Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1174
Views
35
Helpful
5
Replies

public IPs in lan to lan VPN encryption domain

jessica jestol
Level 1
Level 1

‎09-24-2019 03:11 PM

I have a vendor that I need to set up a site to site vpn with and they want me to use public IPs in the encryption domain. Can anyone explain why they would want to do this or if it offers any security benefits or weaknesses?

Labels:
0 Helpful
5 Replies 5

Rob Ingram
VIP
VIP

‎09-24-2019 03:21 PM

Hi,

I imagine they are probably natting on their end, thus hiding the real (private) ip address from you.

 

If you wanted to, you can restrict access to what that IP address can access, apply a VPN Filter.

 

HTH

bhargavdesai
Spotlight
Spotlight
In response to Rob Ingram

‎09-25-2019 01:00 AM

With agreement to our Expert RJI, I would like to add one more scenario where there may be overlapping private IP range used by the vendor or they may have multiple tunnels to different vendors, partners or customers that may be using same private IP address. Yes there is possibility double NAT but they want to avoid lot of complexity.

Generally when a vendor is having lot of VPN Tunnels with different vendors, customers, or partners for limited number of host in encryption domain, they would use Public IP address to avoid overlapping private IP address used locally and/or by other vendors, customers or partners.

HTH
### RATE ALL HELPFUL RESPONSES ###

Karsten Iwen
VIP
VIP

‎09-25-2019 06:31 AM

Another scenario is that you have a DMZ with a public IP network because the server in this DMZ needs communication to the internet without NAT. If this DMZ is accessed through the VPN, you have public IPs in your encryption domain.

 

But more likely, whenever accessing a public service through VPNs, the public IPs make sure there is no overlap with your own addresses.

jessica jestol
Level 1
Level 1
In response to Karsten Iwen

‎09-25-2019 08:45 AM

So, to elaborate on my initial question, my client is a hospital. I already have an ikev1 tunnel established to their older juniper SRX. After the Medstar ransomware incident, they started to beef up their security. They went and got themselves a shiny new fortigate and want to establish a new tunnel to that using route based ikev2. I already know what their private IPs are so I'm trying to figure out why they suddenly want to start using private IPs. We have a /28 at our datacenter that's only got a few usable IPs left so I don't want to waste them. I honestly can't see what security benefit they would gain by moving to public IPs.

bhargavdesai
Spotlight
Spotlight
In response to jessica jestol

‎09-25-2019 08:59 AM

Quick reply
Not sure about security benefit but may be manageability enhanced and to add more you can use the same IP for other VPN or host server and for internet access.


HTH
### RATE ALL HELPFUL RESPONSES ###
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card