[c-nsp] best way to get around IPSEC subnet Conflicts.

Tony Varriale tvarriale at comcast.net
Mon Aug 15 17:49:12 EDT 2011


On 8/15/2011 4:38 PM, -Hammer- wrote:
> Not sure about what everyone else is recommending but our solution 
> (with several hundred B2B tunnels now) was simply to make it policy 
> NEVER to run 1918 address space in the tunnel. We usually tell peers 
> that they must provide public IP space which will then be NATted on 
> our side. We also have a block of our own ARIN space that we sometimes 
> use. Either way, it's always tunneled and NATted and never seen 
> anywhere else. Extra config? Yes. Sanity? A little.
>
> -Hammer-
>
> "I was a normal American nerd"
> -Jack Herer
>
>
>
> On 08/12/2011 02:53 PM, Brent Roberts wrote:
>> I am looking for the best way to get around IP conflicts (on the far
>> side) in a fully redundant hardware solution. I am working in a large-scale
>> hosted application environment and every 5th or so customer has the same
>> RFC1918 address that every other small shop has. I have a pair of ASA 5520's
>> (SEC-K9 8.2(2) in A/S) and it seems that I am either missing something or it
>> may not be possible due to IPSEC priority. I typically use the SET-Reverse
>> Router and redistribute static via OSPF to the L3 Core.
>>
>> I was thinking about moving to a 6509 with redundant sup720's and using
>> IPSEC AWARE VRF's (1x 7600-SSC-400/2xSPA-IPSEC-2G) to get around this
>> limitation. Any feedback on this idea? Negatives/positives of this
>> setup? I am only looking to move about 100 meg aggregate of IPSec traffic.
>>
>> Thoughts welcome on and off list.
>>
>>
>> _______________________________________________
>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
That's it.  Public space.  It pushes all the nasty stuff out to the edge 
companies.

tv
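Hammer's rule from the thread (no RFC1918 inside the tunnel, peers bring public space or get NATted into our own block), as an added example that is not part of the original posts: a small Python pre-flight check that flags a proposed peer prefix if it is RFC1918, collides with the hosted LAN, or collides with space an existing tunnel already carries. The prefixes, the `check_peer_prefix` helper and the `triage` wrapper are all constructed for this example.

```python
"""
Pre-flight check for a new B2B IPsec peer, following the policy in the
thread: no RFC1918 space inside the tunnel, and no overlap with networks
already carried by existing tunnels. Added example, not configuration
from the thread; every prefix below is constructed.
"""
from ipaddress import ip_network

# Constructed inventory of what existing tunnels already carry
# (the tunnel-side prefixes, i.e. after any NAT has been applied).
EXISTING_TUNNEL_PREFIXES = [
    ip_network("198.51.100.0/24"),  # peer A: public space they provided
    ip_network("203.0.113.0/25"),   # peer B: our own block, NATted on our side
]
LOCAL_HOSTED_PREFIX = ip_network("10.20.0.0/16")  # our hosted server LAN (RFC1918)

RFC1918 = [ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_peer_prefix(prefix: str, existing=None, local=LOCAL_HOSTED_PREFIX) -> list[str]:
    """Return policy findings for a prefix a peer wants to place in the tunnel.

    An empty list means the prefix can be carried as-is. Each finding names
    the problem so the operator knows whether NAT (or a different block) is
    needed before the crypto ACL is written.
    """
    existing = EXISTING_TUNNEL_PREFIXES if existing is None else existing
    net = ip_network(prefix, strict=False)
    findings = []
    if any(net.overlaps(r) for r in RFC1918):
        findings.append("rfc1918: peer must supply public space or be NATted to our block")
    if net.overlaps(local):
        findings.append(f"overlaps our hosted LAN {local}: NAT required on our side")
    for r in existing:
        if net.overlaps(r):
            findings.append(f"overlaps existing tunnel prefix {r}: ambiguous in the crypto ACL")
    return findings


def triage(prefixes, existing=None) -> dict[str, list[str]]:
    """Run check_peer_prefix over a batch of proposed prefixes."""
    return {p: check_peer_prefix(p, existing) for p in prefixes}


if __name__ == "__main__":
    for p, f in triage(["192.168.1.0/24", "198.51.100.128/25", "192.0.2.0/24"]).items():
        print(p, "OK" if not f else "; ".join(f))
```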

