[c-nsp] IPSEC sanity check
Justin M. Streiner
streiner at cluebyfour.org
Sun Jan 23 19:38:00 EST 2011
A company I occasionally do some work for (Company A) wants to build a
site-to-site VPN to another company's (Company B) network. By itself,
that's not too big of a deal; however, Company B is requiring
that the host(s) from Company A that are tunneled through the VPN have
globally routable IP addresses, or at least NAT to globally routable
addresses.

The way Company A's network is designed today, the only globally
routable addresses in use are for NAT, and the outside
addresses on their firewalls. The firewall in question is an ASA 5510
running just an inside and outside interface - no DMZ.

The only options I can think of without having to re-design a chunk of
Company A's network would be:

1. Use the tunnel endpoint address on Company A's firewall as the address
that gets tunneled. While I haven't gotten a definitive answer from
Cisco, my gut tells me that would not work.
2. Create a static NAT to an unused address on their outside network and
use that as the tunneled host. I have reason to believe that won't work
either.
3. Land this VPN on Company A's external router (a Cisco 2801), rather
than the ASA. That should allow them to use the NAT'd outside interface
on the firewall as a tunneled address without problems. The router might
need a code/license upgrade to handle the IPSEC, but the more I think
about it, the more this seems like the least kludgey solution.

I'm open to ideas though...

jms