posts: 1,304  Guru Member
    edited March 2022
    IMVHO traffic from NSG50 "LAN1" (my guess) to the internet should be routed via the IPsec connection.
    And someone should be resident in the office who knows how to temporarily disable that route if necessary.
    IMVHO both forward and reverse routes should be configured on NSG100 and NSG50. And making mistakes is quite easy...
  • Chris74
    Chris74 Posts: 7
    I don't see any option to configure Site to Site VPN with IPSEC.
  • Zyxel_Chris
    Zyxel_Chris Posts: 662  Zyxel Employee
    @Chris74
    It seems your LAN settings overlap. Can you let me know what your scenario looks like?
    For instance:
    LAN1(192.168.8.0/24)---NSG100===VPN===NSG50---LAN1(192.168.9.0/24)

    On the other hand, are these two NSGs in the same organization?
    Chris
  • Chris74
    Chris74 Posts: 7
    Ok, thanks - the scenario is very simple...

    I have the 80.XX.XX.0/25 subnet via an IP feed in a data centre. We run our live servers on those IPs.

    I have one NSG100 in the rack configured as 80.XX.XX.100.

    We are originally using this as a remote VPN - no problem there. But that's not what I'm asking about.

    I have now purchased a second unit, an NSG50, for our office. I want to configure it as site to site, so the devices in the office can be on the same public subnet as the servers in our rack.

    So I want to plug a server into the NSG50 at the office and give it an IP address, 80.XX.XX.105 for example, so that we can configure it in the office before taking it to the DC and installing it.

    There are no private networks involved.

    In Nebula, these are configured in the same organisation as different sites.

    Hope that is clear.


  • Zyxel_Chris
    Zyxel_Chris Posts: 662  Zyxel Employee
    @Chris74,
    Are you going to configure the public IP on the NSG50 or on the server?
    If it's the first case, then just log in to the NSG local GUI; in the interface settings you can set the IP.
    Chris
  • Chris74
    Chris74 Posts: 7
    edited March 2022
    I'm sorry, I don't follow what you're saying.

    I should explain that the office is using a standard broadband connection and the NSG50 is connected to this on the WAN port.

    I want to extend the network on the NSG100 over the site to site VPN so that I can plug a server into a LAN port on the NSG50 at the office - as if it was on the public subnet - as if the server is in the data centre.

    I guess to answer your question, I would configure the public IP on the server.


  • Zyxel_Chris
    Zyxel_Chris Posts: 662  Zyxel Employee
    May I know if your scenario looks like this, with the server's traffic being sent through the tunnel?

    NSG100(80.x.x.105)===VPN===(80.x.x.100)NSG50--(LAN)server (80.x.x.101)

    If that is the case, then it's not reasonable for the usual case of s2s VPN. May I know why you need this application?
    Chris
  • Chris74
    Chris74 Posts: 7
    I think that's exactly the case yes, except the NSG100 is configured with 80.x.x.100 on the WAN interface.

    I want to connect any server to a port on the NSG50 at the office and configure the server with 80.x.x.105 or 106 or 107 etc so it is sitting on the public network the same as the other servers in the rack in the DC.

    The reason for this is so that we can configure a server in our office and test it working live - then someone non-technical will simply take the server to the data centre and fit it into the rack and it will work immediately without any further configuration.

    It also means that we can create a test environment here in the office so we can test different technologies and virtualisation products - then reconfigure / start again without having to travel to the DC and remove the kit to reinstall it.


  • Zyxel_Chris
    Zyxel_Chris Posts: 662  Zyxel Employee
    @Chris74
    Thanks for your information. However, since all the participating devices (server and WAN interface) are in the same subnet, this scenario cannot work (overlap, and it may have a routing issue), unless the server can be located in a different subnet.
    Chris
  • Chris74
    Chris74 Posts: 7
    Ok, can you suggest another way to achieve it? I know some routers have VPN ability - so could I connect a router via IPsec to the NSG100 and use the ports on the router? Is this possible? Is there any way I can do this with Zyxel hardware or do I need to find a different product?
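
Added example (not from the thread or from Zyxel): a Python model of the overlap and routing issue Zyxel_Chris describes, showing the site-subnet overlap check and the host's on-link decision that keeps same-subnet traffic away from the VPN gateway. The 203.0.113.0/25 documentation range stands in for the redacted 80.XX.XX.0/25; the separate office subnet, gateway addresses and function names are assumptions.

```python
import ipaddress
from itertools import combinations

# Constructed addresses: 203.0.113.0/25 (documentation range) stands in for
# the redacted 80.XX.XX.0/25 from the thread. OFFICE_SEPARATE is a
# hypothetical distinct subnet for the office side.
DC_SUBNET = ipaddress.ip_network("203.0.113.0/25")
OFFICE_SEPARATE = ipaddress.ip_network("203.0.113.128/29")


def overlapping_sites(sites):
    """Return (site_a, site_b) pairs whose local subnets overlap."""
    clashes = []
    for (a, nets_a), (b, nets_b) in combinations(sorted(sites.items()), 2):
        if any(x.overlaps(y) for x in nets_a for y in nets_b):
            clashes.append((a, b))
    return clashes


def forwarding_decision(interface, gateway, destination):
    """Model a host's choice: resolve the peer on-link or use the gateway.

    Assumes a routed tunnel with no bridging or proxy ARP, so only traffic
    handed to the gateway can enter the VPN.
    """
    iface = ipaddress.ip_interface(interface)
    dst = ipaddress.ip_address(destination)
    if dst in iface.network:
        return f"on-link: ARP for {dst}"
    return f"routed: send to gateway {gateway}"


if __name__ == "__main__":
    # Layout from the thread: office server numbered inside the DC subnet.
    print(overlapping_sites({"dc": [DC_SUBNET], "office": [DC_SUBNET]}))
    print(forwarding_decision("203.0.113.105/25", "203.0.113.100", "203.0.113.10"))
    # Alternative: office server in its own subnet behind the NSG50.
    print(overlapping_sites({"dc": [DC_SUBNET], "office": [OFFICE_SEPARATE]}))
    print(forwarding_decision("203.0.113.130/29", "203.0.113.129", "203.0.113.10"))
```

With the server numbered inside the data-centre /25, both sites claim the same prefix and the server tries to reach its rack neighbours on-link, so nothing is handed to the tunnel; in a distinct subnet the same destination is routed through the gateway.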
