[c-nsp] best way to get around IPSEC subnet Conflicts.

-Hammer- bhmccie at gmail.com
Mon Aug 15 17:38:37 EDT 2011


Not sure about what everyone else is recommending but our solution (with 
several hundred B2B tunnels now) was simply to make it policy NEVER to 
run 1918 address space in the tunnel. We usually tell peers that they 
must provide public IP space which will then be NATted on our side. We 
also have a block of our own ARIN space that we sometimes use. Either 
way, it's always tunneled and NATted and never seen anywhere else. Extra 
config? Yes. Sanity? A little.

-Hammer-

"I was a normal American nerd"
-Jack Herer



On 08/12/2011 02:53 PM, Brent Roberts wrote:
> I am looking for the best way to get around IP conflicts (On the Far Side)
> in fully redundant Hardware solution. I am working in a large Scale Hosted
> application environment and every 5th or so customer has the same RFC1918
> Address that every other small shop has. I have a Pair of ASA 5520's (SEC-K9
> 8.2(2) in A/S) and it seems that I am either missing something or it may not
> be possible due to IPSEC priority. I typically use the SET-Reverse Router
> and redistribute static via OSPF to the L3 Core.
>
> I was thinking about moving to a 6509 with redundant sup720's and using
> IPSEC AWARE VRF's  (1x 7600-SSC-400/2xSPA-IPSEC-2G) to get around this
> limitation. Any feedback on this idea. Negative/Positives of this setup? I
> am only looking to move about 100 meg aggregate of IPSec Traffic.
>
> Thoughts welcome on and off list.
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
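As an added illustration of the policy in Hammer's reply (example code, not from the thread or from anyone on the list): a small Python check that refuses RFC1918 space in a proposed far-side encryption domain, flags overlap with tunnels already in service or with our own NAT pool, and carves a NAT block out of that pool for a peer that can only offer private space. The tunnel names and prefixes are constructed samples; RFC 5737 documentation ranges stand in for real ARIN and peer space.

```python
import ipaddress

# Constructed sample: what our side actually sees inside each existing B2B tunnel
# (post-NAT). Per policy none of it is RFC1918.
EXISTING_TUNNELS = {
    "peer-a": ipaddress.ip_network("198.51.100.0/24"),
    "peer-b": ipaddress.ip_network("203.0.113.0/25"),
}

# Constructed sample: our own public block reserved purely for NATting peers
# (documentation prefix standing in for ARIN space).
NAT_POOL = ipaddress.ip_network("192.0.2.0/24")

# Explicit RFC1918 list: ipaddress's is_private also flags 192.0.2.0/24, 100.64/10 etc.
RFC1918 = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(net):
    net = ipaddress.ip_network(net)
    return net.version == 4 and any(net.subnet_of(p) for p in RFC1918)


def conflicts(net, tunnels=EXISTING_TUNNELS, pool=NAT_POOL):
    """Sorted names of tunnels (plus 'nat-pool') whose address space overlaps `net`."""
    net = ipaddress.ip_network(net)
    hits = [name for name, existing in tunnels.items() if net.overlaps(existing)]
    if net.overlaps(pool):
        hits.append("nat-pool")
    return sorted(hits)


def vet_peer_subnet(cidr, tunnels=EXISTING_TUNNELS, pool=NAT_POOL):
    """Return (accepted, reason) for a far-side prefix a peer proposes to put in the tunnel."""
    net = ipaddress.ip_network(cidr, strict=True)  # reject host bits set, e.g. 10.1.1.5/24
    if is_rfc1918(net):
        return False, "RFC1918 space is not permitted in the tunnel; peer must present public or NATted addresses"
    hits = conflicts(net, tunnels, pool)
    if hits:
        return False, "overlaps address space already in use: " + ", ".join(hits)
    return True, "ok"


def allocate_nat_block(prefixlen, tunnels=EXISTING_TUNNELS, pool=NAT_POOL):
    """First free /prefixlen in our NAT pool that collides with nothing in service,
    to be the NATted view of a peer that only has RFC1918 space to offer."""
    for candidate in pool.subnets(new_prefix=prefixlen):
        if not any(candidate.overlaps(existing) for existing in tunnels.values()):
            return candidate
    return None
```

Record the block returned by allocate_nat_block in EXISTING_TUNNELS once the tunnel is built, so the next peer's request is checked against it.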