Cisco Support Community

New Member

Creating VPN with (hidden) endpoint.


We are trying to create a VPN tunnel between routers. The only problem is that the ISP at one site does not advertise the external interface IP address of the router. This apparently is standard practice for some ISPs. The problem is that if we cannot see the outside interface of the router, then the endpoint for the VPN cannot be reached.

Is there any way I can get around this problem?

Many thanks.

Cisco Employee

Re: Creating VPN with (hidden) endpoint.

Not really, each endpoint needs to contact the other side to build the tunnel.

I presume the inside users behind this router are not using NAT/PAT, so does that mean they have valid global addresses on their inside network (and on the inside interface of the router)?

If so, you can build a tunnel to this inside interface assuming the other router can reach that. Just set the peer address on the other router to the inside IP address of this router, then on this router use the command:

> crypto map local-address

Then it'll source all its crypto packets from the inside address rather than the outgoing address.
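The approach in the reply above, sketched as an added IOS configuration example (not part of the original post). The map name VPNMAP, transform-set name TS, interface names, ACL number, key placeholder and the RFC 5737 documentation addresses are all assumptions chosen for illustration.

```cisco
! Router A (outside address not advertised by the ISP).
! Assumed: inside LAN uses global addresses, 203.0.113.0/24 (constructed).
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key <PRE-SHARED-KEY> address 198.51.100.1
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
! Interesting traffic: Router A LAN to Router B LAN (assumed 10.2.0.0/16).
access-list 110 permit ip 203.0.113.0 0.0.0.255 10.2.0.0 0.0.255.255
! Source IKE and IPsec packets from the inside interface address
! instead of the address of the interface the map is applied to.
crypto map VPNMAP local-address FastEthernet0/0
crypto map VPNMAP 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set TS
 match address 110
interface FastEthernet0/0
 description Inside, reachable from Router B
 ip address 203.0.113.1 255.255.255.0
interface Serial0/0
 description Outside, address not advertised
 crypto map VPNMAP
!
! Router B (normal, reachable outside address 198.51.100.1, constructed).
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
! Peer and key both point at Router A's INSIDE address.
crypto isakmp key <PRE-SHARED-KEY> address 203.0.113.1
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
access-list 110 permit ip 10.2.0.0 0.0.255.255 203.0.113.0 0.0.0.255
crypto map VPNMAP 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS
 match address 110
interface Serial0/0
 ip address 198.51.100.1 255.255.255.252
 crypto map VPNMAP
```

After the tunnel comes up, `show crypto ipsec sa` on Router A should list the inside address as the local crypto endpoint; if it shows the outside address instead, the `local-address` line is missing or names the wrong interface.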

New Member

Re: Creating VPN with (hidden) endpoint.

Thanks for the reply.

The users on the inside of the router will be on a private address space, say / 16

The router will need to provide NAT to a couple of internal machines, & 16 for PROXY and EMAIL access. All other traffic will be local or passing down the VPN tunnel to the /16 network.

I have a number of global IP addresses to use for internet access (NAT) and to create my VPN tunnel.

The internal router interface (clients default gateway) will be /16

Can I also give this interface a secondary IP address using one of my global IP addresses (say and use this secondary IP address on the internal interface as my VPN endpoint?

Thanks Again. Martin