We are trying to create a VPN tunnel between routers. The only problem is that the ISP at one site does not advertise the external interface IP address of the router. This apparently is standard practice for some ISPs. The problem is that if we cannot see the outside interface of the router, then the endpoint for the VPN cannot be reached.
Not really, each endpoint needs to contact the other side to build the tunnel.
I presume the inside users behind this router are not using NAT/PAT, so does that mean they have valid global addresses on their inside network (and on the inside interface of the router)?
If so, you can build a tunnel to this inside interface assuming the other router can reach that. Just set the peer address on the other router to the inside IP address of this router, then on this router use the command:
> crypto map local-address
Then it'll source all its crypto packets from the inside address rather than the outgoing address.
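The configuration the reply above describes, written out as an added example (not the poster's own config). It assumes Cisco IOS, that the inside interface of the router behind the non-advertising ISP (call it Router A, interface FastEthernet0/0) holds a globally routable address reachable from the other site, and uses constructed TEST-NET addresses (198.51.100.1 for Router A's inside interface, 203.0.113.2 for Router B's outside interface) plus a placeholder pre-shared key. Interface names, map and ACL names are assumptions. The crypto map is still applied to the outgoing (outside) interface; `local-address` only changes which address the router sources ISAKMP/IPsec traffic from and therefore which address the far end must use as its peer.

```cisco
! ---- Router A (site where the ISP does not advertise the outside address) ----
! Inside interface carries the globally reachable address that will be the VPN endpoint.
interface FastEthernet0/0
 description Inside - globally routable address used as IPsec endpoint (assumed)
 ip address 198.51.100.1 255.255.255.0
!
interface FastEthernet0/1
 description Outside - address not advertised by the ISP
 ip address 192.0.2.1 255.255.255.252
 crypto map VPNMAP
!
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
! Placeholder key; the same value must be configured on Router B.
crypto isakmp key REPLACE-WITH-STRONG-PSK address 203.0.113.2
!
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
!
! Traffic to protect: Router A's inside block to the 10.2.0.0/16 site.
ip access-list extended VPN-TRAFFIC
 permit ip 198.51.100.0 0.0.0.255 10.2.0.0 0.0.255.255
!
! Source all crypto packets from the inside interface instead of the outside one.
crypto map VPNMAP local-address FastEthernet0/0
crypto map VPNMAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS
 match address VPN-TRAFFIC

! ---- Router B (far site, 10.2.0.0/16 behind it) ----
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
! Key and peer point at Router A's INSIDE address, not its outside one.
crypto isakmp key REPLACE-WITH-STRONG-PSK address 198.51.100.1
!
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
!
ip access-list extended VPN-TRAFFIC
 permit ip 10.2.0.0 0.0.255.255 198.51.100.0 0.0.0.255
!
crypto map VPNMAP 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set TS
 match address VPN-TRAFFIC
!
interface FastEthernet0/1
 description Outside
 ip address 203.0.113.2 255.255.255.252
 crypto map VPNMAP
```

After applying it, generate interesting traffic from one site and check `show crypto isakmp sa` (expect a peer entry showing 198.51.100.1 and 203.0.113.2 in state QM_IDLE) and `show crypto ipsec sa` (encaps/decaps counters increasing). If phase 1 never forms, the usual cause in this scenario is that the far site has no route to Router A's inside block, which the ISP must be carrying for this design to work at all.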
The users on the inside of the router will be on a private address space, say 10.1.0.0/16.
The router will need to provide NAT to a couple of internal machines, 10.1.0.10 and 10.1.0.11 (/16), for PROXY and EMAIL access. All other traffic will be local or passing down the VPN tunnel to the 10.2.0.0/16 network.
I have a number of global IP addresses to use for internet access (NAT) and to create my VPN tunnel.
The internal router interface (the clients' default gateway) will be 10.1.0.1/16.
Can I also give this interface a secondary IP address using one of my global IP addresses (say 18.104.22.168) and use this secondary IP address on the internal interface as my VPN endpoint?