11-28-2006 03:53 PM - edited 03-11-2019 02:01 AM
I have a site to site VPN being set up between 2 515s, each running 6.3(5).
We have overlapping encryption domains (the servers we need to access at the remote location are in a network we already have locally defined).
How can I overcome this?
Servers at the remote site are exposed to the internet for public access.
I believe the cookie cutter solution is to create static translations for all the servers we need to access (to public IPs) and then our match list ACL just references the public IPs (after translations). Some of the servers at the remote site however are not internet facing and I would prefer to not have to A) use up public IPs with statics and B) not add translations to public IPs unless absolutely needed...(you know...defense in depth, another layer of security all that jazz...if someone adds a broad ACL by mistake it doesn't immediately expose my internal servers if they don't have public translations in place).
Do I have any options?
I had this grand plan where I was hide-NATing traffic leaving my end and creating a network block static on the other end mapping the servers to a virtual non-routable network. Then I would hit these non-routable IPs that I made up to access the servers. Sadly I didn't look 2 steps ahead and realize this would preclude me from being able to add the public xlates required to expose these servers to the internet.
Any other ideas?
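For readers following the thread, here is a sketch of the "cookie cutter" approach the poster describes (translate the remote servers to public addresses and match the translated addresses in the crypto ACL), written as a PIX 6.3-style configuration fragment. This is an added illustration, not configuration from the poster or from Cisco, and every address, name and ACL in it is a constructed placeholder (RFC 5737 documentation ranges): 192.168.10.0/24 is the overlapping inside network at both sites, 198.51.100.1 is the local PIX outside address, 203.0.113.10 is the public static for one remote server, and the peer addresses and transform set are assumed.

```text
! ---------- Local PIX (our end) ----------
! Hide-NAT everything leaving inside behind the outside interface address,
! so the remote server never sees a 192.168.10.x source that overlaps its
! own subnet. (Constructed example; nat-id 1 is arbitrary.)
nat (inside) 1 192.168.10.0 255.255.255.0 0 0
global (outside) 1 interface

! Crypto ACL matches POST-translation addresses: our outside address to the
! remote server's public static. Only the translated hosts we need are listed.
access-list vpn-to-remote permit ip host 198.51.100.1 host 203.0.113.10

crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map site2site 10 ipsec-isakmp
crypto map site2site 10 match address vpn-to-remote
crypto map site2site 10 set peer 203.0.113.1
crypto map site2site 10 set transform-set strong
crypto map site2site interface outside
sysopt connection permit-ipsec

! ---------- Remote PIX ----------
! One-to-one static exposing the server on a public address. This is the
! translation the poster would rather avoid for non-internet-facing hosts,
! because any permit on the outside interface ACL now reaches the server.
static (inside,outside) 203.0.113.10 192.168.10.50 netmask 255.255.255.255 0 0

! Mirror-image crypto ACL (again post-NAT addresses).
access-list vpn-to-local permit ip host 203.0.113.10 host 198.51.100.1

! Outside interface ACL: keep it to the single public service the internet
! needs. With sysopt connection permit-ipsec, VPN traffic bypasses this ACL,
! so this list governs only the internet-facing exposure created by the static.
access-list outside_in permit tcp any host 203.0.113.10 eq www
access-group outside_in in interface outside

crypto map site2site 10 ipsec-isakmp
crypto map site2site 10 match address vpn-to-local
crypto map site2site 10 set peer 198.51.100.1
crypto map site2site 10 set transform-set strong
crypto map site2site interface outside
sysopt connection permit-ipsec
```

The point the poster raises shows up in the remote half: once `static (inside,outside)` maps a server to a public address, the only thing standing between the internet and that server is the `outside_in` ACL, so a careless `permit ip any any` added there exposes it immediately. Servers without a public static are not reachable from outside regardless of ACL mistakes, which is the extra layer the poster wants to preserve.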
11-29-2006 06:16 AM
if you can upload a drawing of this, i'll get you going.
11-29-2006 07:52 AM
Would this help you?
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800949f1.shtml
Gilbert