VPN using Globally Routable Addresses

Answered Question
Dec 18th, 2008
Hi,


We need to set up a site-to-site VPN with a customer who will not allow us to use RFC1918 addresses for our end point source / destinations.

As a result we have been asked to NAT these devices into our globally assigned Internet block.

My question is, will this work?

Our Cisco ASAs terminate the VPNs and connect directly onto the Internet using a /27 block provided by our ISP.

If we NAT the inside devices that need to be protected over the VPN into this block and then include these NAT'd addresses in the crypto map ACLs, will this work?


Thanks in advance.

Correct Answer
Jon Marshall Thu, 12/18/2008 - 09:15
Chris


Yes, it will work, and how you have described it is exactly how you set it up, e.g.


inside network 192.168.5.0/24

Natted Public address - 195.166.77.10

remote network - 172.16.5.0/24


your crypto map access-list would read


access-list vpntraffic permit ip host 195.166.77.10 172.16.5.0 255.255.255.0


Jon
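
The setup described in the answer above, written out as an added example (not configuration posted by anyone in this thread). It assumes the pre-8.3 ASA `nat`/`global` syntax that was current in 2008 and an IKE policy already enabled on the outside interface; the ACL and crypto map names, the peer address 203.0.113.1, the test hosts and the pre-shared key are placeholders.

```cisco
! Added illustration: names, peer 203.0.113.1 and the key are placeholders.

! 1. Policy NAT: translate the inside network to the public address only
!    when the destination is the customer's network.
access-list vpn-policy-nat extended permit ip 192.168.5.0 255.255.255.0 172.16.5.0 255.255.255.0
nat (inside) 10 access-list vpn-policy-nat
global (outside) 10 195.166.77.10

! 2. Crypto ACL matches the translated source, because the ASA applies NAT
!    before it checks the crypto map. No "nat (inside) 0" exemption entry
!    may match this flow, or it leaves untranslated and misses this ACL.
access-list vpntraffic extended permit ip host 195.166.77.10 172.16.5.0 255.255.255.0

! 3. Tunnel definition bound to the outside interface.
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 20 match address vpntraffic
crypto map outside_map 20 set peer 203.0.113.1
crypto map outside_map 20 set transform-set ESP-AES256-SHA
crypto map outside_map interface outside
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 pre-shared-key <shared-secret>

! 4. Checks: the translation exists, the IPsec SA lists 195.166.77.10 as the
!    local identity, and a simulated packet passes the NAT and VPN phases.
show xlate
show crypto ipsec sa peer 203.0.113.1
packet-tracer input inside tcp 192.168.5.20 1025 172.16.5.20 443 detailed
```

Translating a whole /24 to one address is dynamic PAT, so only sessions initiated from the inside network will work. If the customer must open connections to individual inside hosts, each of those hosts needs its own one-to-one static translation and a matching crypto ACL entry.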

cbeswick Tue, 12/23/2008 - 00:56
Thanks for your reply Jon. We haven't tested it yet, but this gives me some confidence that at least it "should" work :)

Jon Marshall Tue, 12/23/2008 - 04:13
Chris


Thanks for the rating and if it doesn't work I'll come up to Manchester and help out :-)


Jon
