We've never had a problem setting up ASA to ASA or ASA to PIX vpn site to site tunnels using RFC-1918 addresses ( 10.x.x.x usually ). Now we have a customer ( a hospital ) that requires a public non-RFC1918 address to be presented to them. Since the addresses that we send are routable, they get routed through the internet instead of going through the tunnel. How do we fix this? Here's the boiler plate from the customer:
"ImportantNote:The following information is to be used as a guideline in setting up a VPN connection between XXXX and your organization. Currently, XXXX supports only site-to-site VPN’s and all partners MUST present valid registered public IP addresses through the VPN tunnel.XXXX is unable to accept RFC-1918 addresses (i.e. 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16). We do not support PPTP, L2TP, or client VPN connections through a dialer application."
I was able to get a tunnel running between two ASA-5505 units using a public class C address that is currently not routable. How do I get this to work with a routable address? The tunnel will be carrying patient data and is basically a single server to single server link. It needs AES-256 and SHA-5 encryption but that shouldn't be a problem. The hospital is using a PIX, we are using an ASA-5510 with Security Plus license. We also have a couple of ASA-5505 units with base license to test with.
You can set this up the same as you would the other L2L tunnels that use private addressing. You'll need to no-nat the public addresses that you're using. You'll still have a public 'peer' address on both ends and that is what will be used to build the tunnel. When you specify the other public addresses in your 'interesting traffic' ACL and attach it to your crypto map it will tunnel that traffic, so you don't need to worry about them routing like normal on the internet.
**Please remember to rate helpful posts as well as mark the question as 'answered' once your issue is resolved. This will help others to find your solution faster.
DocumentationCode download linksGoalRequirementLimitationsSupported ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and UCS-E Blades:Step by Step ConfigurationConfigure one of the connectivity options to access the Cisco IMC from the n...
Firepower Threat Defense (NGFWv) on UCS E-series - Transparent Mode in HA
DocumentationCode download linksGoalRequirementLimitationsSupported ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and UCS-E Blades:Step by Step ConfigurationCo...
I am currently unable to specify "crypto keyring" command when configuring VPN connection on my cisco 2901 router.
The following licenses have been activated on my router :