Not sure about what everyone else is recommending but our solution (with several hundred B2B tunnels now) was simply to make it policy NEVER to run 1918 address space in the tunnel. We usually tell peers that they must provide public IP space which will then be NATted on our side. We also have a block of our own ARIN space that we sometimes use. Either way, it's always tunneled and NATted and never seen anywhere else. Extra config? Yes. Sanity? A little.

-Hammer-

"I was a normal American nerd"
-Jack Herer



On 08/12/2011 02:53 PM, Brent Roberts wrote:
I am looking for the best way to get around IP conflicts (on the far side)
in a fully redundant hardware solution. I am working in a large-scale hosted
application environment and every 5th or so customer has the same RFC1918
address that every other small shop has. I have a pair of ASA 5520s (SEC-K9
8.2(2) in A/S) and it seems that I am either missing something or it may not
be possible due to IPsec priority. I typically use set reverse-route
and redistribute static via OSPF to the L3 core.

I was thinking about moving to a 6509 with redundant Sup720s and using
IPsec-aware VRFs (1x 7600-SSC-400 / 2x SPA-IPSEC-2G) to get around this
limitation. Any feedback on this idea? Negatives/positives of this setup? I
am only looking to move about 100 meg aggregate of IPsec traffic.

Thoughts welcome on and off list.

_______________________________________________
cisco-nsp mailing list  [email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
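Hammer's policy above (no RFC 1918 space inside a tunnel, peer presents public space, we NAT it again into our own block) is easy to state but gets violated by hand when the tunnel count reaches the hundreds. As an added example, not code from the list thread or from either poster, the following Python script enforces the two checks that matter before a tunnel is built: the remote range must not be RFC 1918, and it must not overlap any range already in use by another peer. It then carves a same-size block out of a local public pool for the 1:1 network translation on our side. The pool 198.51.100.0/24 and the peer ranges 203.0.113.0/26 and 192.0.2.0/25 are constructed sample values (documentation ranges standing in for real public space); `TunnelPolicy` and its methods are names chosen for this example.

```python
import ipaddress

# RFC 1918 space: the ranges that, under the policy, must never be the remote
# side of a B2B tunnel. Listed explicitly rather than via is_private so that
# documentation ranges used as sample "public" space below are not flagged.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


class TunnelPolicy:
    """Tracks remote ranges per peer and the local NAT block assigned to each."""

    def __init__(self, local_pool):
        # local_pool: our own public block reserved for tunnel-side NAT
        # (constructed placeholder value in the demo below).
        self.local_pool = ipaddress.ip_network(local_pool)
        self.tunnels = {}  # peer name -> (remote_net, local_nat_net)

    def validate_remote(self, net_str):
        """Return a list of policy violations for a proposed remote range (empty if OK)."""
        net = ipaddress.ip_network(net_str, strict=True)
        problems = []
        for private in RFC1918:
            if net.overlaps(private):
                problems.append(f"{net} is RFC 1918 space ({private})")
                break
        for name, (remote, _) in self.tunnels.items():
            if net.overlaps(remote):
                problems.append(f"{net} overlaps peer {name} ({remote})")
        return problems

    def _next_local_block(self, prefixlen):
        """Carve the first unused block of the requested size out of the local pool."""
        if prefixlen < self.local_pool.prefixlen:
            raise ValueError("remote range is larger than the whole local NAT pool")
        used = [local for _, local in self.tunnels.values()]
        for candidate in self.local_pool.subnets(new_prefix=prefixlen):
            if not any(candidate.overlaps(u) for u in used):
                return candidate
        raise RuntimeError("local NAT pool exhausted")

    def add_tunnel(self, name, net_str):
        """Admit a peer range after policy checks; returns the local NAT block."""
        problems = self.validate_remote(net_str)
        if problems:
            raise ValueError("; ".join(problems))
        remote = ipaddress.ip_network(net_str, strict=True)
        local = self._next_local_block(remote.prefixlen)
        self.tunnels[name] = (remote, local)
        return local

    def translate(self, name, remote_ip):
        """Map a remote host to its local-side address under 1:1 network NAT."""
        remote, local = self.tunnels[name]
        ip = ipaddress.ip_address(remote_ip)
        if ip not in remote:
            raise ValueError(f"{ip} is not inside {remote} for peer {name}")
        offset = int(ip) - int(remote.network_address)
        return local[offset]


if __name__ == "__main__":
    policy = TunnelPolicy("198.51.100.0/24")          # constructed local pool
    print(policy.add_tunnel("peer-a", "203.0.113.0/26"))  # 198.51.100.0/26
    print(policy.add_tunnel("peer-b", "192.0.2.0/25"))    # 198.51.100.128/25
    print(policy.validate_remote("10.20.0.0/16"))     # rejected: RFC 1918
    print(policy.validate_remote("203.0.113.0/24"))   # rejected: overlaps peer-a
    print(policy.translate("peer-b", "192.0.2.5"))    # 198.51.100.133
```

The translation is offset-based, which is exactly what a static network NAT does: the peer's public range and our local block are the same size, so every remote host lands on one predictable local address, and the peer's real RFC 1918 addressing is never seen past their own edge.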