shugonaka

Site-to-Site VPN Peer IP Addresses

Hi, I have a question about VPN peer IP addresses. I have a block of public IP addresses I can use. One of them, of course, is assigned to the public-facing interface on my firewall. I need to set up a half dozen site-to-site VPNs on the firewall with external agencies. What are the pros and cons of using the interface IP address as the VPN peer IP address for all the VPN sites vs. using a different public IP address for each individual VPN site? I am thinking maybe using a unique IP address for each VPN peer makes it easier for tracing and troubleshooting issues, but that's just my random thoughts. Is there a set standard and reasoning as to how you should assign IP addresses when there are multiple VPN peers?

Also, when it is necessary to NAT the VPN encryption domain (interesting traffic) to a public IP address, is it recommended to use an IP address other than your VPN peer IP address? It seems like using the peer IP for NAT works just fine, but I was told once it's not recommended with no clear explanation.

Thank you in advance for your comments!
Les Moore

Depending on the firewall, I don't think you'll have a choice other than to use the IP assigned to the interface of the firewall. I know for certain that Cisco ASA will not do that.
There is no pro for using different IP addresses for each VPN tunnel. For organisation purposes it might make sense to use a common non-default public IP for all, though. But tracing works well without.
Since it usually adds complexity to the config to use a different IP for VPN tunnels, it is usually not worth the effort.

To the second part: Why would you want to NAT your private IPs to a public IP inside of a VPN, for heaven's sake? You use private IPs, of course. You might have to NAT to a different network because of conflicts for source or destination, but as said you choose "internal" IPs, not public ones.
If you would apply NAT to a public IP, this could make direct access to that public IP impossible. It is always best to NAT to unique IPs you do not need to access directly.
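Added example, not from this thread: a Cisco ASA (8.3+ twice-NAT syntax) fragment that places the weak choice (hiding the encryption domain behind the outside interface, i.e. the VPN peer IP) beside the preferred one (a dedicated address from the public block that nothing else needs to reach directly). All object names, networks and the partner peer address are constructed placeholders using RFC 5737 documentation ranges.

```cisco
! Objects (constructed placeholders; replace with real networks)
object network INSIDE-LAN
 subnet 10.10.0.0 255.255.0.0
! Partner's encryption domain as they advertise it to us
object network PARTNER-LAN
 subnet 172.16.50.0 255.255.255.0
! Dedicated public IP from our block, deliberately NOT the outside
! interface address that IKE/IPsec peers with the partner
object network VPN-NAT-IP
 host 192.0.2.5

! Weak form (shown commented out): PAT the encryption domain to the
! interface/peer IP. Tunnel payload, IKE, and any management exposure
! then share one public address, so that address can no longer be
! reserved for direct access and every partner sees the same source.
! nat (inside,outside) source dynamic INSIDE-LAN interface destination static PARTNER-LAN PARTNER-LAN

! Preferred form: PAT the encryption domain to a unique public IP that
! is used only for this tunnel, so it can be traced per partner and
! never needs to be reachable directly from the Internet.
nat (inside,outside) source dynamic INSIDE-LAN VPN-NAT-IP destination static PARTNER-LAN PARTNER-LAN

! The crypto ACL must match the translated (mapped) source, not the
! private one; the partner's interesting-traffic ACL mirrors it.
access-list PARTNER-VPN extended permit ip object VPN-NAT-IP object PARTNER-LAN

! Peer address is the partner's public VPN endpoint (placeholder)
crypto map OUTSIDE-MAP 10 match address PARTNER-VPN
crypto map OUTSIDE-MAP 10 set peer 203.0.113.10
crypto map OUTSIDE-MAP interface outside
```

Dynamic PAT to a single host is outbound-initiated only; if the partner must open connections to specific inside hosts, give those hosts static one-to-one mappings from the block instead. Check the result with `show nat detail` and `packet-tracer` before bringing the tunnel up.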
shugonaka (ASKER)

@Les Moore, thanks for your comment. Our firewall is a Cisco ASA, so I guess using an IP address other than the outside interface as the VPN peer is not an option.

@Qlemo, thanks for your comment. I've always used a private IP to NAT our internal network through a VPN tunnel. However, one of our external partner agencies asked us to use a public IP for NAT'ing because they have so many internal networks with various ranges of private IPs and did not want to have conflicts. It was the first time I had to set up a VPN with a public IP as a NAT mapped address. I was not sure if it'd work, but it did. We also have another VPN with another agency, and for this we are using our VPN peer IP address as the NAT mapped address per their request. I also was not sure if it'd work, but again it worked. These 2 VPN setups make me wonder what the standard VPN setup people typically use is and if there are pros and cons to them. I guess it all depends on each agency's requirements and use case.
ASKER CERTIFIED SOLUTION
Qlemo