VPN server is behind the Cisco 857w

Dec 12th, 2009

VPN server is behind the Cisco ADSL 857W router/modem.


From a remote site, we want to establish an IPsec VPN tunnel and a PPTP remote VPN access.


#1. How to configure the 857w to bridge mode or modem only?


#2. If the 857w remains as ADSL router/NAT, how to configure this router such that the IPsec VPN tunnel can be established and PPTP remote VPN access would work?


Many many thanks.

Kent Heide Mon, 12/14/2009 - 00:24

I would not recommend putting your VPN (server) behind NAT. It is doable though.


You will need to open ports for IKE (ISAKMP) and IPsec (udp/500, udp/4500 for NAT-T, and protocols 50 and 51 for ESP and AH respectively).


I guess it's possible to do this by the use of a static NAT. You will just have to try. What kind of box is your VPN server? ASA? VPN3k?

rocknolds Mon, 12/14/2009 - 05:21

Thanks Kent.


Yeah, that is why I asked #1 above, whether I can configure the 857w to bridge mode or modem-only mode so that the VPN box will handle the public IP address.


It is a DFL-860 VPN/Firewall.


I am a bit confused though because I can only do a static NAT (port forward) on the following ports:


udp 500

udp 4500

esp ip 50


but IP 51 is not available.


When I tried to check the protocols/ports available using an ACL (using the ? key), they showed up there, including GRE (IP 47) and other IKE-related traffic/ports.


I guess if somebody can help me configure the 857w as a dumb modem, it would be easy for me to configure the IPsec site-to-site VPN and PPTP remote VPN access.


Many many thanks.

Kent Heide Mon, 12/14/2009 - 05:35

You are confusing the static NAT with PAT. You're not going to be doing any port address translation, but a static NAT translation.


By this I mean that you should dedicate an external IP to use in your static NAT for the VPN server, instead of PAT'ing it.


Refer to this guide: http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094e77.shtml :-)



If you desperately want to put your 857 in bridge mode then what you need to read up on is the "bridge-group" functionality. I'm sure you can find this on CCO somewhere!
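What the static NAT advice above looks like on an IOS router, written as an added example for this thread rather than taken from the Cisco guide or from any poster's configuration. It assumes the 857W has a second routable address (203.0.113.10, a placeholder) besides the Dialer's own, that the LAN is 192.168.1.0/24 with the DFL-860 at 192.168.1.10 (placeholders), and that the inside and outside interfaces are Vlan1 and Dialer0; PPTP's control channel on TCP 1723 is added alongside the GRE and IPsec protocols the thread names.

```cisco
! Added example, not from the thread. Addresses and interface names are
! placeholders; adjust to the real LAN and PPPoE setup before use.
!
! Inside (LAN) interface of the 857W
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
! Outside (ADSL PPPoE) interface; the inbound filter is applied here
interface Dialer0
 ip nat outside
 ip access-group VPN-PASSTHRU in
!
! One-to-one static NAT: the dedicated public address 203.0.113.10 maps to
! the DFL-860 at 192.168.1.10. Because this is a whole-address translation
! (not PAT), UDP, ESP, AH and GRE are all forwarded without per-port entries,
! which is why IP protocol 51 need not appear in any port-forward list.
ip nat inside source static 192.168.1.10 203.0.113.10
!
! Inbound filter: only the VPN protocols reach the translated address.
! Destination is the public address because the ACL is evaluated on the
! outside interface before NAT translates inbound packets.
ip access-list extended VPN-PASSTHRU
 remark IKE (UDP 500) and NAT-T (UDP 4500)
 permit udp any host 203.0.113.10 eq isakmp
 permit udp any host 203.0.113.10 eq non500-isakmp
 remark IPsec payloads: ESP (IP protocol 50) and AH (IP protocol 51)
 permit esp any host 203.0.113.10
 permit ahp any host 203.0.113.10
 remark PPTP: control channel on TCP 1723 plus GRE (IP protocol 47)
 permit tcp any host 203.0.113.10 eq 1723
 permit gre any host 203.0.113.10
```

The ACL ends with IOS's implicit deny, so replies to sessions the LAN itself opens will also be dropped on Dialer0 unless the router already runs stateful inspection (ip inspect) or the ACL additionally permits that return traffic; check what is applied inbound today before adding this filter.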
