VPN server is behind the Cisco 857w

Dec 12th, 2009

VPN server is behind the Cisco ADSL 857w router/modem.

From a remote site, we want to establish an IPsec VPN tunnel and a PPTP remote VPN access.

#1. How to configure the 857w to bridge mode or modem only?

#2. If the 857w remains as ADSL router/NAT, how to configure this router such that an IPsec VPN tunnel can be established and PPTP remote VPN access would work?

Many many thanks.

Kent Heide Mon, 12/14/2009 - 00:24

I would not recommend putting your VPN (server) behind NAT. It is doable though.

You will need to open ports for IKE (ISAKMP) and IPsec (udp/500, udp/4500 for NAT-T, and protocols 50 and 51 for ESP and AH respectively).

I guess it's possible to do this by the use of a static nat. You will just have to try. What kind of box is your vpn server? ASA? VPN3k?

rocknolds Mon, 12/14/2009 - 05:21

Thanks Kent.

Yeah, that is why I asked #1 above: whether I can configure the 857w to bridge mode or modem mode only, so that the VPN box will handle the public IP address.

It is a DFL-860 VPN/Firewall.

I am a bit confused though because I can only do a static NAT (port forward) on the following ports:

udp 500

udp 4500

esp ip 50

but ip 51 is not available.

When I tried to check the protocols/ports available using an ACL (using the ? key), they showed up there, including GRE ip 47 and other IKE-related traffic/ports.

I guess if somebody can help me configure the 857w to a dumb modem, it would be easy for me to configure IPSec site to site VPN and PPTP remote VPN access.

Many many thanks.

Kent Heide Mon, 12/14/2009 - 05:35

You are confusing static NAT with PAT. You're not going to be doing any port address translation, but a static NAT translation.

By this I mean that you should dedicate an external IP to use in your static NAT for the VPN server, instead of PAT'ing it.

Refer to this guide http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094e77.shtml :-)

If you desperately want to put your 857 in bridge mode then what you need to read up on is the "bridge-group" functionality. I'm sure you can find this on CCO somewhere!
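To illustrate the one-to-one static NAT Kent describes (as opposed to port forwarding), here is an added IOS configuration sketch for the 857w; it is not from the thread or from Cisco's guide. It assumes Vlan1 is the LAN, Dialer0 is the ADSL/outside interface, the DFL-860 sits at 192.168.1.10, and the ISP routes a spare public address 203.0.113.11 (a documentation address, chosen here as a placeholder) to the dialer.

```cisco
! Added example, not from the thread. Addresses are assumed placeholders.
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface Dialer0
 ip nat outside
 ip access-group VPN-IN in
!
! Existing PAT for the rest of the LAN (assumed); the static entry below
! takes precedence for the VPN box.
ip nat inside source list LAN interface Dialer0 overload
!
! One-to-one static NAT: the whole address is mapped, so ESP, AH and GRE,
! which have no ports and cannot be port-forwarded, pass through intact.
ip nat inside source static 192.168.1.10 203.0.113.11
!
! Inbound filter on the outside interface. Inbound ACLs are checked before
! the global-to-local translation, so match on the public address.
ip access-list extended VPN-IN
 remark IKE and NAT-T (udp/500, udp/4500)
 permit udp any host 203.0.113.11 eq isakmp
 permit udp any host 203.0.113.11 eq non500-isakmp
 remark IPsec data: ESP (ip proto 50) and AH (ip proto 51)
 permit esp any host 203.0.113.11
 permit ahp any host 203.0.113.11
 remark PPTP control channel (tcp/1723) and its GRE (ip proto 47) data channel
 permit tcp any host 203.0.113.11 eq 1723
 permit gre any host 203.0.113.11
 remark Existing rules for the LAN's return traffic go here; implicit deny at the end
!
ip access-list standard LAN
 permit 192.168.1.0 0.0.0.255
```

With NAT-T (udp/4500) in use, the IPsec peers will normally encapsulate ESP in UDP anyway, but the ESP/AH permits keep the configuration valid for peers that negotiate without NAT-T; `show ip nat translations` and `show access-lists` will confirm the static mapping and which ACL lines are being hit.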