Moving an 877 router so it is now directly connected to the LAN.

Unanswered Question

Ok the story so far.

Started off with 2 routers behind a firewall. The firewall separates them from the local LAN.

Both routers have external internet ip addresses on their LAN and WAN interfaces.

One router is for internet access. all hosts on the local LAN have the firewall as their default gateway.

The firewall in turn points to the first router for its gateway to the internet.

The 2nd router terminates 2 vpn's from the routers of 2 very small branch offices.

What I have done.

replaced the 2nd router with an 877.

copied the config across from the 837.

moved it so that is no longer behind the firewall,and is now directly connected to the LAN, and has a LAN address.

I have updated the vlan1 interface ip and subnet settings to reflect this.

Do I need to do anything else?

Do I need to do anything to the NAT or PAT configuration?

Inspections for the internal LAN?

static routes?

The 877 is just there to terminate the 2 VPNs.

host on the local netowrk need to be able to get to the hosts on the 2 vpn networks. (, and

hosts from the 2 VPN netowrks need to be able to get to host on the local LAN.

Have attached a sanitised copy of the config so far...

Can someone have a read through and tell me what I have missed?

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4 (2 ratings)
Richard Burts Tue, 05/15/2007 - 03:44


There apparently is some history (previous posting ?) to this issue that I do not know and maybe that addresses some of the issues, but it seems to me that it is not necessarily fine.

First a minor point about terminology: the post describes the routers as behind a firewall, but if the connectivity is Internet to router to firewall to LAN, then most of us would describe the router as in front of the firewall rather than behind the firewall.

Then more substantial concerns:

- in the original setup the VPN encrypted traffic went to the router which terminated the VPN and passed unencrypted traffic through the firewall. The new setup will have the router behind the firewall and encrypted traffic will pass through the firewall to the router. It seems to me that significant changes will be needed in the access rules on the firewall to accomodate this.

- in the original setup with the router connected to the Internet it had a public address and VPN peering was fairly obvious. If the router is behind the firewall and has a address then how will the VPN peering work? It seems to me that there needs to be a static translation of the router private address into some public address so that the VPN router is reachable from the Internet.

- in the original set up the remote office subnets were on the other side of the firewall from the client end stations. I assume that the end stations had default gateways to the firewall and the firewall had routes which directed these subnets to the VPN router. And it worked very simply. Now that router is inside the firewall. If the end station still has its default gateway pointed to the firewall then the firewall needs to forward to the VPN router. At a minimum that requires changing the routing on the firewall. And depending on the version of code on the firewall, it may or may not be able to forward traffic back out the same interface on which it was received (before 7.0 the PIX was not capable of this). The alternative is to provide some routing within the LAN so that traffic to the remote VPN subnets is directed to the VPN router rather than to the firewall.

paolo - if you addressed these issues in previous postings perhaps we need a recap of the previous postings. Otherwise it does not seem to me that this is fine.



Paolo Bevilacqua Tue, 05/15/2007 - 04:01

Rick - you may be very well be right, I thought it was just a router replacement.

Paul can clarify better. I wish that every question could come with a detailed drawing of the complete scenario, but that rarely happens. So one has to infer things, in the years I think i become good at "inferring".

Richard Burts Tue, 05/15/2007 - 04:21


You may very well be correct that the syntax of the router config is fine as far as replacing an 837 with an 877 (I confess that I did not really look much at the details of it). But in looking at the big picture it seems to me that there are some issues in functionality and design that need to be addressed.



Ok, so before I started there were 2 routers, infront of the firewall, that had their own seperate ADSL internet connections. Own seperate WAN IP address, and seperate Internet IP addresses on their Ethernet interfaces.

One of the routers provided Internet access, the other VPN termination.

I have moved the router that terminates the 2 VPN's. it is now on the local LAN. behind the firewall. it's WAN interface connects to the internet via ADSL, and has a static external internet IP. You can get to it without going through any firewalls.

Its Ethernet interface has a local LAN IP. -

The other router remains untouched.

It is still the final (via the firewall) gateway out for hosts on the local LAN to browse the internet.

Richard Burts Wed, 05/16/2007 - 17:18


I am not sure that I understand correctly what your environment is and what you have configured. I believe that I understand that the user end stations have a default gateway pointing to the firewall and that when users want general Internet access their packets from their PC are sent to the firewall which forwards them to the Internet router. Is this understanding correct?

If that is correct then I do not understand how you are handling the traffic to a remote office connected by the VPN. When a user attempts to send something that should go over the VPN does their PC still send to its default gateway (the firewall)? How does the packet get to the VPN router? Can you help me understand this?



That is correct. the windows pc's on the local LAN -, have default gateways that point to the firewall

The firewall has static routes that point all traffic destined for the VPN subnets - and to particular ip.

I have not managed to get that far yet though.

On the 877, the Ethernet interface comes up.

Can ping other hosts on the LAN, other hosts can ping the VLAN1 ip.

The ATM0 and Dialer1 interfaces look like they come up.

The ADSL ip comes up, and is correct.

I can ping random internet IP?s, ip etc.

Although the Tunnels list as being up, line protocol up, they do not show any packets input or output when a show interface tunnel etc is run.

A show crypto ipsec sa does not reveal any movement.

I cannot ping the external internet ip of either vpn endpoints.

And I have no idea why not.

Richard Burts Wed, 05/16/2007 - 17:52


Of the several things that you talk about here the one that I suggest should be addressed first is this one:

I cannot ping the external internet ip of either vpn endpoints.

If you do not have IP connectivity between the external IP addresses then the tunnel can not work. Where are you doing the ping? From the router, from a PC, from the firewall?

Does the VPN router have a default route? If so where does it point?

If you do a traceroute toward the remote external interface address where does it go and how far does it get before it dies?



I was trying to ping from the console of the router.

When I copied across the config from the orginal working, operational 837, I made the changes to vlan1 so it now has an internal LAN ip address.

I made the changes I thought necessary to the ip routes.

Replaced the ip route dialer 1 so it points to the internal LANs gateway ip address.

it is now ip route

Removed the route for Figured it is now part of that network, so won?t need a route for it.

I will post a sanitized copy of the current config I am trying to make work, and a small "before and after" visio.

Richard Burts Wed, 05/16/2007 - 18:23


The additional details are helpful.

I question changing the default route to point through the inside interface. It seems to me that what is inside is known. So why do you point the default route (how do we get to unknown destinations) to the known environment?

I suspect that what is happening is that the attempt to ping from the router console (which is where you should be testing from) is being routed to the firewall when it probably should be routed through the outside interface.

If there is some reason to have the default route point toward the inside interface (and through the firewall) then I believe that there should be a static route for the outside addresses of the 2 remote VPN routers.



I pointed the route to the default gateway, so that any traffic coming down the vpn tunnels, from or networks, would be able to be directed to local LANs default gateway.

Say there is traffic comming down the VPN tunnels that is intended for the internet, they could get to the internet via the local LANs normal default gateway. -

I think you are onto something though.

I think this could be where the issue is.

Are you suggesting I should change the default route to dialer 1. or that I should add 2 routes for the 2 external ip's at the other end of the VPN tunnels - 2 routes that point to dialer 1?

Have attached a sanitised copy of the current config.

Richard Burts Wed, 05/16/2007 - 19:09


I believe that at a minimum you should add 2 static routes (1 for each remote router).

I still am puzzled by the logic of changing the default route. Do I understand correctly from earlier posts that in the original configuration (the 837) that the default route for the VPN router pointed to the dialer to the Internet? Did it work correctly? If so, why are you now pointing the default inside?

If I am understanding the original environment correctly, when traffic came from one of the remote sites through the VPN, it got to the VPN router which forwarded it directly to the Internet (it did not need to go through the firewall). Why does it now need to go through the LAN, through the firewall to get to the Internet?



I think you might be correct.

I would like the traffic to have to go out via the firewall. That way it is "firewalled".

But it doesn't have too.

Can I just add the 2 ip routes from the config t prompt? or do they need to be in a certain order?

When I add the 2 routes:

ip route (external ip address) (subnet) dialer 1

ip route (external ip address) (subnet) dialer 1

The 2 ip's are 210.?.?.? and 203.?.?.? External internet static IP's. What so I do for the subnet?

Richard Burts Wed, 05/16/2007 - 19:38


If you want to change the policy and have the remote VPN traffic going to the Internet through the firewall, then you certainly can make the change in policy. But I think that it is helpful to be very explicit that there is a change in policy.

I assumed from most of the posts that you were maintaining the same policy and just changing the location. If it had been explicit that policy was changing then we might have looked at the question of routing changes a bit more quickly.

But anyway - the current question is about the 2 static routes. Yes they can just be entered at the prompt after config t. They do not need to be in any particular order. What mask to use depends a bit on how you want to configure them. I would suggest using a host specific route like ip route 210.x.x.x dialer 1. But if you wish to configure a route to the subnet where they are located that could work also.




This Discussion