Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

IPSec tunnel questions - non-RFC 1918 ip address

A client has requested an B2B vpn with our company.  I decided to use RV042 dual wan router on our end.

Our client wants us to use non-RFC 1918 IP address because they cannot route to RFC 1918 addresses for interesting traffic.

In our private network, we use RFC 1918 addresses. Do I need to change all our  IP addresses to non-RFC 1918 addresses in our internal network?

Appreciate your comments.

3 REPLIES

Normally, when setting up a

Normally, when setting up a policy-based IPSec VPN, NAT is disabled for the networks in the tunnel policy so that they can communicate as if they were on the same private network. This works well for internal VPNs, but not as smoothly for B2B/Extranet VPNs for the exact reasons you've given.

If you terminate the tunnel using the same IPv4 address that you use to source the VPN traffic and ensure that NAT remains enabled for the VPN, you should be able to use NAT and avoid having to re-address.

I haven't worked with an RV042 in a bit so I'm unsure if it has that flexibility, but that's the first angle I would pursue.

Community Member

Thanks for your reply.We

Thanks for your reply.

We terminated the VPN tunnel with a non-RFC 1918 ip address (203.x.x.x) to comply with the client company.  They want to make sure that interesting traffic is routed to a registered IP address. The IP address of the RV042 is still 192.168.1.2 while the VPN local group is set to 203.x.x.x.

For the RV042 to see the 203.x.x.x network, I added 203.x.x.x in the Multiple Subnet Setting in the RV042.

In our network, we have 2 routers (192.168.1.1 and 192.168.1.2) connected on the same switch. We use 192.168.1.1 as the default gateway and DHCP server. We can also use 192.168.1.2 if I manually configure it on the workstation.

I was thinking of adding a static route to our workstations to use 192.168.1.2 to go to the 203.x.x.x VPN tunnel. I am not sure if this will work but I want to know if I am on the right track.

I am also not sure on how the Multiple Subnet Setting works on the RV042.

Will these make me avoid changing our LAN IP addresses to 203.x.x.x?

 

 

 

 

 

I would put the route on the

I would put the route on the 192.168.1.1 router with 192.168.1.2 as the gateway. This saves you from reconfiguring all of the workstations. When they send a packet to their default gateway, they will either get an ICMP redirect to the correct router or the default gateway router will manually reroute the traffic depending on the configuration.

As long as the RV042 is performing NAT on the VPN traffic, which it should be doing if everything is terminating on its external IPv4 address, there should be no need to renumber anything internally... but it's worth testing first, of course.

285
Views
0
Helpful
3
Replies
CreatePlease to create content