On 8/15/2011 4:38 PM, -Hammer- wrote:
Not sure about what everyone else is recommending but our solution
(with several hundred B2B tunnels now) was simply to make it policy
NEVER to run 1918 address space in the tunnel. We usually tell peers
that they must provide public IP space which will then be NATted on
our side. We also have a block of our own ARIN space that we sometimes
use. Either way, it's always tunneled and NATted and never seen
anywhere else. Extra config? Yes. Sanity? A little.
-Hammer-
"I was a normal American nerd"
-Jack Herer
On 08/12/2011 02:53 PM, Brent Roberts wrote:
I am looking for the best way to get around IP conflicts (On the Far Side)
in fully redundant Hardware solution. I am working in a large Scale Hosted
application environment and every 5th or so customer has the same RFC1918
Address that every other small shop has. I have a Pair of ASA 5520's (SEC-K9
8.2(2) in A/S) and it seems that I am either missing something or it may not
be possible due to IPSEC priority. I typically use the SET-Reverse Router
and redistribute static via OSPF to the L3 Core.
I was thinking about moving to a 6509 with redundant sup720's and using
IPSEC AWARE VRF's (1x 7600-SSC-400/2xSPA-IPSEC-2G) to get around this
limitation. Any feedback on this idea. Negative/Positives of this setup? I
am only looking to move about 100 meg aggregate of IPSec Traffic.
Thoughts welcome on and off list.
_______________________________________________
cisco-nsp mailing list [email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
That's it. Public space. It pushes all the nasty stuff out to the edge
companies.
tv
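
Added example, not part of the original thread or any poster's code: a pre-provisioning check for the "no RFC 1918 in the tunnel" policy described above, which rejects a peer's proposed tunnel prefixes if they touch private space or overlap a prefix already accepted from another peer. Peer names and prefixes are constructed; the RFC 5737 documentation ranges stand in for real public space.

```python
import ipaddress

# The three RFC 1918 private blocks the policy keeps out of B2B tunnels.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_tunnel_prefixes(existing, proposed):
    """Return a list of (peer, prefix, reason) policy violations.

    existing: dict of peer name -> prefixes already accepted in tunnels
    proposed: dict of peer name -> prefixes requested for new tunnels
    Proposed prefixes that pass are treated as accepted for later checks.
    """
    accepted = [(peer, ipaddress.ip_network(p))
                for peer, prefixes in existing.items() for p in prefixes]
    violations = []
    for peer, prefixes in proposed.items():
        for p in prefixes:
            net = ipaddress.ip_network(p)  # raises ValueError on host bits set
            if any(net.overlaps(block) for block in RFC1918):
                violations.append((peer, p, "rfc1918"))
                continue
            clash = next((other for other, n in accepted
                          if other != peer and net.overlaps(n)), None)
            if clash is not None:
                violations.append((peer, p, "overlaps " + clash))
            else:
                accepted.append((peer, net))
    return violations


# Constructed sample data (hypothetical peers, documentation address ranges).
EXISTING = {"peer-a": ["192.0.2.0/24"]}
PROPOSED = {
    "peer-b": ["192.168.1.0/24", "198.51.100.0/25"],
    "peer-c": ["192.0.2.128/25", "203.0.113.0/24"],
    "peer-d": ["198.51.100.64/26"],
}

if __name__ == "__main__":
    for peer, prefix, reason in check_tunnel_prefixes(EXISTING, PROPOSED):
        print(f"{peer}: {prefix} rejected ({reason})")
```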