ASA VPN that does NOT use RFC-1918 addresses

clarke
Level 1

We've never had a problem setting up ASA to ASA or ASA to PIX site-to-site VPN tunnels using RFC-1918 addresses (10.x.x.x usually). Now we have a customer (a hospital) that requires a public non-RFC1918 address to be presented to them. Since the addresses that we send are routable, they get routed through the internet instead of going through the tunnel. How do we fix this? Here's the boilerplate from the customer:

"Important Note: The following information is to be used as a guideline in setting up a VPN connection between XXXX and your organization. Currently, XXXX supports only site-to-site VPNs and all partners MUST present valid registered public IP addresses through the VPN tunnel. XXXX is unable to accept RFC-1918 addresses (i.e. 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16). We do not support PPTP, L2TP, or client VPN connections through a dialer application."

I was able to get a tunnel running between two ASA-5505 units using a public class C address that is currently not routable.  How do I get this to work with a routable address?  The tunnel will be carrying patient data and is basically a single server to single server link.  It needs AES-256 and SHA-5 encryption but that shouldn't be a problem.  The hospital is using a PIX, we are using an ASA-5510 with Security Plus license.  We also have a couple of ASA-5505 units with base license to test with.

1 Reply

Kevin P Sheahan
Level 5

You can set this up the same as you would the other L2L tunnels that use private addressing. You'll need to no-nat the public addresses that you're using. You'll still have a public 'peer' address on both ends and that is what will be used to build the tunnel. When you specify the other public addresses in your 'interesting traffic' ACL and attach it to your crypto map it will tunnel that traffic, so you don't need to worry about them routing like normal on the internet.

Kind Regards,

Kevin Sheahan, CCIE # 41349
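A worked ASA configuration for what Kevin describes, added here as an illustration rather than taken from the thread or from either party's real config. All addresses are placeholders from the RFC 5737 documentation ranges (our server 198.51.100.10, the hospital server 203.0.113.20, our outside/peer address 192.0.2.1, the hospital PIX peer 192.0.2.2), the ACL, transform-set, crypto-map and interface names are assumed, and the NAT exemption uses the pre-8.3 `nat 0 access-list` form that matches the "no-nat" wording in the answer.

```cisco
! Placeholder addresses (assumption, RFC 5737 documentation ranges):
!   our server, public non-RFC1918 address   198.51.100.10
!   hospital server, public address          203.0.113.20
!   our ASA outside / IKE peer address       192.0.2.1
!   hospital PIX outside / IKE peer address  192.0.2.2
!
! 1. Inside interface carries the public prefix the server lives in.
!    The server's default gateway is the ASA inside address, so packets
!    for 203.0.113.20 reach the ASA and are then matched against the
!    crypto map on the outside interface, not simply routed to the ISP.
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 198.51.100.1 255.255.255.0
!
! 2. Interesting traffic: host-to-host, public addresses on both sides.
!    The hospital must configure the exact mirror image of this ACL.
access-list VPN-HOSPITAL extended permit ip host 198.51.100.10 host 203.0.113.20
!
! 3. NAT exemption, so the public source address is presented unchanged
!    through the tunnel instead of being translated to the outside address.
access-list NONAT extended permit ip host 198.51.100.10 host 203.0.113.20
nat (inside) 0 access-list NONAT
!
! 4. IKE phase 1 and IPsec phase 2 policy. AES-256 with SHA HMAC, which is
!    what the ASA offers; the PIX side must match these proposals exactly.
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto ipsec transform-set AES256-SHA esp-aes-256 esp-sha-hmac
!
! 5. Crypto map: the peer is the hospital's public outside address; the
!    match ACL decides what enters the tunnel, routability notwithstanding.
crypto map OUTSIDE-MAP 10 match address VPN-HOSPITAL
crypto map OUTSIDE-MAP 10 set peer 192.0.2.2
crypto map OUTSIDE-MAP 10 set transform-set AES256-SHA
crypto map OUTSIDE-MAP 10 set pfs group5
crypto map OUTSIDE-MAP interface outside
!
! 6. Tunnel group keyed on the peer address, with the shared secret.
tunnel-group 192.0.2.2 type ipsec-l2l
tunnel-group 192.0.2.2 ipsec-attributes
 pre-shared-key <replace-with-shared-secret>
```

To verify that the routable destination really is being captured by the crypto map rather than forwarded in the clear, run `packet-tracer input inside tcp 198.51.100.10 1024 203.0.113.20 443` and check that the VPN phase shows ENCRYPT with an ALLOW result, then confirm `show crypto isakmp sa` reports the peer in MM_ACTIVE and `show crypto ipsec sa` shows encaps/decaps counters increasing once the server sends traffic. Two caveats worth checking on the other end: the PIX needs the same NAT exemption for 203.0.113.20, and if PFS is set on one side it must be set with the same group on the other or phase 2 will fail. On ASA 8.3 and later the `nat (inside) 0 access-list` line is replaced by a twice-NAT identity rule (`nat (inside,outside) source static` with the two hosts as network objects); the rest of the configuration is unchanged.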