Creating a VPN Tunnel without RFC1918 subnets

Answered Question
Nov 12th, 2009

Hi All,

I've been asked to configure a Cisco router to one of our partners using a method I'm unfamiliar with. Hence I'm hoping someone from here can guide me in the right direction. Essentially the setup needs to be like this:

At one end there is a firewall with an IP address of (all fake IPs). This is to be the VPN termination point. Behind this firewall is a server with a private IP address of This private IP is NAT'd to

Now at the other end is a VPN router with an IP address of This is the other VPN termination point. There is another internal server with IP address of I don't really want to create an external NAT for this internal IP address if possible.

Essentially I need to get and to communicate with each other over a VPN but NOT use their IP addresses in the VPN tunnel.

What is the best way to achieve this? Any help would be much appreciated!


Correct Answer by Todd Pula about 7 years 2 months ago

This config should do the trick for you...

Todd Pula Thu, 11/12/2009 - 14:43

You can use NAT to hide the source IP using an Internet routable address. You will then build the crypto ACL for the tunnel based on the post-NAT IP address. I had uploaded an example using PAT at the link below but you can also use static NAT in your case.

^1%40%40.2cd3f992/2#selected_message
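
The static NAT variant described in the reply above, written out as an added example; it is not the configuration attached to either thread. All addresses are constructed from the RFC 5737 documentation ranges, and the interface names, crypto map and ACL names, IKE/IPsec parameters and key placeholder are assumptions.

```cisco
! Constructed addresses (RFC 5737 documentation ranges), not from the thread:
!   198.51.100.1   this router's outside interface (VPN termination point)
!   10.10.10.5     internal server behind this router (real address)
!   198.51.100.10  public address the server is translated to
!   203.0.113.1    partner firewall (VPN peer)
!   203.0.113.10   partner server as the partner presents it (already NAT'd)
!
interface GigabitEthernet0/1
 description Inside, server LAN
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/0
 description Outside, Internet
 ip address 198.51.100.1 255.255.255.0
 ip nat outside
 crypto map PARTNER-VPN
!
! Static NAT: the server leaves the router as 198.51.100.10.
ip nat inside source static 10.10.10.5 198.51.100.10
!
! Crypto ACL written on the post-NAT address. On the inside-to-outside path
! IOS translates before it evaluates the crypto map, so an entry for
! 10.10.10.5 would never match and the traffic would leave unencrypted.
ip access-list extended CRYPTO-PARTNER
 permit ip host 198.51.100.10 host 203.0.113.10
!
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
! Placeholder key, replace with the secret agreed with the partner.
crypto isakmp key REPLACE-WITH-SHARED-SECRET address 203.0.113.1
!
crypto ipsec transform-set PARTNER-TS esp-aes 256 esp-sha-hmac
!
crypto map PARTNER-VPN 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set PARTNER-TS
 match address CRYPTO-PARTNER
```

The partner firewall needs the mirror-image crypto ACL (its translated server address to 198.51.100.10). `show ip nat translations` and `show crypto ipsec sa` confirm that the translated address is the one appearing in the tunnel's local identity and that the encapsulation counters increase.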

craig.juhas Fri, 11/13/2009 - 03:49

I have made a variation of the attachment from the other thread. What I'm looking to achieve with this is a VPN tunnel only using a publicly NAT'd IP address. Let me know if this makes sense and more importantly if it will work!

