VPN using Globally Routable Addresses

Answered Question
Dec 18th, 2008

Hi,

We need to setup a site to site VPN with a customer who will not allow us to use RFC1918 addresses for our end point source / destinations.

As a result we have been asked to NAT these devices into our globally assigned Internet block.

My question is, will this work ?

Our Cisco ASA's terminate the VPNs and connect directly onto the Internet using a /27 block provided by our ISP.

If we NAT the inside devices that need to be protected over the VPN into this block and then included these NAT'd addresses in the crypto map ACL's will this work ?

Thanks in advance.

I have this problem too.
0 votes
Correct Answer by Jon Marshall about 7 years 11 months ago

Chris

Yes it will work and how you have described it is exactly how you set it up - eg.

inside network 192.168.5.0/24

Natted Public address - 195.166.77.10

remote network - 172.16.5.0/24

your crypto map access-list would read

access-list vpntraffic permit ip host 195.166.77.10 172.16.5.0 255.255.255.0

Jon

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
Correct Answer
Jon Marshall Thu, 12/18/2008 - 09:15

Chris

Yes it will work and how you have described it is exactly how you set it up - eg.

inside network 192.168.5.0/24

Natted Public address - 195.166.77.10

remote network - 172.16.5.0/24

your crypto map access-list would read

access-list vpntraffic permit ip host 195.166.77.10 172.16.5.0 255.255.255.0

Jon

cbeswick Tue, 12/23/2008 - 00:56

Thanks for your reply Jon. We haven't tested it yet, but this gives me some confidence that at least it "should" work :)

Jon Marshall Tue, 12/23/2008 - 04:13

Chris

Thanks for the rating and if it doesn't work i'll come up to Manchester and help out :-)

Jon

Actions

This Discussion