1287 Views · 0 Helpful · 4 Replies

Site-to-site VPN using non RFC1918 addresses inside the tunnel

dave (Level 1)

I'm curious.

We set up many site-to-site VPNs to customer sites so our analysts can work on customer systems.

I just got a request from a customer that they will not allow RFC1918 addresses (private space IP addresses) to traverse the tunnel. So I have to NAT the RFC1918 addresses that will traverse the tunnel to a public address before they enter the tunnel. This seems odd to me. Can anyone tell me why they would not allow RFC1918 addresses to traverse the tunnel between our side and their side?

Thanks

4 Replies

Jouni Forss (VIP Alumni)

Hi,

I would say that usually Private IP addresses/subnets are used in L2L VPN connections. And if there is overlap then usually another Private IP address/subnet is used as NAT IP addresses to mask the overlapping networks.

It's been a very rare occurrence that the remote end would have actually demanded that public IP address space be used.

What the reason is I am not sure. It might be that they want to be 100% sure that there is no chance of address overlap now and in the future as you would be using unique IP addresses on the L2L VPN.

I can't think of a reason other than the one I mentioned above.

- Jouni

Thanks for your reply Jouni.

Yeah, I also thought it was because of the possibility of private address space overlap. But on our end of the tunnel I can adjust to whatever private address space is needed to avoid any overlap, because this is a dedicated connection for just this one project. I'll pose the question to our customer on this project to see if he can explain the requirement.

Hi,

It might be a policy on their side, so there is no other choice for the person in question. Or it might even be that all the connections so far have been configured in that way, so they don't want to deviate from that way of doing things.

Every now and then I run into strange requirements from the remote side that don't seem to make sense. Most of the time I might accept it unless it goes against something on our end.

The actual setup of using public IP address on your side would not be a problem though. You can easily even use your WAN interface IP address as the source for all your tunneled traffic.

- Jouni

That's a good point. I thought of using the WAN interface IP. But the strange thing is he wants a one-to-one IP mapping of the IPs that will traverse the tunnel. So if I have 10 analysts on my end needing to access systems on their end, I have to take the local 10.x.x.x addresses and NAT them to 10 unique public addresses.

-Dave
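The one-to-one mapping Dave describes, written out as Cisco ASA (8.3+ twice NAT) configuration, with Jouni's interface-PAT alternative shown at the end. This is an added example, not configuration from the thread, from Cisco or from either poster; the platform, the object names and every address are assumptions, and the 10.10.10.0/24, 203.0.113.0/24 and 198.51.100.0/24 blocks are constructed placeholders (the mapped addresses must be public space you actually hold).

```cisco
! Added example (ASA 8.3+ syntax assumed). Constructed placeholder addresses:
!   10.10.10.0/24   = our analysts' real (RFC1918) addresses
!   203.0.113.0/24  = public block we own, used as the mapped addresses in the tunnel
!   198.51.100.0/24 = the customer's systems on the far end of the tunnel
object network CUSTOMER-SYSTEMS
 subnet 198.51.100.0 255.255.255.0

! One-to-one (static) NAT: each analyst gets a dedicated public address.
! Repeat the REAL/MAPPED pair for each of the 10 analysts.
object network ANALYST-01-REAL
 host 10.10.10.11
object network ANALYST-01-MAPPED
 host 203.0.113.11
object network ANALYST-02-REAL
 host 10.10.10.12
object network ANALYST-02-MAPPED
 host 203.0.113.12

! Twice NAT scoped to the customer destination, so the translation applies
! only to traffic that will enter this tunnel. Manual NAT is first-match in
! order, so these lines must sit above any broader NAT-exempt (identity)
! rule for the same hosts, or the identity rule wins and RFC1918 leaks in.
nat (inside,outside) source static ANALYST-01-REAL ANALYST-01-MAPPED destination static CUSTOMER-SYSTEMS CUSTOMER-SYSTEMS
nat (inside,outside) source static ANALYST-02-REAL ANALYST-02-MAPPED destination static CUSTOMER-SYSTEMS CUSTOMER-SYSTEMS

! The crypto ACL (interesting traffic) must match the MAPPED addresses,
! because NAT happens before encryption. The customer's mirror-image ACL
! then references only the public addresses and never sees RFC1918 space.
object-group network ANALYSTS-MAPPED
 network-object object ANALYST-01-MAPPED
 network-object object ANALYST-02-MAPPED
access-list L2L-CUSTOMER extended permit ip object-group ANALYSTS-MAPPED object CUSTOMER-SYSTEMS
crypto map outside_map 10 match address L2L-CUSTOMER

! Alternative Jouni mentions (not one-to-one, so it does not meet this
! customer's requirement): PAT all analysts behind the outside interface
! address for this destination only.
! object network ANALYSTS-REAL
!  subnet 10.10.10.0 255.255.255.0
! nat (inside,outside) source dynamic ANALYSTS-REAL interface destination static CUSTOMER-SYSTEMS CUSTOMER-SYSTEMS
```

Check with `show nat detail` and `packet-tracer input inside tcp 10.10.10.11 1025 198.51.100.10 22` that the translated source is the mapped address and the flow is selected for the VPN, which confirms nothing in 10.x.x.x reaches the peer.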