Cisco Support Community

Site - Site VPN using routers and private ip on serial link to ISP

I am connecting a remote site to HQ using 2611XM routers and IPsec. I did a very similar setup a few months back and everything went great. This time, however, the remote site ISP has provided a private IP on the serial link to the Internet. I have been provided a set of public IPs which I use to NAT (PAT) the private internal network.

My question is: how do I define the peer address for the crypto command on my HQ router? Normally, the peer address is the address of the serial port of the remote router. Here, in this case, it is a private IP, so how do I define it?

!
interface FastEthernet1/0
 ip address 192.168.54.1 255.255.255.0
 ip nat inside
!
interface Serial1/0
 description Link to the Internet
 ip address 172.19.200.62 255.255.255.252
 ip nat outside
!
ip nat pool RG-Geoge-natpool 210.106.219.241 210.106.219.241 netmask 255.255.255.248
ip nat inside source list nat-list pool RG-Geoge-natpool overload
!
ip classless
ip route 0.0.0.0 0.0.0.0 172.19.200.61
!
ip access-list extended nat-list
 permit ip 192.168.54.0 0.0.0.255 any
!


Re: Site - Site VPN using routers and private ip on serial link

Hi,

You have defined a NAT pool 210.106.219.241 which is not part of your configured IP segments. If this config is correct, then your serial interface also has to be "natted" by your ISP to a public IP address. Then you can build a crypto map in tunnel mode on the serial interface. On the remote site you must define the peer address as the address your ISP NATs your serial interface to. CAUTION: IPsec NAT is not provided by every router and not even by every Cisco IOS. So talk to your ISP and get a public address, and also get it clear that ESP providing is enabled.

Hope this helps a bit

Regards Norbert Steup
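
An added example, not part of the original thread and not a Cisco tool: a Python check of the posted configuration for the two things the reply points out, a private (RFC 1918) address on the `ip nat outside` interface and a NAT pool that lies outside every configured subnet. The function names and finding labels are assumptions made for this example.

```python
import ipaddress
import re
# Remote-site configuration as posted in the question.
CONFIG = """\
interface FastEthernet1/0
 ip address 192.168.54.1 255.255.255.0
 ip nat inside
!
interface Serial1/0
 description Link to the Internet
 ip address 172.19.200.62 255.255.255.252
 ip nat outside
!
ip nat pool RG-Geoge-natpool 210.106.219.241 210.106.219.241 netmask 255.255.255.248
ip nat inside source list nat-list pool RG-Geoge-natpool overload
"""

def parse_interfaces(config):
    """Map interface name -> {"addr": IPv4Interface or None, "nat": str or None}."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if m := re.match(r"interface (\S+)", line):
            current = interfaces.setdefault(m.group(1), {"addr": None, "nat": None})
        elif not line.startswith(" "):
            current = None  # back at global configuration level
        elif current is not None:
            if m := re.match(r"\s+ip address (\S+) (\S+)", line):
                current["addr"] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
            elif m := re.match(r"\s+ip nat (inside|outside)", line):
                current["nat"] = m.group(1)
    return interfaces

def audit(config):
    """Return (finding, name, address) tuples for the two points the reply raises."""
    findings = []
    interfaces = parse_interfaces(config)
    for name, itf in interfaces.items():
        # A private outside address is not reachable from HQ as an IPsec peer.
        if itf["nat"] == "outside" and itf["addr"] and itf["addr"].ip.is_private:
            findings.append(("private-outside", name, str(itf["addr"].ip)))
    connected = [itf["addr"].network for itf in interfaces.values() if itf["addr"]]
    for m in re.finditer(r"^ip nat pool (\S+) (\S+) (\S+) netmask", config, re.M):
        start, end = (ipaddress.ip_address(a) for a in m.group(2, 3))
        # Pool addresses that are on no connected subnet ("configured IP segment").
        if not any(start in net and end in net for net in connected):
            findings.append(("pool-off-link", m.group(1), str(start)))
    return findings

if __name__ == "__main__": print(audit(CONFIG))
```
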
