On Mon, Feb 23, 2015 at 9:02 AM, Eric Germann <ekgermann@cctec.com> wrote:
> In spitballing, the boat hasn't sailed too far to say "Why not use 100.64/10 in the VPC?"
Read RFC6598. If you can assure the conditions are met that are listed in "4. Use of Shared CGN Space", then usage of the 100.64/10 shared space may be applicable; under other conditions it may be risky. The proper usage of IP addresses is in accordance with the standards or by the registrant under the right assignment agreements. If you are just needing space to squat on regardless of the standardized usage, then you might do anything you want --- you may as well use 25/8 or 11.0.0.0/8 internally, after taking steps to ensure you will not be leaking reverse DNS queries, routes, or anything like that; this space is larger than a /10 and would provide more expansion flexibility.
> Then, the customer would be allocated a /28 or larger (depending on needs) to NAT on their side and NAT it once. After that, no more NAT for the VPC and it boils down to firewall rules. Their device needs to NAT outbound before it fires it down the tunnel, which pfSense and ASAs appear to be able to do.
-- -JH
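An added example, not code from either poster: one of the "steps to ensure you will not be leaking reverse DNS queries" is to check resolver logs for PTR lookups on RFC 1918, RFC 6598 (100.64/10) or squatted space that were sent to an external resolver instead of being answered internally. The script below classifies IPv4 addresses against those ranges and scans constructed log lines in a hypothetical `<timestamp> <client> <resolver> <qname> <qtype>` format; the log format, the `25.0.0.0/8` "squatted" set and the `203.0.113.53` external resolver are all assumptions for the example.

```python
import ipaddress

# Address space whose reverse DNS must be answered locally and never reach a
# public resolver. RFC 1918 and RFC 6598 ranges are real; anything the
# operator chose to squat on is passed in separately by the caller.
LOCAL_ONLY_RANGES = {
    "rfc1918": [
        ipaddress.ip_network("10.0.0.0/8"),
        ipaddress.ip_network("172.16.0.0/12"),
        ipaddress.ip_network("192.168.0.0/16"),
    ],
    "rfc6598-shared-cgn": [ipaddress.ip_network("100.64.0.0/10")],
}

# Hypothetical squatted space, as floated in the thread (25/8).
SQUATTED_EXAMPLE = [ipaddress.ip_network("25.0.0.0/8")]


def classify(addr, squatted=()):
    """Label an IPv4 address as rfc1918, rfc6598-shared-cgn, squatted or public."""
    ip = ipaddress.ip_address(addr)
    for label, nets in LOCAL_ONLY_RANGES.items():
        if any(ip in n for n in nets):
            return label
    if any(ip in n for n in squatted):
        return "squatted"
    return "public"


def ptr_to_ip(qname):
    """Turn a reverse name such as '1.0.64.100.in-addr.arpa.' into '100.64.0.1'.
    Returns None for anything that is not a complete IPv4 PTR name."""
    name = qname.rstrip(".").lower()
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        return None
    return ".".join(reversed(octets))


def find_leaked_ptr_queries(log_lines, squatted=()):
    """Return (qname, ip, label) for PTR queries sent to an external resolver
    about address space that should only ever be resolved internally."""
    leaks = []
    for line in log_lines:
        fields = line.split()
        # Constructed log format: <timestamp> <client> <resolver> <qname> <qtype>
        if len(fields) != 5 or fields[4] != "PTR":
            continue
        _ts, _client, resolver, qname, _qtype = fields
        if classify(resolver, squatted) != "public":
            continue  # answered by an internal resolver, so nothing left the site
        ip = ptr_to_ip(qname)
        if ip is None:
            continue
        label = classify(ip, squatted)
        if label != "public":
            leaks.append((qname, ip, label))
    return leaks


# Constructed sample log; 10.0.0.53 is the internal resolver, 203.0.113.53
# (documentation space) stands in for an external one.
SAMPLE_LOG = [
    "2015-02-23T09:02:01 10.1.2.3 10.0.0.53 1.0.64.100.in-addr.arpa PTR",
    "2015-02-23T09:02:02 10.1.2.3 203.0.113.53 1.0.64.100.in-addr.arpa PTR",
    "2015-02-23T09:02:03 10.1.2.3 203.0.113.53 4.3.2.10.in-addr.arpa PTR",
    "2015-02-23T09:02:04 10.1.2.3 203.0.113.53 1.1.0.25.in-addr.arpa PTR",
    "2015-02-23T09:02:05 10.1.2.3 203.0.113.53 53.113.0.203.in-addr.arpa PTR",
    "2015-02-23T09:02:06 10.1.2.3 203.0.113.53 example.com A",
]

if __name__ == "__main__":
    for qname, ip, label in find_leaked_ptr_queries(SAMPLE_LOG, SQUATTED_EXAMPLE):
        print(f"leaked PTR for {ip} ({label}): {qname}")
```

Only the second, third and fourth sample lines are reported: the first went to the internal resolver, the fifth concerns public space, and the last is not a PTR query. The same classifier can be reused on route tables or firewall logs to catch the other leak the reply warns about, routes for 100.64/10 or squatted space escaping the site.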