[c-nsp] IPSEC sanity check

Jan Gregor jan.gregor at chronix.org
Tue Jan 25 08:40:59 EST 2011


Hi,

> 1. Use the tunnel endpoint address on Company A's firewall as the
> address that gets tunneled.  While I haven't gotten a definitive answer
> from Cisco, my gut tells me that would not work.
When you give this deeper thought, this probably should work. Unless
Company B does the same thing, of course.

> 2. Create a static NAT to an unused address on their outside network and
> use that as the tunneled host.  I have reason to believe that won't work
> either.
This works without any trouble.

> 3. Land this VPN on Company A's external router (a Cisco 2801), rather
> than the ASA.  That should allow them to use the NAT'd outside interface
> on the firewall as a tunneled address without problems.  The router
> might need a code/license upgrade to handle the IPSEC, but the more I
> think about it, the more this seems like the least kludgey solution.
Pain in the...

4. Ask the provider to give you an IP address in addition to the
addresses that you already have. Then use this IP address for NAT (meaning
this IP address does not necessarily need to be in your routing
table anywhere).

Best regards,

Jan
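The static-NAT approach from option 2 (and the spare-address variant in option 4), written out as an ASA configuration fragment. This is an added example, not configuration from the thread or from either company: every address is a constructed RFC 5737 documentation value, the object, ACL, crypto-map and transform-set names are hypothetical, the pre-shared key is a placeholder, and the syntax assumes ASA 8.4 or later (pre-8.3 releases express the same translation with `static (inside,outside) 203.0.113.25 10.10.10.25`).

```cisco
! Added worked example (hypothetical, not from the thread).
! Constructed addressing, all RFC 5737 documentation ranges:
!   Company A inside host that must reach Company B:   10.10.10.25
!   Unused address on Company A's outside block:       203.0.113.25
!   Company B's network reachable through the tunnel:  192.0.2.0/24
!   Company B's IPsec peer:                            198.51.100.1

object network A_HOST_REAL
 host 10.10.10.25
object network A_HOST_MAPPED
 host 203.0.113.25
object network B_NET
 subnet 192.0.2.0 255.255.255.0

! Manual (twice) NAT: translate the inside host to the spare outside
! address ONLY when the destination is Company B's network, so the host's
! ordinary Internet traffic keeps whatever PAT rule it already uses and
! no other VPN or identity-NAT rule is affected.
nat (inside,outside) 1 source static A_HOST_REAL A_HOST_MAPPED destination static B_NET B_NET

! The crypto ACL must name the post-NAT (mapped) address: the ASA performs
! NAT before it evaluates the crypto map for outbound packets, so an ACL
! written with 10.10.10.25 would never match and the tunnel would stay down.
access-list VPN_TO_B extended permit ip object A_HOST_MAPPED object B_NET

! IKEv1 phase 1. Parameters must be agreed with Company B; use the
! strongest DH group both peers support (group 14 or higher where the
! release offers it).
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto ikev1 enable outside

tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 ikev1 pre-shared-key <PLACEHOLDER-PSK>

! Phase 2 and the crypto map binding the ACL, peer and transform set.
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address VPN_TO_B
crypto map OUTSIDE_MAP 10 set peer 198.51.100.1
crypto map OUTSIDE_MAP 10 set ikev1 transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP interface outside
```

Two points worth checking after applying something like this. First, the mapped address does not need its own route anywhere on Company A's side, which is the observation behind option 4: the ASA answers ARP on the outside interface for a static-NAT mapped address by default, so the upstream router delivers return traffic to it. Second, the ordering of NAT rules matters; `show nat` and `packet-tracer input inside tcp 10.10.10.25 1025 192.0.2.10 443` show which rule a packet actually hits and whether it reaches the crypto map, and `show crypto ipsec sa` then confirms the proxy identities negotiated with Company B are the 203.0.113.25/192.0.2.0 pair and not the untranslated inside address.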
