2600 router as a VPN endpoint

Unanswered Question
Dec 5th, 2007


I have an extra 2600 series router lying around and I'd like to use it as a VPN server but not as an internet gateway/firewall. I want it to be a LAN host on an existing NAT'ed network. It would basically be using the same interface for the incoming and the outgoing traffic. Is this doable?

Thank you!

ph0enix Sat, 12/15/2007 - 12:43

Thanks, but I have only one router so I'm not sure how the IOS-to-IOS part applies. I know that the router can work as a VPN server if it's also the network gateway, but how do I configure it using just one network interface when it's a LAN host on a network that already uses a different firewall/gateway solution?

cisco24x7 Sat, 12/15/2007 - 13:42


1) Configure an IP address on your VPN router, let's say . Configure the default gateway on this router to , which is your NAT device (PIX, Check Point, Linux, whatever).

2) On the NAT device create a static NAT for the VPN router:

Pix: static (i,o) net /32

IOS: ip nat inside source static
ip nat inside source static udp 500 int f0/0 500
ip nat inside source static esp int f0/0

3) Allow ISAKMP and ESP or udp/4500 on your external ACL:

access-list vpn permit udp any host eq 500
access-list vpn permit udp any host eq 4500
access-list vpn permit esp any host

4) Apply the ACL to the external interface of the external device:

ip access-group vpn in

5) On the VPN device, configure your VPN device for IPsec.

6) Configure a static route on the NAT device so that when it sees IPsec interesting traffic, it sends it to the

What you're trying to do is often referred to as one-arm VPN routing.

That's it. Very easy.
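The one-arm setup described above worked through with constructed addresses, as an added example and not cisco24x7's own configuration: the single-interface 2600 side and an IOS NAT device side, including the UDP/4500 NAT-T forward that the post's ACL expects and the static route that step 6 refers to. All addresses, interface names, ACL and map names and the remote peer are assumptions.

```cisco
! VPN router: 2600 with a single interface Fa0/0, plain LAN host.
! Constructed addresses: LAN 192.168.1.0/24, VPN router 192.168.1.10,
! NAT device inside 192.168.1.1 / outside 203.0.113.10,
! remote peer 198.51.100.20 fronting 10.20.0.0/24.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-STRONG-PSK address 198.51.100.20
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
 mode tunnel
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.1.0 0.0.0.255 10.20.0.0 0.0.0.255
crypto map VPNMAP 10 ipsec-isakmp
 set peer 198.51.100.20
 set transform-set TS
 match address VPN-TRAFFIC
! The same interface carries cleartext LAN traffic and the tunnel.
interface FastEthernet0/0
 ip address 192.168.1.10 255.255.255.0
 crypto map VPNMAP
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
! NAT/firewall device, IOS variant: Fa0/0 inside, Fa0/1 outside.
! Existing overload NAT for the rest of the LAN is assumed and omitted.
! 1:1 forwards of all three IPsec flows (IKE, NAT-T, ESP) to the VPN router.
ip nat inside source static udp 192.168.1.10 500 interface FastEthernet0/1 500
ip nat inside source static udp 192.168.1.10 4500 interface FastEthernet0/1 4500
ip nat inside source static esp 192.168.1.10 interface FastEthernet0/1
! Inbound policy limited to the known peer; merge into the existing
! inbound ACL instead of applying it alone, or other traffic is dropped.
ip access-list extended OUTSIDE-IN
 permit udp host 198.51.100.20 host 203.0.113.10 eq isakmp
 permit udp host 198.51.100.20 host 203.0.113.10 eq non500-isakmp
 permit esp host 198.51.100.20 host 203.0.113.10
interface FastEthernet0/1
 ip address 203.0.113.10 255.255.255.0
 ip nat outside
 ip access-group OUTSIDE-IN in
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
! Step 6 of the post: send remote-subnet traffic to the VPN router.
ip route 10.20.0.0 255.255.255.0 192.168.1.10
```

Older 12.x images on a 2600 may not offer DH group 14; use the strongest group and transform the image supports and verify the SA with `show crypto isakmp sa` and `show crypto ipsec sa`.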

