
VPN with router with private IP address and behind dynamic public IP

rdubo
Level 1

Hi,

I have an 1841 router with firewall IOS behind a public IP.

On the remote side I have an 1801 which is behind a modem/router (with dynamic public IP).... therefore it has a private address on its outside interface.

Central Router (Pub IP)---- Internet ---- (Dynamic Pub IP)Modem/router ---- (Private IP)Router

Is it possible to set up an IPsec VPN? I tried a lot of things but nothing works....

Does anyone have a solution with a working configuration?

Regards

5 Replies

singhsaju
Level 4

Hi,

IPsec does not work if a NAT device is in between.

You can try enabling NAT-T on both sides and then connect. Let me know if it works.

HTH

Saju

I'm not sure but I've read that NAT-T is enabled by default on IOS routers....

Hi,

You can use a Cisco Easy VPN setup.

The router behind NAT will be the client, and the router on head office is the server.

This will emulate a client-to-site connectivity type, but you can configure the tunnel to be permanently up.

A fine example:

http://cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080808395.shtml

The other way is to use DMVPN, that has a special protocol to detect the peers behind NAT, but if you have only two endpoints DMVPN makes little sense.

Please rate if this helped.

Regards,

Daniel

Hi Daniel,

Does it make sense to use Easy VPN if the remote site has a private IP address?

I also had a look at DMVPN but I only have 2 sites... so it takes a lot of configuration for that ;)

Thanks

Hi,

Yes, it makes perfect sense to use Easy VPN, since with this you don't need to nail down an IP address as VPN peer on the server.

So even if your provider changes the public IP to which you are NATed on the remote site, you will have no problems connecting.

This replicates the client-to-site VPN behavior where you can connect to the server even if you are behind a NAT/PAT device.

Give it a try.

Regards,

Daniel
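
Added example, not part of the thread and not taken from the linked Cisco document: a minimal Easy VPN layout for the topology in the question, with the central router as server and the NATed remote router as client in network-extension mode. The group name, the key placeholder, the peer address 203.0.113.1 and the interface names are assumptions; the modem in front of the remote router must pass UDP 500 and UDP 4500 outbound for NAT-T.

```cisco
! Added example. Names, key and addresses are placeholders, not values from the thread.
! --- Central router (1841, static public IP): Easy VPN server ---
aaa new-model
aaa authorization network EZVPN-AUTHOR local
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
! Group name and key are assumptions; the client must present the same pair
crypto isakmp client configuration group BRANCH
 key REPLACE_WITH_GROUP_KEY
crypto ipsec transform-set EZ-TS esp-aes esp-sha-hmac
! Dynamic map: no "set peer", so the remote site's changing public IP does not matter
crypto dynamic-map EZ-DYN 10
 set transform-set EZ-TS
 reverse-route
crypto map EZ-MAP isakmp authorization list EZVPN-AUTHOR
crypto map EZ-MAP client configuration address respond
crypto map EZ-MAP 10 ipsec-isakmp dynamic EZ-DYN
! Assumed name of the Internet-facing interface
interface FastEthernet0/0
 crypto map EZ-MAP
!
! --- Remote router (1801, private outside address behind the modem): Easy VPN client ---
! Keepalives hold the modem's NAT mapping open for the UDP-encapsulated tunnel
crypto isakmp nat keepalive 20
crypto ipsec client ezvpn HQ
 connect auto
 group BRANCH key REPLACE_WITH_GROUP_KEY
 mode network-extension
 peer 203.0.113.1
! Assumed interface names: FastEthernet0 faces the modem, Vlan1 is the LAN
interface FastEthernet0
 crypto ipsec client ezvpn HQ outside
interface Vlan1
 crypto ipsec client ezvpn HQ inside
```

`show crypto ipsec client ezvpn` on the remote router and `show crypto isakmp sa` on the central router show whether the tunnel came up. `aaa new-model` also changes how logins on the vty lines are authenticated, so confirm a local username exists before applying it.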
