
VPN Public/Private IP Issue

Status
Not open for further replies.

vpn99999

IS-IT--Management
Sep 30, 2008
6
Using an ASA setup with 3 site-to-site tunnels (oddly another fellow on this board had a similar setup but I am not him!). 2 of the 3 work great and we have no problems sending data back and forth. The third little bastard is causing me nothing but frustration.

The problem child won't allow my internal IPs on their side, so they mandate that I assign my internal network public IP addresses. So I need to get data going through my 192.x.x.x but have them think that it's coming from my public "internal" IP scheme. Any help is appreciated on how I can tackle this (if it's possible).

Thanks
 
What? A public scheme is private...
What exactly do you mean that their side won't let your private IP addresses?

Burt
 
I suppose I agree that a public scheme is private to me (assigned by my ISP). However, I am referring to my internal scheme of 192.x.x.x not being equal to the IP range they want my traffic coming in from, 129.x.x.x for example. Internally I have 192.x.x.x, remember, so in the router I need to get requests coming from 192.x.x.x to look like requests coming from 129.x.x.x for this specific tunnel. I don't want to have to change my internal scheme.

Thanks for your input.
 
NAT would normally do the trick, but in a VPN tunnel that won't work. I still don't understand why their end needs this---once the tunnel is established, you should be ON their network, so it would be like NATting to yourself...I guess I am missing what you need...

Burt
 
From what I was told, they use the same IP naming we do and we'll have collisions... so that would be the reason.

Thanks
 
You mean conflicts? That is a very odd and convoluted solution. You won't have conflicts if you put the vpn pool on a different subnet, which is how they are usually done. I myself put my remote access vpn pool in the same subnet as my LAN since I only use about 15 addresses in my LAN.

Burt
 
With a site-to-site VPN it is very common for companies to mandate that your source network is a public IP address. The terminology is called "outside NAT for overlapping networks" and it's pretty common. What VPN device are you using on your end?
 
On my end it is a Cisco ASA 5505. I'm willing to pay for some help on this one so if you think you can do it remotely - or guide me on the phone we can surely work something out.
 
Brian - thanks for the link, but that isn't what I need. That article describes two internal networks meshing together over the tunnel. What I need them to see is my external IPs (129.X.X.X) on the other side of the tunnel, not my internal ones (192.X.X.X). They won't allow for the configuration of my internal addresses. That article would leave my originating IP address of 192.x.x.x intact.
 
You can use that configuration and NAT your internal IPs to any public IP address you want. It's really the same principle.
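
An added illustration of the policy NAT approach discussed in this thread, written in the pre-8.3 ASA syntax that was current when the thread was posted; it is not a configuration posted by any participant. All names and addresses are constructed placeholders: 192.168.1.0/24 stands in for the internal 192.x.x.x network, 198.51.100.0/24 for the public block the partner expects, 10.20.0.0/24 for the partner's network and 203.0.113.10 for their peer. The crypto map name, sequence number and transform set are assumed to exist already.

```cisco
! --- 1. Policy NAT: translate only when inside hosts talk to the partner ---
! Traffic to the other two tunnels and to the Internet is not matched
! by this ACL, so it keeps its existing NAT behaviour.
access-list PARTNER-POLICY-NAT extended permit ip 192.168.1.0 255.255.255.0 10.20.0.0 255.255.255.0

! One-to-one mapping: 192.168.1.N <-> 198.51.100.N for matched flows only.
static (inside,outside) 198.51.100.0 access-list PARTNER-POLICY-NAT

! --- 2. Crypto ACL must describe the POST-NAT source ---
! NAT is applied before the crypto map is evaluated, so interesting
! traffic has to be written with the translated (public) addresses.
access-list PARTNER-CRYPTO extended permit ip 198.51.100.0 255.255.255.0 10.20.0.0 255.255.255.0

crypto map OUTSIDE-MAP 30 match address PARTNER-CRYPTO
crypto map OUTSIDE-MAP 30 set peer 203.0.113.10
crypto map OUTSIDE-MAP 30 set transform-set ESP-AES-SHA

! --- 3. NAT exemption must NOT cover this tunnel ---
! "nat (inside) 0 access-list ..." is processed before static policy NAT.
! If the exemption ACL used for the other tunnels also permits
! 192.168.1.0/24 -> 10.20.0.0/24, the traffic leaves untranslated and
! never matches PARTNER-CRYPTO. Check with:
!   show running-config nat
!   show access-list <name of the nat 0 ACL>

! --- 4. Verification from the ASA ---
! Simulate an inside host reaching a partner host; the NAT phase should
! show a translation to 198.51.100.x and the VPN phase should show "encrypt".
!   packet-tracer input inside icmp 192.168.1.10 8 0 10.20.0.10 detailed
!
! Confirm the translation and that the IPsec SA was built with the
! translated network as the local ident.
!   show xlate
!   show crypto ipsec sa peer 203.0.113.10
```

The partner's crypto ACL has to mirror `PARTNER-CRYPTO` (their network as source, the translated block as destination); a mismatch in the proxy identities is a common reason such a tunnel fails to come up.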
 
I can't get it to "go" though. I'm serious about my offer if you know how to get that setup going contact me rick dot czajkowskyj at gmail dot com - I have no issue paying you for the help.
 
Hi, my name is Jack. I am an Australian living and working in Bangkok but would like an IP address in New Zealand for business purposes. My friend's sister lives there but is not computer literate. So an internet account and a solution that could, so to speak, "plug and play" would be good to hear. I thought about a proxy server, probably not reliable; I also thought about a VPN tunnel... So I would love to hear from you, maybe you have a better solution.

Kind Regards

Jack
 
I would start a new thread rather than piggy-backing on this one...

Burt
 