Cisco Support Community

New Member

IOS vpn with ip unnumbered

Hi, everyone

I'd like to know whether I can connect a site-to-site VPN using ip unnumbered on the external (Internet-side) interface and a fixed IP on the internal (private) interface.

I'd like to do a site-to-site VPN via the Internet using a 1720. My customer uses a service with 8 assigned IPs, so the 1720 connects to the Internet with "ip unnumbered", not a fixed IP.

But I can't find any VPN sample configurations or diagrams on CCO that use ip unnumbered on the router's Internet-side interface.

Can I use "ip unnumbered" with vpn?

Best Regards,

New Member

Re: IOS vpn with ip unnumbered

You should be able to make that work. Try using the 'crypto map local-address ' command. Make the interface the same one that your ip unnumbered points at.
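The setup suggested in the reply above, written out as an added example (not part of the original thread and not taken from Cisco documentation). The map name VPN, the interface names, ACL 110, the RFC 5737 documentation addresses and the crypto parameters are all assumptions for illustration.

```ios
! Added example: hypothetical names, documentation addresses (RFC 5737).
! Crypto parameters must match the peer and what the IOS release supports.
!
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
! Placeholder key and assumed peer address.
crypto isakmp key <PRE-SHARED-KEY> address 198.51.100.1
!
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
!
! Source IKE and IPsec from the numbered interface instead of the
! interface the crypto map is applied to. This is the same interface
! that "ip unnumbered" borrows its address from.
crypto map VPN local-address FastEthernet0
crypto map VPN 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set TS
 match address 110
!
! Numbered interface holding one address from the assigned block.
interface FastEthernet0
 ip address 203.0.113.1 255.255.255.248
!
! Internet-side link has no address of its own.
interface Serial0
 ip unnumbered FastEthernet0
 crypto map VPN
!
! Traffic to protect: local block to the assumed remote LAN.
access-list 110 permit ip 203.0.113.0 0.0.0.7 192.168.2.0 0.0.0.255
```

The remote peer must use 203.0.113.1 as its `set peer` address and key address. After the tunnel comes up, `show crypto ipsec sa` reports the local crypto endpoint, which should be the FastEthernet0 address.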

New Member

Re: IOS vpn with ip unnumbered

Just to take this concept a little further. I have a client whose Internet-facing serial interface is configured with "ip unnumbered". In addition, they are running NAT (or rather PAT) overload. Furthermore, some internal hosts that need to be accessed from the Internet are configured for static NAT. The client has a requirement to configure IPSec VPN between this router and a remote site. Usually NAT takes place before IPSec, but to avoid this I could configure some policy-routing to ensure that the packets from the local private network destined for the remote private network undergo IPsec encryption. However, my problem is: what source address will the IPSec encrypted packets have? In other words, suppose that in the example at,

the Ethernet0/1 interface for the Daphne router were unnumbered and the NAT configuration was as follows:

ip nat inside source list 122 X.X.X.X X.X.X.X overload

ip nat inside source static

What would be the source address of the IPSec encrypted packets if the serial interface were configured with "ip unnumbered" and the crypto map applied under this interface?