We're a SaaS provider, setting up an IPsec VPN between our data center and a customer's site so they can directly access their hosted database server from their LAN.

Instead of exposing our internal LAN range to the customer, our 'reference design' is to NAT just the server they need behind another 'DMZ' private address within the VPN, and the customer does the same to keep from exposing their internal range to us.

So for example, in the 'reference' design,

Customer Server --> Cust VPN NAT ====== VPN ======= My VPN NAT --> My server
192.168.27.4    --> 10.10.10.4   =================> 10.20.0.5  --> 192.168.3.16

As long as we can agree to use non-clashing NATing IPs on private ranges (10.10. vs 10.20.), this works fine. We're only accepting inbound connections from the customer, and would see traffic only from 10.10.10.4 in the above example.

Today a customer says that they can only work with public IPs as NATing IPs on both ends to avoid any chance of a range collision. They are a major global corporation who have thousands of spare public IPs so no problem for them. We are a small colo-hosted SaaS provider who have to justify every public IP request to our providers.

Customer Server --> Cust VPN NAT ====== VPN ======= New Public IP --> My server
192.168.27.4    --> 1.2.3.4      =================> 5.6.7.8  --> 192.168.3.16

We have no problem helping out the customer, going through the process and getting public IPs for this but...

  1. Is this a common set-up?
  2. Is it the right thing to do technically given that the P in VPN stands for 'Private'?
  3. Is it the right thing to do 'morally' given the exhaustion of the IPv4 address space?

Thanks for your help.

doza
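As an added example (not code from the question or the answer), here is the check and the gateway rule set that the 'reference design' above implies: verify that the two NAT ranges and the two real LAN ranges do not clash, then expose only the one hosted server behind its 'DMZ' address to the customer's NAT address. It assumes a Linux gateway using netfilter (iptables) with a route-based IPsec tunnel interface named `ipsec0`, a LAN interface `eth1`, and PostgreSQL's port 5432; the interface names, port and the `REFERENCE_PLAN` addresses are assumptions or constructed from the question's figures.

```python
"""Addressing-plan check and 1:1 NAT rule generation for the VPN design above.

Added example, not from the question or answer. Assumes a Linux gateway using
netfilter (iptables) with a route-based IPsec tunnel interface; interface names
and the database port are assumptions.
"""
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample plan: the addresses from the question's 'reference design'.
REFERENCE_PLAN: Dict[str, str] = {
    "customer_lan": "192.168.27.0/24",   # customer's real LAN (never seen by us)
    "customer_nat": "10.10.10.0/24",     # customer's NAT addresses inside the VPN
    "our_nat": "10.20.0.0/24",           # our 'DMZ' NAT addresses inside the VPN
    "our_lan": "192.168.3.0/24",         # our real server LAN (never seen by them)
}


def overlapping_ranges(plan: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return every pair of named ranges in the plan that overlap.

    Each side's NAT range must not clash with the other side's NAT range, and
    neither NAT range may clash with either real LAN, or routing inside the VPN
    becomes ambiguous. A bare host address is treated as a /32.
    """
    nets = {name: ipaddress.ip_network(cidr, strict=False) for name, cidr in plan.items()}
    names = sorted(nets)
    clashes = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                clashes.append((a, b))
    return clashes


def plan_is_clean(plan: Dict[str, str]) -> bool:
    """True when no two ranges in the plan overlap."""
    return not overlapping_ranges(plan)


def one_to_one_nat_rules(real_ip: str, dmz_ip: str, peer_ip: str,
                         ports: Tuple[int, ...] = (5432,),
                         vpn_if: str = "ipsec0", lan_if: str = "eth1") -> List[str]:
    """Generate iptables rules that present only `real_ip` as `dmz_ip` to `peer_ip`.

    - DNAT rewrites the customer's packets for the DMZ address to the real server;
      conntrack reverses it on the replies, so the customer only ever sees dmz_ip.
    - FORWARD accepts only the agreed peer address and ports (inbound only, as the
      question describes) and drops everything else arriving from the tunnel.
    - The SNAT rule only matters if the server itself ever originates traffic
      towards the customer; it keeps the real LAN address from leaking.
    Interface names and the port list (PostgreSQL's 5432) are assumptions.
    """
    for ip in (real_ip, dmz_ip, peer_ip):
        ipaddress.ip_address(ip)  # fail early on a typo rather than emit a bad rule
    rules = []
    for port in ports:
        rules.append(
            f"iptables -t nat -A PREROUTING -i {vpn_if} -s {peer_ip} -d {dmz_ip} "
            f"-p tcp --dport {port} -j DNAT --to-destination {real_ip}:{port}")
        rules.append(
            f"iptables -A FORWARD -i {vpn_if} -o {lan_if} -s {peer_ip} -d {real_ip} "
            f"-p tcp --dport {port} -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT")
    rules.append(
        f"iptables -A FORWARD -i {lan_if} -o {vpn_if} -s {real_ip} -d {peer_ip} "
        f"-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT")
    rules.append(
        f"iptables -t nat -A POSTROUTING -o {vpn_if} -s {real_ip} -j SNAT --to-source {dmz_ip}")
    rules.append(f"iptables -A FORWARD -i {vpn_if} -j DROP")
    return rules


if __name__ == "__main__":
    print("reference plan clean:", plan_is_clean(REFERENCE_PLAN))
    for rule in one_to_one_nat_rules("192.168.3.16", "10.20.0.5", "10.10.10.4"):
        print(rule)
```

The rules are printed rather than applied so the script runs without root; the same check passes unchanged for the public-IP variant (1.2.3.4 and 5.6.7.8 as /32 hosts), which is the customer's point: globally unique NAT addresses cannot clash with anyone's private range. Whichever addresses are chosen, the IPsec phase 2 traffic selectors on both gateways must name the translated addresses (10.10.10.4/32 to 10.20.0.5/32 in the reference design), because each gateway applies NAT on its cleartext side before the packet is matched against the tunnel policy.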

1 Answer

Honestly, I think this is more a business decision than a technical decision. (People are free to disagree with me, of course.) But IMHO, this boils down to:

  • Is the cost of the new IP and the time and energy spent accommodating them enough to cut into the profits generated by the customer's business?
  • Which is greater, the risk posed by what they're asking or the risk posed by losing their business?

I wouldn't worry about #3 at all. It is a common set up, and it sounds like they're used to getting their way. Alas.

"I don't want to do this; what technical reasons should I give them to avoid it?" is a whole other question.

Katherine Villyard
    Many thanks! I completely agree with your analysis; my main aim was garnering opinions on the technical correctness. It certainly isn't worth losing the business over but as you point out I'd be interested in the technical reasons we could give to avoid it. – doza Feb 21 '14 at 18:44