Use Public IP as Local Encryption Network

[fuseven]

Hello All,

First post, have always used this forum as a great reference to troubleshoot issues, now I have an issue worthy of posting.

As the subject states, I need to use public IP addresses as the Local Encryption Network for an IPSec VPN.

We have a small Public IP address block X.X.X.64 - X.X.X.79, and all are currently being used (NAT'd to).

I have been working on this for a while and I figure I need to make a small internal subnet (/29) out of the Public IP addresses, so X.X.X.72 - X.X.X.79

I can then define the X.X.X.72/29 subnet as the Local Encryption Network.

Where I'm stuck is how to define the IPs coming from the DMZ to these addresses. Since my Public IPs are in use, defining IPs as these Public IP addresses (Having local IPs translated to Public IPs that are already NAT'd to) is causing an overlap error. Is there a way around this, or do I need to free up a couple Public IPs in order to NAT this information out?

Please let me know what you think and if any further clarification is needed.

Thank you in advance for the help!
E

 

[SweetRevelation]

It's an interesting question, mine is why exactly do you need to use Public IPs?

 

[fuseven]

haha, that's a great question and was my first to them. Apparently that helps them keep tabs on which network is making the connection...I didn't really care for the explanation but what can you do?

So any thoughts on how to accomplish?

Thanks!

 

[fuseven]

I already have the two needed IPs NAT'd to public IP addresses, so if I make an internal subnet of Public IPs (which will be my local network), that encompass the addresses that the DMZ IPs are already NAT'd to, in theory it should work?

I shouldn't have to specifically create a NAT entry from the DMZ to the Public IP with the Destination (the Remote Network) since it's already NAT'd as the IP to the outside interface.

I'm not sure I'm being clear but please have a read through and let me know what you think.

Thanks!