IPSec tunnel questions - non-RFC 1918 ip address

Unanswered Question
Oct 15th, 2014

A client has requested a B2B VPN with our company. I decided to use an RV042 dual WAN router on our end.

Our client wants us to use non-RFC 1918 IP address because they cannot route to RFC 1918 addresses for interesting traffic.

In our private network, we use RFC 1918 addresses. Do I need to change all our IP addresses to non-RFC 1918 addresses in our internal network?

Appreciate your comments.

Jody Lemoine Wed, 10/15/2014 - 22:41
User Badges:
  • Gold, 750 points or more
  • Community Spotlight Award, Member's Choice, April 2016

Normally, when setting up a policy-based IPSec VPN, NAT is disabled for the networks in the tunnel policy so that they can communicate as if they were on the same private network. This works well for internal VPNs, but not as smoothly for B2B/Extranet VPNs for the exact reasons you've given.

If you terminate the tunnel using the same IPv4 address that you use to source the VPN traffic and ensure that NAT remains enabled for the VPN, you should be able to use NAT and avoid having to re-address.

I haven't worked with an RV042 in a bit so I'm unsure if it has that flexibility, but that's the first angle I would pursue.

emram07931 Sat, 10/18/2014 - 16:45

Thanks for your reply.

We terminated the VPN tunnel with a non-RFC 1918 IP address (203.x.x.x) to comply with the client company. They want to make sure that interesting traffic is routed to a registered IP address. The IP address of the RV042 is still 192.168.1.2, while the VPN local group is set to 203.x.x.x.

For the RV042 to see the 203.x.x.x network, I added 203.x.x.x in the Multiple Subnet Setting in the RV042.

In our network, we have 2 routers (192.168.1.1 and 192.168.1.2) connected on the same switch. We use 192.168.1.1 as the default gateway and DHCP server. We can also use 192.168.1.2 if I manually configure it on the workstation.

I was thinking of adding a static route to our workstations to use 192.168.1.2 to go to the 203.x.x.x VPN tunnel. I am not sure if this will work but I want to know if I am on the right track.

I am also not sure on how the Multiple Subnet Setting works on the RV042.

Will these make me avoid changing our LAN IP addresses to 203.x.x.x?


Jody Lemoine Sat, 10/18/2014 - 17:45
User Badges:
  • Gold, 750 points or more
  • Community Spotlight Award, Member's Choice, April 2016

I would put the route on the 192.168.1.1 router with 192.168.1.2 as the gateway. This saves you from reconfiguring all of the workstations. When they send a packet to their default gateway, they will either get an ICMP redirect to the correct router or the default gateway router will manually reroute the traffic depending on the configuration.

As long as the RV042 is performing NAT on the VPN traffic, which it should be doing if everything is terminating on its external IPv4 address, there should be no need to renumber anything internally... but it's worth testing first, of course.
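The three pieces of the design discussed in this thread (a static route for the partner network on the 192.168.1.1 gateway pointing at the RV042, source NAT on the RV042 so tunnel traffic is sourced from the registered 203.x.x.x range, and the partner's refusal of RFC 1918 sources) can be traced end to end in a small packet-path model. The following is an added example written for this page, not the RV042's firmware or anything posted in the thread. The concrete addresses are assumptions: 203.0.113.0/24 stands in for the 203.x.x.x local group, 198.51.100.0/24 for the partner's remote group (which the thread never names), and 203.0.113.1 for the address the RV042 NATs to. Note that Python's `ip_address.is_private` is deliberately not used, because it also flags the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges; the partner's constraint is specifically RFC 1918, so those three prefixes are checked explicitly.

```python
import ipaddress
from dataclasses import dataclass

# The three RFC 1918 prefixes. The partner cannot route replies to any of these.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(addr):
    a = ipaddress.ip_address(addr)
    return any(a in n for n in RFC1918)

# Assumed addressing (placeholders; the thread only says 203.x.x.x and 192.168.1.x).
LAN_NET = ipaddress.ip_network("192.168.1.0/24")       # internal LAN, stays RFC 1918
VPN_LOCAL_NET = ipaddress.ip_network("203.0.113.0/24")  # RV042 VPN local group / Multiple Subnet entry
PARTNER_NET = ipaddress.ip_network("198.51.100.0/24")   # partner's remote group (assumed)
DEFAULT_GW = "192.168.1.1"   # default gateway and DHCP server
RV042_LAN = "192.168.1.2"    # RV042 LAN address, same switch as the gateway
NAT_PUBLIC = "203.0.113.1"   # address the RV042 sources tunnel traffic from (assumed)

@dataclass
class Packet:
    src: str
    dst: str

def gateway_next_hop(pkt, static_routes):
    """Router 192.168.1.1: longest-prefix match over its static routes, else the Internet default.
    Returns (next_hop, icmp_redirect_sent). A redirect is sent when the chosen next hop sits on
    the same LAN as the sender, which is exactly the 192.168.1.2 case from the thread."""
    dst = ipaddress.ip_address(pkt.dst)
    best = None
    for net, nh in static_routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    if best is None:
        return "internet-default", False
    nh = best[1]
    redirect = ipaddress.ip_address(nh) in LAN_NET and ipaddress.ip_address(pkt.src) in LAN_NET
    return nh, redirect

def rv042_forward(pkt, nat_enabled):
    """RV042: traffic for the partner net is source-NATed (if enabled) and then has to match the
    policy-based tunnel selector local-group <-> remote-group before it enters the SA."""
    dst = ipaddress.ip_address(pkt.dst)
    if dst not in PARTNER_NET:
        return "not-interesting", pkt
    if nat_enabled and ipaddress.ip_address(pkt.src) in LAN_NET:
        pkt = Packet(NAT_PUBLIC, pkt.dst)          # LAN source rewritten to the registered address
    if ipaddress.ip_address(pkt.src) in VPN_LOCAL_NET:
        return "tunnel", pkt
    # With NAT off, a 192.168.1.x source never matches the 203.x.x.x local group.
    return "dropped-no-policy-match", pkt

def partner_accepts(pkt):
    """Partner side: interesting traffic sourced from RFC 1918 is refused (no return route)."""
    return not is_rfc1918(pkt.src)

def trace(workstation_src, partner_dst, nat_enabled=True, static_routes=None):
    """Walk one packet from a workstation through the gateway, the RV042 and the partner check."""
    routes = static_routes if static_routes is not None else [(PARTNER_NET, RV042_LAN)]
    pkt = Packet(workstation_src, partner_dst)
    hop, redirect = gateway_next_hop(pkt, routes)
    if hop != RV042_LAN:
        return {"next_hop": hop, "result": "leaked-to-internet"}
    status, out = rv042_forward(pkt, nat_enabled)
    if status != "tunnel":
        return {"next_hop": hop, "redirect": redirect, "result": status}
    result = "delivered" if partner_accepts(out) else "partner-rejected"
    return {"next_hop": hop, "redirect": redirect, "result": result, "seen_src": out.src}

if __name__ == "__main__":
    print(trace("192.168.1.50", "198.51.100.10"))                    # delivered, seen as 203.0.113.1
    print(trace("192.168.1.50", "198.51.100.10", nat_enabled=False))  # dropped at the RV042 policy
    print(trace("192.168.1.50", "198.51.100.10", static_routes=[]))   # no route: leaks to the Internet
```

The two failure paths are the ones worth testing on the real gear before declaring the design done: with the static route missing, traffic for the partner follows the 192.168.1.1 default route to the Internet instead of the RV042; with NAT disabled on the VPN, the 192.168.1.x source never matches the 203.x.x.x local group and the RV042 never puts it into the tunnel, so nothing at all reaches the partner.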
