Site-to-site VPN - Is it possible to have local network as public addresses?

Tony Zhou, Level 1

Hello all,

I have been trying to set up a site-to-site VPN between my company A and another company B. For our end we're using an ASA 5525-X running IOS 9.4, and we have our internal network addresses 172.16.10.0/24 with gateway 172.16.0.1, netmask 255.255.0.0. Our ASA has a public IP of say 100.100.0.1.

Now we need to set up the S2S VPN with company B. They are using a Cisco 7204VXR router with a public IP of 200.200.0.100; however, they insist on having their local network as 200.200.100.0/24, which is a public network. Currently, the tunnel gets established for ~30 s, then my ASA reports "Lost service" and the tunnel is torn down. Meanwhile, there is no traffic at all while the tunnel is established (no Tx or Rx bytes).

I have tried disabling NAT exemption for my site-to-site VPN configuration; however, if that is disabled, the site-to-site VPN does not establish at all.

Any help is greatly appreciated.

Thanks,

TZ

2 Replies

Philip D'Ath, VIP Alumni

You can have almost anything you like for the encryption domains, your public address space, someone else's public address space, private, etc.

Your Rx counter is not going up. That means either they didn't send it successfully, or you didn't receive it successfully. So I would first start at their end, and make sure their Tx counter is going up. If not, they need to fix that first. You certainly cannot receive something they have not sent.
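The counter check described in this reply, as an added worked example that is not part of the original thread. It parses two snapshots of the ASA's `show crypto ipsec sa` output taken a few seconds apart, computes the per-SA deltas of the encaps (Tx) and decaps (Rx) counters, and turns the four possible combinations into a verdict. The snapshot text is constructed for the example (trimmed to the fields that are parsed); the addresses mirror the thread, and `make_snapshot`, `classify` and `diagnose` are names introduced here, not ASA commands.

```python
import re


def make_snapshot(encaps, decaps, seq=10):
    """Build a minimal ASA-style 'show crypto ipsec sa' excerpt.

    Constructed sample output for this example, trimmed to the lines the
    parser below reads; a real snapshot would be captured from the ASA CLI."""
    return f"""\
interface: outside
    Crypto map tag: outside_map, seq num: {seq}, local addr: 100.100.0.1

      local ident (addr/mask/prot/port): (172.16.10.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (200.200.100.0/255.255.255.0/0/0)
      current_peer: 200.200.0.100

      #pkts encaps: {encaps}, #pkts encrypt: {encaps}, #pkts digest: {encaps}
      #pkts decaps: {decaps}, #pkts decrypt: {decaps}, #pkts verify: {decaps}
"""


# One match per SA block: sequence number, both proxy identities, Tx and Rx.
SA_RE = re.compile(
    r"seq num: (?P<seq>\d+).*?"
    r"local ident \(addr/mask/prot/port\): \((?P<local>[^/]+/[^/]+)/.*?"
    r"remote ident \(addr/mask/prot/port\): \((?P<remote>[^/]+/[^/]+)/.*?"
    r"#pkts encaps: (?P<encaps>\d+).*?"
    r"#pkts decaps: (?P<decaps>\d+)",
    re.DOTALL)


def parse_sas(text):
    """Map (seq, local ident, remote ident) -> (encaps, decaps) for each SA."""
    return {(int(m["seq"]), m["local"], m["remote"]):
            (int(m["encaps"]), int(m["decaps"]))
            for m in SA_RE.finditer(text)}


def classify(d_encaps, d_decaps):
    """Verdict from the change in Tx (encaps) and Rx (decaps) between snapshots."""
    if d_encaps == 0 and d_decaps == 0:
        return "no_traffic"
    if d_encaps > 0 and d_decaps == 0:
        return "tx_only"
    if d_encaps == 0:
        return "rx_only"
    return "bidirectional"


ADVICE = {
    "no_traffic": "nothing encrypted or decrypted here: this ASA is not even "
                  "sending, so check that interesting traffic reaches the "
                  "crypto ACL (NAT exemption, routing) before asking the peer",
    "tx_only": "we encapsulate but nothing comes back: confirm the peer's Tx "
               "(encaps) counter is rising; if it is not, the fault is at "
               "their end",
    "rx_only": "peer traffic arrives but we send nothing back: check our "
               "return path and NAT exemption for the reply traffic",
    "bidirectional": "traffic flows both ways over this SA",
}


def diagnose(before_text, after_text):
    """Compare two snapshots and return {sa_key: (verdict, advice)}.

    An SA absent from the first snapshot is treated as having started at zero,
    which is what a freshly built tunnel looks like."""
    before, after = parse_sas(before_text), parse_sas(after_text)
    result = {}
    for key, (enc1, dec1) in after.items():
        enc0, dec0 = before.get(key, (0, 0))
        verdict = classify(enc1 - enc0, dec1 - dec0)
        result[key] = (verdict, ADVICE[verdict])
    return result


if __name__ == "__main__":
    # The symptom in the thread: tunnel up, no Tx or Rx bytes at all.
    for key, (verdict, advice) in diagnose(make_snapshot(0, 0),
                                           make_snapshot(0, 0)).items():
        print(key, verdict, "-", advice)
```

The point of the deltas rather than the raw counters is that an SA can carry stale totals from before a rekey; only a counter that is still moving tells you something about the current tunnel. Run the same comparison on the far-end router's output before concluding anything about its Tx.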

Thanks. Raised this issue with TAC and found that the other end's router had incomplete crypto maps which mistakenly matched our crypto map. Changing the priority of our crypto map works.
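A check for the condition found by TAC, as an added example that is not part of the original thread: given an IOS-style crypto map configuration from the far-end router, it lists entries that are incomplete (no `set peer`, no `set transform-set` or no `match address`) and works out which entry would be selected for a given pair of proxy identities, using the simplified rule that entries are tried in ascending sequence order and the first whose ACL covers the traffic wins. The configuration text, map name `VPNMAP`, transform-set name `TS-AES` and ACLs 101/102 are constructed assumptions for the example; the addresses mirror the thread. Entry 5 is deliberately incomplete and its ACL is broader than entry 10's, so it is the one that gets matched.

```python
import ipaddress
import re

# Constructed IOS-style configuration for the far-end router. Names, sequence
# numbers and ACL numbers are assumptions for this example, not from the thread.
FAR_END_CONFIG = """\
crypto map VPNMAP 5 ipsec-isakmp
 match address 101
crypto map VPNMAP 10 ipsec-isakmp
 set peer 100.100.0.1
 set transform-set TS-AES
 match address 102
access-list 101 permit ip 200.200.100.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 102 permit ip 200.200.100.0 0.0.0.255 172.16.10.0 0.0.0.255
"""

REQUIRED = ("peer", "transform", "acl")


def wildcard_to_network(addr, wildcard):
    """Convert an IOS 'address wildcard' pair to an ip_network (e.g. 0.0.0.255 -> /24)."""
    bits = int(ipaddress.IPv4Address(wildcard))
    if bits & (bits + 1):  # wildcard must be a run of low-order 1 bits
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return ipaddress.ip_network(f"{addr}/{32 - bits.bit_length()}", strict=False)


def parse_config(text):
    """Return ({seq: {peer, transform, acl}}, {acl: [(src_net, dst_net)]})."""
    entries, acls, current = {}, {}, None
    for line in text.splitlines():
        m = re.match(r"crypto map \S+ (\d+) ipsec-isakmp", line)
        if m:
            current = entries.setdefault(int(m.group(1)), {})
            continue
        m = re.match(r"access-list (\d+) permit ip (\S+) (\S+) (\S+) (\S+)", line)
        if m:
            acl, src, swild, dst, dwild = m.groups()
            acls.setdefault(acl, []).append(
                (wildcard_to_network(src, swild), wildcard_to_network(dst, dwild)))
            continue
        if current is None:
            continue
        line = line.strip()
        if line.startswith("set peer "):
            current["peer"] = line.split()[2]
        elif line.startswith("set transform-set "):
            current["transform"] = line.split()[2]
        elif line.startswith("match address "):
            current["acl"] = line.split()[2]
    return entries, acls


def incomplete_entries(entries):
    """Sequence numbers of entries lacking a peer, transform set or ACL."""
    return sorted(seq for seq, e in entries.items()
                  if any(k not in e for k in REQUIRED))


def select_entry(entries, acls, local_net, remote_net):
    """Lowest-sequence entry whose ACL covers local_net -> remote_net, or None.

    Simplified model of crypto map evaluation: ascending sequence order, first
    ACL hit wins. local/remote are seen from the far end's point of view."""
    for seq in sorted(entries):
        for src, dst in acls.get(entries[seq].get("acl"), []):
            if local_net.subnet_of(src) and remote_net.subnet_of(dst):
                return seq
    return None


def check_tunnel(config_text, local, remote):
    """Which entry the far end would use for this proxy-ID pair and whether it
    is complete. Returns (seq, complete)."""
    entries, acls = parse_config(config_text)
    seq = select_entry(entries, acls,
                       ipaddress.ip_network(local), ipaddress.ip_network(remote))
    return seq, seq is not None and seq not in incomplete_entries(entries)


if __name__ == "__main__":
    entries, _ = parse_config(FAR_END_CONFIG)
    print("incomplete entries:", incomplete_entries(entries))
    # Their local network -> our network, as the far end would see the proxy IDs.
    print("selected:", check_tunnel(FAR_END_CONFIG, "200.200.100.0/24", "172.16.10.0/24"))
```

When the selected entry comes back as incomplete, the fix belongs on the side that owns that configuration: either complete the entry or remove it, so that the next entry in sequence (here, 10) is the one that matches. The check is only a static model of the lookup; the router's own `show crypto map` output remains the authority on which entries it treats as active.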