
Use Public IP as Local Encryption Network

ementzer7
Level 1

Hello All,

We have a Cisco ASA 5520, and we're creating an IPSec VPN to another Cisco ASA.  We have multiple VPNs on this firewall. 

The issue with the latest one is they require a Public IP as the Local Encryption Network.  I've seen this question a couple times while searching but never really a definitive answer.

Would using the "Outside-Network" as the local encryption network, then natting the appropriate IPs be sufficient?  Or would this not work at all?

Our Public block is X1.X1.X1.64 - X1.X1.X1.79, our Peer IP X1.X1.X1.66.  Would using X1.X1.X1.64/28 as the local encryption network make the connection?  Then NAT the needed IPs from our DMZ X2.X2.X2.71 as X1.X1.X1.71 to the client?

Would this work or am I way off the mark (I'm by no means an ASA expert, and an ASDM explanation would help over command line).

Thanks all in advance,

Eli

Edit:  Or would I have to create a new Global Pool made up of Public IPs on a different subnet mask than our actual Public IP address pool.  And make that our Local Encrypted Network?  I think this might be it, but could it cause IP overlapping?  Our webserver is part of this and I'm worried about causing connection issues.

Thanks again...

8 Replies

ementzer7
Level 1

Any thoughts?  Even short Yes/No answers will be helpful!

Thanks

hobbe
Level 7

Hi

If I am not misunderstanding you, what you are asking about is IPsec host endpoints (not tunnel endpoints) when you are connecting up to a partner network via IPsec or they are connecting to you, i.e. the addresses that are sending/receiving the traffic you want to encrypt to and from.

This is normal operations if you are a big company that is talking to many other big companies.

Then you are tripping over the same network information, i.e. the same networks.

To avoid that problem you can use Internet IP address endpoints instead of RFC 1918 compliant IP address endpoints.

This however can be problematic when you change ISP and "must" change your Internet provided addresses via the VPN also.

So yes, this is a viable solution if you have many addresses; if you do not, then you are stuck with NATting twice and similar technology.

OR, as I have seen other companies do, simply find out something that you will never be interested in reaching, such as a small tire company halfway around the globe, and simply just use their addresses.

This will of course mean that the addresses you are using are not yours, but that does not matter since you are not interested in ever visiting them anyway, and the same needs to be true for the partner.

However, it is possible that the small tire company goes out of business and its IP addresses are reused for a company that you or your partner ARE interested in going to. This is bad business and is to be avoided, but as I said earlier, I have seen it being done.

Remember that the IP addresses you are using for the VPN will have problems being reached over the Internet from the customers that you have the VPN with, since they are used in the VPN.

So it would be a bad idea to use a part of the network that you have your mail or webserver installed in.

Hope this gives you more to think about.

Good luck

HTH

Thank you for the reply HTH,

Yes, you are right on the money.  The public IPs must be used as the addresses that are sending/receiving encrypted traffic.  We have a small amount of public IP addresses, and all of them are used.  Our Web server is what the VPN is being set up for (report ordering).

Sounds like we could just use the X1.X1.X1.64/28, which is our Public Subnet ID as the "Local Network", would you agree?

Our Web and Mail server are in this address block, could routing issues occur because of this, or only to the shop we are VPNing with?  Unless we make a couple Static Policies?

Thanks again for the help!

Eli

Hi

You cannot use the external address block. Or rather, you can, but it is really very much not recommended.

That would be problematic since your VPN tunnel is most likely one of those addresses, right?

You could use a part of it, such as a /29, but not the part where the VPN is terminated.

But since it is so small to begin with, I would recommend against it.

You do not want to have two systems with the same addresses to be accessed by the same systems.

If you, for example, use the same part as your mail server is in, they (your partner) would have to make arrangements so that some of their systems go through the VPN and some not when they try to access the same addresses.

If something goes wrong they will either lose the ability to

I am not saying it is not possible, it is, just that there are better ways, such as double NAT, when it comes to that.

Simply put, your external network is too small for you to consider this to be a good plan.

The external IP addresses are too valuable for other things compared to the hassle of double NATting.

It is one thing that you can do something; it's another if you should.

Good luck

HTH

Thanks once again!

Ok, hopefully my last question:

1. All of our Public IP addresses are in use (X1.X1.X1.65 - X1.X1.X1.78) with X1.X1.X1.64 and X1.X1.X1.79 as endpoints

2. Two of them will need to transfer encrypted data in the tunnel

So I create a subnet (internally) using the /30 subnet (X1.X1.X1.72 - X1.X1.X1.75), then NAT the appropriate IPs from the DMZ, to the remote network (the IPsec Remote Local Network), as X1.X1.X1.73 and X1.X1.X1.74 (even though X1.X1.X1.73 and X1.X1.X1.74 are being used to the outside)

Would that subnet interfere with the IPs of the public address that are being used?

Hope this makes sense, please let me know what you think, and I'll clarify anything that needs it.

Thank you!

Eli

Or am I going to have to free up a couple Public IP addresses for use in NATing? Will I have to make sure X1.X1.X1.73 and X1.X1.X1.74 are not currently being used, and will that be my only option?

1. Create a small Subnet of Public IP addresses on ASA

2. Use that subnet as the local Network on IPSec tunnel

3. NAT from DMZ to Destination and have the outside Translated address be a Public IP in the subnet that isn't already being used as a NAT'd address?

Is the above my only option?

Any thoughts would be greatly appreciated.

Thanks!
Eli
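Worked configuration for the three-step plan above (small public subnet as the local encryption domain, policy NAT from the DMZ to a public address, crypto ACL on the translated address), written to follow hobbe's advice of keeping the tunnel endpoint and any otherwise-used public address out of the encryption domain. This is an added example, not configuration posted in this thread or taken from Cisco documentation. It uses documentation addresses in place of the thread's X1/X2 placeholders and assumes: 203.0.113.64/28 is our public block with the ASA outside interface and tunnel endpoint on 203.0.113.66; 10.2.2.71 is the DMZ web server; 203.0.113.71 is a public address from our block that is not assigned to anything else; 198.51.100.0/24 is the partner's encryption domain and 192.0.2.1 is the partner's peer address (both unknown from the thread). The main body uses pre-8.3 syntax (the "Global Pool"/ASDM era the thread refers to); the 8.3+ equivalent of the NAT part is at the end.

```cisco
! ---- Added example, not from the thread. Addresses are assumptions. ----
!
! 1. Local encryption domain: one host address from our public block, not the
!    whole /28, so the tunnel endpoint (.66), the network/broadcast addresses
!    (.64/.79) and the mail/web server public addresses stay out of the domain.
!    The ASA evaluates the crypto ACL after NAT on the way out, so the local
!    side must be the TRANSLATED (public) address, not the DMZ address.
access-list VPN-PARTNER-CRYPTO extended permit ip host 203.0.113.71 198.51.100.0 255.255.255.0

! 2. Policy static NAT (pre-8.3 syntax): translate the DMZ web server to
!    203.0.113.71 only when the destination is the partner's network, so the
!    server's normal Internet-facing translation is untouched.
access-list VPN-PARTNER-NAT extended permit ip host 10.2.2.71 198.51.100.0 255.255.255.0
static (dmz,outside) 203.0.113.71 access-list VPN-PARTNER-NAT

! 3. Site-to-site IPsec (pre-8.4 keywords; 8.4+ renames "crypto isakmp" to
!    "crypto ikev1" and transform-sets to "crypto ipsec ikev1 transform-set").
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set PARTNER-TS esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 20 match address VPN-PARTNER-CRYPTO
crypto map OUTSIDE_MAP 20 set peer 192.0.2.1
crypto map OUTSIDE_MAP 20 set transform-set PARTNER-TS
crypto map OUTSIDE_MAP interface outside

tunnel-group 192.0.2.1 type ipsec-l2l
tunnel-group 192.0.2.1 ipsec-attributes
 pre-shared-key REPLACE-WITH-SHARED-SECRET

! ---- ASA 8.3+ equivalent of step 2 (twice NAT replaces the policy static) ----
! object network DMZ-WEB
!  host 10.2.2.71
! object network DMZ-WEB-VPN-PUBLIC
!  host 203.0.113.71
! object network PARTNER-NET
!  subnet 198.51.100.0 255.255.255.0
! nat (dmz,outside) source static DMZ-WEB DMZ-WEB-VPN-PUBLIC destination static PARTNER-NET PARTNER-NET
```

The partner configures the mirror image: our 203.0.113.71 as their remote encryption domain and their 198.51.100.0/24 as the local one. Two caveats that follow from the thread: once 203.0.113.71 is inside the encryption domain, the partner's hosts in 198.51.100.0/24 can only reach it through the tunnel, never in the clear, so the address should not also be the public address of a server the partner needs over the open Internet; and if the web server already has a regular one-to-one static to the same public address, that static applies to all destinations and the policy NAT is unnecessary, but the crypto ACL must still name the public address. Verify with `show crypto ipsec sa` that the local and remote identities are 203.0.113.71/32 and 198.51.100.0/24, and with `show xlate` that the policy translation is built when the DMZ host talks to the partner.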

Any thoughts...anyone?

Bump