Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
966
Views
0
Helpful
3
Replies

VPN server is behind the Cisco 857w

rocknolds
Level 1
Level 1

‎12-12-2009 05:46 PM

VPN server is behind the cisco adsl 857w router/modem.

From a remote site, we want to establish an IPsec VPN tunnel and a PPTP remote VPN access.

#1. How to configure the 857w to bridge mode or modem only?

#2. If 857w ramains as adsl router/NAT, how to configure this router such that IPSec VPN tunnel can be established and PPTP remote VPN access would work?

Many many thanks.

Labels:
0 Helpful
3 Replies 3

Kent Heide
Level 1
Level 1

‎12-14-2009 12:24 AM

I would not recommend putting your VPN (server) behind NAT. It is doable though.

You will need to open ports for IKE(isakmp) and IPsec (udp/500, udp/4500 for nat-t and protocols 50 and 51 for esp and ah respectively.)

I guess it's possible to do this by the use of a static nat. You will just have to try. What kind of box is your vpn server? ASA? VPN3k?

0 Helpful

rocknolds
Level 1
Level 1
In response to Kent Heide

‎12-14-2009 05:21 AM

Thanks Kent.

Yeah that is why I ask #1 above if I can configure the 857w to bridge mode or modem mode only so that the VPN box will handle the public ip address.

It is a DFL-860 VPN/Firewall.

I am a bit confused though because I can only do a static NAT (port forward) on the following ports:

udp 500

udp 4500

esp ip 50

but ip 51 is not available.

when i tried to check the prots/ports available using  ACL (using the ? key), they showed there including GRE ip 47 and other IKE related traffic/ports.

I guess if somebody can help me configure the 857w to a dumb modem, it would be easy for me to configure IPSec site to site VPN and PPTP remote VPN access.

Many many thanks.

0 Helpful

Kent Heide
Level 1
Level 1
In response to rocknolds

‎12-14-2009 05:35 AM

You are confusing the static with PAT. You're not going to be doing any port address translation, but a static nat translation.

By this I mean that you should dedicated an external IP to use in your static nat for the VPN server. Instead of PAT'ing it.

Refer to this guide http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094e77.shtml  :-)

If you desperately want to put your 857 in bridge mode then what you need to read up on is the "bridge-group" functionality. I'm sure you can find this on CCO somewhere!

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents