VPN with router with private IP address and behind dynamic public IP

Unanswered Question
Jul 14th, 2008


I have an 1841 router with Ifirewall IOS behind a public IP.

On the remote side I have a 1801 which is behind a modem/router (with dynamic public IP).... therefore it has a private address on its outside interface.

Central Router (Pub IP)---- Internet ---- (Dynamic Pub IP)Modem/router ---- (Private IP)Router

Is it possible to set up an IPsec VPN? I tried a lot of things but nothing works....

Does anyone have a solution with a working configuration?


singhsaju Mon, 07/14/2008 - 11:22


IPsec does not work if a NAT device is in between.

You can try enabling NAT-T on both sides and then connect. Let me know if it works.



rdubo Mon, 07/14/2008 - 23:26

I'm not sure but I've read that NAT-T is enabled by default on IOS routers....

Daniel Voicu Tue, 07/15/2008 - 04:42


You can use a Cisco Easy VPN setup.

The router behind NAT will be the client, and the router at the head office is the server.

This will emulate a client-to-site connectivity type, but you can configure the tunnel to be permanently up.

A fine example:


The other way is to use DMVPN, which has a special protocol to detect the peers behind NAT, but if you have only two endpoints DMVPN makes little sense.

Please rate if this helped.



rdubo Tue, 07/15/2008 - 04:46

Hi Daniel,

Does it make sense to use Easy VPN if the remote site has a private IP address?

I also had a look at DMVPN but I only have 2 sites... so it takes a lot of configuration for that ;)


Daniel Voicu Tue, 07/15/2008 - 06:29


Yes, it makes perfect sense to use Easy VPN, since with this you don't need to nail down an IP address as VPN peer on the server.

So even if your provider changes the public IP to which you are NATed on the remote site, you will have no problems connecting.

This replicates the client-to-site VPN behavior where you can connect to the server even if you are behind a NAT/PAT device.

Give it a try.
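
The Easy VPN arrangement discussed in this thread, written out as an added example for the 1841/1801 topology in the question; it is not a configuration posted by any participant. The interface names, the names BRANCH, HQ, EZ-*, the user branch1801, the peer address 192.0.2.1 (documentation range) and the bracketed secrets are placeholders and assumptions.

```cisco
! ===== Central 1841: Easy VPN server, static public IP (assumed on Fa0/0) =====
aaa new-model
aaa authentication login EZ-XAUTH local
aaa authorization network EZ-GROUP local
username branch1801 secret <XAUTH-PASSWORD>
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
!
! No peer address is defined here: the remote is accepted by group name and
! key, so its changing, NATed public address does not matter.
crypto isakmp client configuration group BRANCH
 key <GROUP-KEY>
 save-password
!
crypto ipsec transform-set EZ-TS esp-aes esp-sha-hmac
crypto dynamic-map EZ-DYN 10
 set transform-set EZ-TS
 reverse-route
!
crypto map EZ-MAP client authentication list EZ-XAUTH
crypto map EZ-MAP isakmp authorization list EZ-GROUP
crypto map EZ-MAP 10 ipsec-isakmp dynamic EZ-DYN
!
interface FastEthernet0/0
 crypto map EZ-MAP
!
! ===== Remote 1801: Easy VPN remote, private address on the outside =====
! "connect auto" keeps the tunnel up without interesting traffic;
! network-extension mode keeps the branch LAN routable from the central site.
crypto ipsec client ezvpn HQ
 connect auto
 group BRANCH key <GROUP-KEY>
 mode network-extension
 peer 192.0.2.1
 username branch1801 password <XAUTH-PASSWORD>
 xauth userid mode local
!
! Assumed WAN port facing the modem/router
interface FastEthernet0
 crypto ipsec client ezvpn HQ outside
!
! Assumed LAN interface
interface Vlan1
 crypto ipsec client ezvpn HQ inside
```

On the 1801, `show crypto ipsec client ezvpn` reports the tunnel state, and `show crypto ipsec sa` lists UDP-Encaps in the SA settings when NAT-T is in use. The modem/router in front of the 1801 has to pass outbound UDP 500 and UDP 4500.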



