Creating a VPN Tunnel without RFC1918 subnets

Answered Question
Nov 12th, 2009
User Badges:

Hi All,

I've been asked to configure a Cisco router to one of our partners using a method I'm unfamiliar with. Hence I'm hoping someone from here can guide me in the right direction. Essentially the set up needs to be like this:

At one end there is a firewall with an IP address of (all fake IP's). This is to be the VPN termination point. Behind this firewall is a server with a private IP address of This private IP is NAT'd to

Now at the other end is a VPN router with an IP address of This is the other VPN termination point. There is another internal server with IP address of I don't really want to create an external NAT for this internal IP address if possible.

Essentially I need to get and to communicate with each other over a VPN but NOT use their IP addresses in the VPN tunnel.

What is the best way to achieve this? Any help would be much appreciated!


Correct Answer by Todd Pula about 7 years 6 months ago

This config should do the trick for you...

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Todd Pula Thu, 11/12/2009 - 14:43
User Badges:
  • Silver, 250 points or more

You can use NAT to hide the source IP using an Internet routable address. You will then build the crypto ACL for the tunnel based on the post-NAT IP address. I had uploaded an example using PAT at the link below but you can also use static NAT in your case.^1%40%40.2cd3f992/2#selected_message

craig.juhas Fri, 11/13/2009 - 03:04
User Badges:

Thanks for that! I'll give it a try and let you know.


craig.juhas Fri, 11/13/2009 - 03:49
User Badges:

I have made a variation of the attachment from the other thread. What I'm looking to achieve with this is a VPN tunnel only using a publicly NAT'd IP address. Let me know if this makes sense and more importantly if it will work!

Correct Answer
Todd Pula Fri, 11/13/2009 - 07:42
User Badges:
  • Silver, 250 points or more

This config should do the trick for you...


This Discussion