Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
922
Views
0
Helpful
3
Replies

2600 router as a VPN endpoint

ph0enix
Level 1
Level 1

‎12-05-2007 11:16 AM - edited ‎02-21-2020 03:24 PM

Hi,

I have an extra 2600 series router laying around and I'd like to use it as a VPN server but not as a internet gateway/firewall. I want it to be a LAN host on an existing NAT'ed network. It would basically be using the same interface for the incoming and the outgoing traffic. Is this doable?

Thank you!

Labels:
0 Helpful
3 Replies 3

jbayuka
Level 5
Level 5

‎12-12-2007 12:30 PM

Yes, you can use 2600 router as vpn server. Refer to Configuring IOS-to-IOS IPSec Using AES Encryption for information

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080194650.shtml

0 Helpful

ph0enix
Level 1
Level 1
In response to jbayuka

‎12-15-2007 12:43 PM

Thanks, but I have only one router so I'm not sure how the IOS-to-IOS part applies. I know that the router can work as a VPN server if it's also the network gateway but how do I configure it using just one network interface when it's a LAN host on that already uses a different firewall/gateway solution.

0 Helpful

cisco24x7
Level 6
Level 6
In response to ph0enix

‎12-15-2007 01:42 PM

VPNRouter----NAT_device---Internet-----Partner_X

1) configure an ip address on your VPN router,

let say 192.168.1.2/24. Configure default gateway

on this router to 192.168.1.1 which is your NAT

device (Pix, checkpoint, Linux, whatever),

2) On the NAT device create a static NAT for

the VPN router:

Pix: static (i,o) 1.1.1.2 192.168.1.2 net /32

IOS: ip nat inside source static 192.168.1.2 1.1.1.2

or

ip nat inside source static udp 500 192.168.1.2 int f0/0 500

ip nat inside source static esp 192.168.1.2 int f0/0

3) allow isakmp and ESP or udp/4500 on your external ACL:

access-list vpn permit udp any host 1.1.1.2 eq 500

access-list vpn permit udp nay host 1.1.1.2 eq 4500

access-list vpn permit esp any host 1.1.1.2

4) apply ACL to external interface of external device:

ip access-group vpn in

5) on the vpn device, configure your VPN device for IPSec,

6) configure static route on the NAT_device so that

when it see IPSec interesting traffic, send it to the

VPNRouter.

What you're trying to do is often referring

to as one-arm vpn routing

That's it. Very easy.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents