My subject isn't too clear, so let me describe what I'm looking to do. I'm not sure if it's possible.
I have an existing network setup here on 192.168.1.0/24, the PAN is .1 on Ethernet 0/2.
We are acquiring hardware from a sister company that is going to be eventually merged with us. I am going to put their gear on a separate VLAN, and wanted to dedicate a separate interface on the PAN to that gear. They have remote locations that are using IPSec VPN to get back to their equipment, so I am going to change the VPN tunnels to point back to my PAN and route the traffic over to their little segmented network. I would like to avoid making changes to their hardware and I want to leave their subnet alone. However, they are also using 192.168.1.0/24, and due to the VPN their remote sites are hard-coded to connect to specific IPs in that subnet (for Citrix, etc.).
Is there some way I can mangle the traffic such that I can terminate their IPSec tunnels and have the traffic hit "their" 192.168.1.0/24 without it having any effect on "my" 192.168.1.0/24?
Here was my line of thinking...
Add a second "internet" interface, assign a single external IP from our static pool
Add a new internal / trusted interface for this sister company's equipment, assign it 192.168.1.1/24
Create a new virtual router for this setup, and put the above two interfaces in the VR
Set up IPSec tunnels and assign them to the same VR
Assuming I keep all of the traffic for the sister company in a separate Virtual Router, it shouldn't "conflict" or upset my traffic on my existing VR (also using the 192.168.1.0/24 subnet), correct?
I believe this will work - you can have overlapping IP space with separate VRs. The issue you may run into, though, is that you cannot have duplicate IP addresses directly assigned to interfaces on the firewall. Since both are using 192.168.1.1 you might run into an issue.
Well, if I have to change the IP for the "sister" network on the PAN that shouldn't be a major problem, as long as I can keep the subnet the same. It's only 4-5 servers and I can just change their default gateways to a new IP.
My biggest concern was that traffic would somehow get misdirected, but if I'm using two separate VRs I don't really see how that would be possible.
The larger concern was that the remote VPN'd systems are all pointing back to individual IPs (I have no idea why they didn't use hostnames), so I'm stuck with the 192.168.1.x subnet for the sister company until we can hit all of the remote sites and change the computers to connect to Citrix via hostname/etc. Since we are going to have to do that when we transition their data onto our network anyway, I'd rather NOT have to change when the equipment is moved over here, only when we do the actual data migration.
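To make the two points in this thread concrete (per-VR route tables keep overlapping 192.168.1.0/24 networks apart, but interface addresses are still unique across the whole firewall), here is a small Python model of the proposed design. It is an added illustration, not PAN-OS code or output; the interface names, the 203.0.113.0/29 public block, the 10.50.0.0/24 remote-site LAN and the tunnel.1 name are all constructed. The lookup is a plain longest-prefix match confined to one VR's table, and the duplicate check applies the constraint the reply raises.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Interface:
    name: str
    address: ipaddress.IPv4Interface   # address with prefix, e.g. 192.168.1.1/24
    vr: str                            # virtual router the interface belongs to


@dataclass
class StaticRoute:
    vr: str
    destination: ipaddress.IPv4Network
    egress: str                        # outgoing interface (ethernet or tunnel)


class FirewallPlan:
    """Minimal model of per-VR routing plus a firewall-wide interface IP check."""

    def __init__(self) -> None:
        self.interfaces: List[Interface] = []
        self.routes: List[StaticRoute] = []

    def add_interface(self, name: str, cidr: str, vr: str) -> None:
        self.interfaces.append(Interface(name, ipaddress.ip_interface(cidr), vr))

    def add_route(self, vr: str, dest: str, egress: str) -> None:
        self.routes.append(StaticRoute(vr, ipaddress.ip_network(dest), egress))

    def duplicate_interface_ips(self) -> Dict[str, List[str]]:
        # Interface addresses are unique per firewall, not per VR: the same
        # address on two interfaces is a conflict even when the VRs differ.
        by_ip: Dict[str, List[str]] = {}
        for i in self.interfaces:
            by_ip.setdefault(str(i.address.ip), []).append(i.name)
        return {ip: names for ip, names in by_ip.items() if len(names) > 1}

    def lookup(self, vr: str, dst: str) -> Optional[str]:
        # Longest-prefix match over ONE VR's table only. Connected networks and
        # static routes that live in another VR are invisible here, which is
        # why two VRs can each carry 192.168.1.0/24 without ambiguity.
        ip = ipaddress.ip_address(dst)
        candidates = []
        for i in self.interfaces:
            if i.vr == vr and ip in i.address.network:
                candidates.append((i.address.network.prefixlen, i.name))
        for r in self.routes:
            if r.vr == vr and ip in r.destination:
                candidates.append((r.destination.prefixlen, r.egress))
        return max(candidates)[1] if candidates else None


def build_plan(sister_gateway: str = "192.168.1.1/24") -> FirewallPlan:
    """Constructed plan mirroring the thread: two VRs, both carrying 192.168.1.0/24."""
    plan = FirewallPlan()
    # Existing network (interface names and the public block are constructed).
    plan.add_interface("ethernet1/1", "203.0.113.2/29", "default")
    plan.add_interface("ethernet1/2", "192.168.1.1/24", "default")
    plan.add_route("default", "0.0.0.0/0", "ethernet1/1")
    # Sister company: second internet-facing interface, its own inside
    # interface, its own VR, and the re-pointed IPsec tunnel routed in that VR only.
    plan.add_interface("ethernet1/3", "203.0.113.3/29", "sister")
    plan.add_interface("ethernet1/4", sister_gateway, "sister")
    plan.add_route("sister", "10.50.0.0/24", "tunnel.1")   # remote site LAN, constructed
    plan.add_route("sister", "0.0.0.0/0", "ethernet1/3")
    return plan


if __name__ == "__main__":
    naive = build_plan()
    print("duplicate interface IPs:", naive.duplicate_interface_ips())
    fixed = build_plan("192.168.1.254/24")
    print("after moving the sister gateway:", fixed.duplicate_interface_ips())
    for vr in ("default", "sister"):
        print(vr, "-> 192.168.1.50 via", fixed.lookup(vr, "192.168.1.50"))
    print("sister -> 10.50.0.7 via", fixed.lookup("sister", "10.50.0.7"))
```

With the gateway left at 192.168.1.1 on both inside interfaces the duplicate check reports the clash; moving the sister gateway to another address in the same /24 clears it, and the same destination 192.168.1.50 then resolves to ethernet1/2 in the default VR and ethernet1/4 in the sister VR, while the remote-site prefix is reachable only from the VR that holds the tunnel route.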