Site to site VPN using public addresses on local network

russgunther
Level 1

I have a request to establish a site to site VPN with a customer. While collecting the information I gave them our local network subnet, which is a private subnet (192.168.5.0). They asked me if I could give them a public address instead. They cannot work with the 192.168.5 subnet. Is this possible?

My side of the VPN is an ASA 5505 running 8.2(2). The other side, I believe, is a Checkpoint.

5 Replies

manish arora
Level 6

The local LAN network that you are using is RFC 1918; it is not globally routed. I am not sure what level of site to site VPN you are doing, but for complete access they will need your public IP on the ASA and your LAN address (which you have given already). You will also need the same info from the other end to configure your side of the Site2Site.

Manish

Yes, they have my public IP and I have their information as well. However, they cannot work with my local LAN subnet and are asking that I provide them public addresses for the local LAN. Without putting public IP addresses on my internal workstations, is this even possible?

Is this site to site going to be for complete access to each other's LAN, or is it going to be for a certain server that they have exposed to the internet but need IPsec encryption?

Manish

Limited hosts and ports. It is mainly one way for remote support of 2 servers. HTTPS and RDP.

Russ,

I think you should ask them to provide you with more information on why they need public IPs. If it's two servers only and they insist that they need public IPs, then you can always static NAT your two machines, and then you can encrypt communication between the public IPs using IPsec.

But then again, I will again ask for an explanation from the other end.

Manish
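
The static NAT plus IPsec approach suggested in the last reply, sketched as an added configuration example for ASA 8.2 syntax; it is not from any poster in the thread. It uses policy static NAT so the translation applies only to traffic toward the customer, and every address, object name, the interface names and the IKE/IPsec parameters are assumptions that must be replaced with values agreed with the peer.

```cisco
! Added example for ASA 8.2(x) (pre-8.3 NAT syntax). All addresses are placeholders:
!   192.168.5.10, 192.168.5.11   the two inside servers (assumed host addresses)
!   203.0.113.10, 203.0.113.11   spare public addresses routed to the ASA (assumed)
!   198.51.100.1                 customer VPN gateway (assumed)
!   198.51.100.32/27             customer support network (assumed)
! Interface names "inside" and "outside" are assumed.

! Policy static NAT: each server is translated only when talking to the customer network.
access-list POLICY-NAT-SRV1 extended permit ip host 192.168.5.10 198.51.100.32 255.255.255.224
access-list POLICY-NAT-SRV2 extended permit ip host 192.168.5.11 198.51.100.32 255.255.255.224
static (inside,outside) 203.0.113.10 access-list POLICY-NAT-SRV1
static (inside,outside) 203.0.113.11 access-list POLICY-NAT-SRV2

! NAT runs before encryption, so the crypto ACL matches the translated addresses.
! The servers must not also match a "nat (inside) 0" exemption toward the
! customer network, because NAT exemption is evaluated before static NAT.
access-list CRYPTO-CUSTOMER extended permit ip host 203.0.113.10 198.51.100.32 255.255.255.224
access-list CRYPTO-CUSTOMER extended permit ip host 203.0.113.11 198.51.100.32 255.255.255.224

! Phase 1 (values assumed; they must match the peer's proposal).
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400

! Phase 2. If a crypto map is already bound to "outside", add a new sequence
! number to that map instead of creating OUTSIDE_MAP.
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address CRYPTO-CUSTOMER
crypto map OUTSIDE_MAP 10 set peer 198.51.100.1
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP interface outside

tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 pre-shared-key <PLACEHOLDER-SHARED-SECRET>
```

After the peer brings the tunnel up, `show xlate` should list the two policy translations and `show crypto ipsec sa` should show the security associations keyed on the translated addresses rather than 192.168.5.x.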
