IPSEC between private and public range



I got a query from my customer, which made me think a bit.

A site-to-site VPN is to be built. The ASA 5510 at this end is doing it perfectly fine, where some other site-to-site tunnels are already working.

Now at the remote end, I don't know how, there is some device with firewall/VPN capability. The public IP range is used in the internal network.

I would like to know whether it is possible to:

1. Provide the public IP on the servers themselves. If we consider Cisco at the other end, what would the configuration be?

2. Is it possible to create a VPN tunnel in this case? It seems the interesting traffic defined can be done.

I don't know what the customer exactly wants, but he made me think about this requirement.



Correct Answer by Jitendriya Athavale about 6 years 10 months ago

Yes, it is possible; there shouldn't be issues with that.

Overall Rating: 4 (1 ratings)
Jitendriya Athavale Wed, 08/04/2010 - 00:03
User Badges: Cisco Employee

Could you please elaborate more? I am not sure if I understand your requirement correctly. Can you please draw a simple topology diagram to illustrate?

Do you want to know if we can define interesting traffic as public to private and vice versa?

I believe the topology is something like this.

Internal network------(NAT/PAT)ASA1------IPSEC Tunnel-------ASA/FW(Remote End)-----------Remote network(Public IP range)

At the remote end, public IPs are used behind the device. It seems NATting is not being done, or is exempted. I don't know exactly what has been done at that end, but the remote network has public IPs terminating on the servers.

Two questions:

1. Is this type of topology possible? If yes, why use IPsec, as the servers are publicly accessible?

2. You understood the second requirement correctly, i.e. interesting traffic from private to public and vice versa via IPsec.
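As an added example (not posted by anyone in this thread), here is how the ASA 5510 side of the topology above could be configured so that private-to-public interesting traffic is carried in the tunnel. It uses pre-8.3 ASA syntax (the `nat (inside) 0` NAT exemption form), which matches the vintage of this discussion. All addresses are constructed placeholders: 192.168.10.0/24 stands for the internal network, 203.0.113.0/24 for the remote server range that uses public addresses, 198.51.100.1 for the remote firewall's outside address, and the pre-shared key is a placeholder to be replaced.

```text
! Interesting traffic: internal private range to the remote public server range.
! The remote peer's own outside address (198.51.100.1) is deliberately NOT inside 203.0.113.0/24.
access-list VPN-TRAFFIC extended permit ip 192.168.10.0 255.255.255.0 203.0.113.0 255.255.255.0

! NAT exemption for exactly the same flows, so inside hosts keep their private
! addresses inside the tunnel instead of being PATed to the ASA outside address.
access-list NONAT extended permit ip 192.168.10.0 255.255.255.0 203.0.113.0 255.255.255.0
nat (inside) 0 access-list NONAT

! Phase 1 (IKEv1) policy.
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400

! Phase 2 transform set and crypto map bound to the outside interface.
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address VPN-TRAFFIC
crypto map OUTSIDE_MAP 10 set peer 198.51.100.1
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP interface outside

! LAN-to-LAN tunnel group keyed on the peer address.
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 pre-shared-key <REPLACE-WITH-STRONG-PSK>
```

Two points to check in practice. First, the remote peer's outside address must not fall inside the destination range of the crypto ACL; if the server range happened to contain the peer itself, the ASA would try to protect its own IKE/ESP traffic to that peer and the tunnel would never establish, so the public range on the far side has to be split so the peer address is excluded. Second, the NONAT and crypto ACLs must describe the same flows, otherwise the inside hosts are PATed to the ASA's outside address before the crypto map is consulted and the traffic is simply routed in the clear to the publicly reachable servers. That second failure mode is also why the remote firewall should only accept traffic to these servers from the tunnel: if it accepts the same traffic unencrypted, the IPsec tunnel adds confidentiality only when the NAT exemption is right, and nothing alerts you when it is not.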



Jitendriya Athavale Wed, 08/04/2010 - 00:25

They want to use IPsec probably because they want to encrypt traffic between your internal network and their servers having public IPs... dunno why they would want that...

Or probably they might have another device behind the remote firewall doing the NATting...

