Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

2600 router as a VPN endpoint

Hi,

I have an extra 2600 series router laying around and I'd like to use it as a VPN server but not as a internet gateway/firewall. I want it to be a LAN host on an existing NAT'ed network. It would basically be using the same interface for the incoming and the outgoing traffic. Is this doable?

Thank you!

3 REPLIES
Bronze

Re: 2600 router as a VPN endpoint

Yes, you can use 2600 router as vpn server. Refer to Configuring IOS-to-IOS IPSec Using AES Encryption for information

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080194650.shtml

Community Member

Re: 2600 router as a VPN endpoint

Thanks, but I have only one router so I'm not sure how the IOS-to-IOS part applies. I know that the router can work as a VPN server if it's also the network gateway but how do I configure it using just one network interface when it's a LAN host on that already uses a different firewall/gateway solution.

Silver

Re: 2600 router as a VPN endpoint

VPNRouter----NAT_device---Internet-----Partner_X

1) configure an ip address on your VPN router,

let say 192.168.1.2/24. Configure default gateway

on this router to 192.168.1.1 which is your NAT

device (Pix, checkpoint, Linux, whatever),

2) On the NAT device create a static NAT for

the VPN router:

Pix: static (i,o) 1.1.1.2 192.168.1.2 net /32

IOS: ip nat inside source static 192.168.1.2 1.1.1.2

or

ip nat inside source static udp 500 192.168.1.2 int f0/0 500

ip nat inside source static esp 192.168.1.2 int f0/0

3) allow isakmp and ESP or udp/4500 on your external ACL:

access-list vpn permit udp any host 1.1.1.2 eq 500

access-list vpn permit udp nay host 1.1.1.2 eq 4500

access-list vpn permit esp any host 1.1.1.2

4) apply ACL to external interface of external device:

ip access-group vpn in

5) on the vpn device, configure your VPN device for IPSec,

6) configure static route on the NAT_device so that

when it see IPSec interesting traffic, send it to the

VPNRouter.

What you're trying to do is often referring

to as one-arm vpn routing

That's it. Very easy.

578
Views
0
Helpful
3
Replies
CreatePlease to create content