Cisco Support Community

vpn connection with external modem

Cisco 2651XM router

Using a WIC-ADSL card I have been able to set up a successful VPN connection from a Cisco VPN Client machine to my 2651XM router, but I can't get a connection if I use an external modem.

My LAN at the VPN server end is on 172.16.1.xx and goes into the router on f0/0, which is set to 172.16.1.30.

Port f0/1 is on 192.168.1.100 and goes to an external modem set as the default gateway, 192.169.1.254. With this setup I can surf the Internet on the LAN machines at the server end.

The problem is that I can't get a remote machine to connect to the VPN. It worked when I used the WIC-ADSL connection, but then I was only using the f0/0 port, which was connected to my LAN. Now that I'm including the f0/1 port to connect to an external modem, the VPN client can't connect. The Cisco VPN Client tries to connect using TCP on port 10000, and I've set this up in the modem, but I'm not sure if I've done it correctly. I've tried forwarding the port to both 192.168.1.100 (f0/1) and 172.16.1.30 (f0/0), but neither will work. Attached is my running config. Thanks for any pointers.

----------------------

router#show running-config

Building configuration...

Current configuration : 2757 bytes

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname vpn

!

boot-start-marker

boot-end-marker

!

no logging buffered

no logging console

enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxx

enable password xxxxxxxxxxx

!

aaa new-model

!

!

aaa authentication login default local

aaa authentication login sdm_vpn_xauth_ml_1 local

aaa authentication login sdm_vpn_xauth_ml_2 local

aaa authorization network sdm_vpn_group_ml_1 local

aaa authorization network sdm_vpn_group_ml_2 local

!

aaa session-id common

!

resource policy

!

no network-clock-participate slot 1

no network-clock-participate wic 0

ip cef

!

!

!

!

ip name-server 192.168.1.254

ip name-server 192.168.1.255

ip ddns update method sdm_ddns1

DDNS both

!

!

!

!

!

username xxxxxxxxxxx secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxx

!

!

!

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

!

crypto isakmp client configuration group workgroup

key vpnkey

pool SDM_POOL_2

crypto isakmp profile sdm-ike-profile-1

match identity group workgroup

client authentication list sdm_vpn_xauth_ml_2

isakmp authorization list sdm_vpn_group_ml_2

client configuration address respond

virtual-template 2

!

!

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac

!

crypto ipsec profile SDM_Profile1

set transform-set ESP-3DES-SHA1

set isakmp-profile sdm-ike-profile-1

!

!

!

!

!

interface ATM0/0

no ip address

shutdown

no atm ilmi-keepalive

dsl operating-mode auto

!

interface FastEthernet0/0

ip address 172.16.1.30 255.255.0.0

ip nat inside

ip virtual-reassembly

speed auto

half-duplex

no mop enabled

!

interface FastEthernet0/1

description $ETH-WAN$

ip dhcp client update dns server none

ip ddns update hostname vpn.vpn

ip ddns update sdm_ddns1

ip address dhcp client-id FastEthernet0/1

ip nat outside

ip virtual-reassembly

duplex auto

speed auto

!

interface Virtual-Template2 type tunnel

ip unnumbered FastEthernet0/1

tunnel mode ipsec ipv4

tunnel protection ipsec profile SDM_Profile1

!

router rip

version 2

network 172.16.0.0

network 192.168.1.0

no auto-summary

!

ip local pool SDM_POOL_1 192.168.1.110 192.168.1.120

ip local pool SDM_POOL_2 172.16.1.21 172.16.1.29

!

!

ip http server

no ip http secure-server

ip nat inside source list 3 interface FastEthernet0/1 overload

!

access-list 1 remark SDM_ACL Category=2

access-list 1 permit 172.16.0.0 0.0.255.255

access-list 2 remark SDM_ACL Category=2

access-list 2 permit 192.168.1.0 0.0.0.255

access-list 3 remark SDM_ACL Category=2

access-list 3 permit 172.16.0.0 0.0.255.255

!

!

!

!

control-plane

!

!

!

!

line con 0

line aux 0

line vty 0 4

password xxxxxxxx

!

!

end

1 ACCEPTED SOLUTION

Accepted Solutions

Re: vpn connection with external modem

Hi,

On the ADSL Modem, you need to port forward UDP 500, 4500 and 10000 to the IP of the router.

Basically you instruct the modem to forward to 192.168.1.100 any packet received on 192.169.1.254.

On the VPN client, choose NAT UDP encapsulation to make use of standard NAT-T.

Please rate if this helped.

Regards,

Daniel
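To check the forwarding rule from the Internet side without the Cisco VPN Client, here is an added example (written for this thread, not the Cisco client, not IOS code) that hand-builds an IKEv1 Main Mode SA proposal, sends it to UDP 500 and, with the RFC 3948 non-ESP marker, to UDP 4500, and decodes the ISAKMP header of whatever comes back. The proposal values are an assumption derived from the posted "crypto isakmp policy 1" (3DES, pre-share, group 2) plus the IOS defaults for hash (SHA-1) and lifetime (86400 s); the placeholder target 192.0.2.1 is also an assumption. Any ISAKMP reply proves the modem's rule reaches the router: a Main Mode answer carrying an SA payload means the policy matched, an Informational exchange means the router was reached but rejected the proposal. Silence cannot be attributed: a missing or mis-targeted forwarding rule (for instance the TCP 10000 rule the original post tried) and a filtered packet look identical from outside, so check the modem rule first. UDP 10000, the Cisco-proprietary "IPSec over UDP" encapsulation, only carries traffic after IKE has completed and is not probed here.

```python
"""
Probe the IKE/NAT-T ports a modem has to forward to the router (UDP 500 and
UDP 4500) with a hand-built IKEv1 Main Mode SA proposal and decode the reply.
Added example for this thread: not the Cisco VPN Client, not IOS code. The
proposal (3DES, SHA-1, pre-shared key, DH group 2, 86400 s) is an assumption
taken from the posted 'crypto isakmp policy 1' plus IOS defaults.
"""
import os
import socket
import struct
from typing import Optional

IKE_PORT, NATT_PORT = 500, 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948: IKE on UDP 4500 carries a 4-byte zero marker
# RFC 2408 3.1: I-cookie, R-cookie, next payload, version, exchange, flags, message ID, length
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
PAYLOAD_SA = 1
EXCH_MAIN_MODE, EXCH_INFORMATIONAL = 2, 5


def _attr(attr_type: int, value: int) -> bytes:
    """ISAKMP data attribute: short form (AF bit set) when the value fits in
    16 bits, otherwise the long form with a 4-byte value."""
    if value <= 0xFFFF:
        return struct.pack("!HH", 0x8000 | attr_type, value)
    return struct.pack("!HHI", attr_type, 4, value)


def build_ike_sa_probe(initiator_cookie: Optional[bytes] = None) -> bytes:
    """IKEv1 Main Mode message 1: ISAKMP header plus an SA payload carrying
    one proposal with one transform. The cookie is random unless pinned."""
    icookie = initiator_cookie or os.urandom(8)
    attrs = (_attr(1, 5)           # encryption algorithm: 3DES-CBC
             + _attr(2, 2)         # hash algorithm: SHA-1 (IOS default)
             + _attr(3, 1)         # authentication method: pre-shared key
             + _attr(4, 2)         # Diffie-Hellman group 2
             + _attr(11, 1)        # life type: seconds
             + _attr(12, 86400))   # life duration: IOS default, long form
    # Transform: next=0, reserved, length, transform#=1, transform ID=1 (KEY_IKE), reserved
    transform = struct.pack("!BBHBBH", 0, 0, 8 + len(attrs), 1, 1, 0) + attrs
    # Proposal: next=0, reserved, length, proposal#=1, protocol=1 (ISAKMP), SPI size=0, 1 transform
    proposal = struct.pack("!BBHBBBB", 0, 0, 8 + len(transform), 1, 1, 0, 1) + transform
    # SA: next=0, reserved, length, DOI=1 (IPsec), situation=1 (SIT_IDENTITY_ONLY)
    sa = struct.pack("!BBHII", 0, 0, 12 + len(proposal), 1, 1) + proposal
    header = ISAKMP_HDR.pack(icookie, bytes(8), PAYLOAD_SA, 0x10, EXCH_MAIN_MODE,
                             0, 0, ISAKMP_HDR.size + len(sa))
    return header + sa


def wrap_for_port(msg: bytes, port: int) -> bytes:
    """On UDP 4500 IKE is prefixed with the non-ESP marker so the receiver can
    tell it from UDP-encapsulated ESP; on UDP 500 it is sent as-is."""
    return NON_ESP_MARKER + msg if port == NATT_PORT else msg


def parse_isakmp_header(data: bytes, port: int = IKE_PORT) -> dict:
    """Decode the fixed ISAKMP header of a datagram received on `port`."""
    if port == NATT_PORT:
        if data[:4] != NON_ESP_MARKER:
            raise ValueError("UDP 4500 datagram is not IKE (ESP or 0xFF keepalive?)")
        data = data[4:]
    if len(data) < ISAKMP_HDR.size:
        raise ValueError("truncated ISAKMP header")
    icky, rcky, nxt, ver, exch, flags, msgid, length = ISAKMP_HDR.unpack_from(data)
    return {"initiator_cookie": icky, "responder_cookie": rcky, "next_payload": nxt,
            "version": ver, "exchange_type": exch, "flags": flags,
            "message_id": msgid, "length": length}


def classify_reply(hdr: dict) -> str:
    """Any ISAKMP reply proves the forwarding rule reaches the router; the
    header says whether the IKE policy matched as well."""
    if hdr["exchange_type"] == EXCH_MAIN_MODE and hdr["next_payload"] == PAYLOAD_SA:
        return "router reachable, proposal accepted"
    if hdr["exchange_type"] == EXCH_INFORMATIONAL:
        return "router reachable, notify returned (policy mismatch or rejected)"
    return "router reachable, unexpected exchange type %d" % hdr["exchange_type"]


def probe(host: str, port: int = IKE_PORT, timeout: float = 3.0) -> Optional[dict]:
    """Send one probe from outside and decode the reply. None means silence,
    which is what a missing or mis-targeted forwarding rule looks like."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        try:
            s.bind(("", port))  # many IKE peers expect a matching source port
        except OSError:
            pass                # no privilege for a port below 1024: send anyway
        s.settimeout(timeout)
        s.sendto(wrap_for_port(build_ike_sa_probe(), port), (host, port))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return parse_isakmp_header(data, port)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.1"  # assumed public IP
    for p in (IKE_PORT, NATT_PORT):
        hdr = probe(target, p)
        print(p, "no reply" if hdr is None else classify_reply(hdr))
```

Run it from a host outside the modem against the modem's public address (`python3 ike_probe.py <public-ip>`); binding to port 500/4500 needs root, otherwise the probe still goes out from an unprivileged port. The router will answer the UDP 500 probe only if the proposal matches one of its ISAKMP policies, so if you change policy 1 adjust the attribute values accordingly.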

4 REPLIES

Re: vpn connection with external modem

Most modems also allow doing this quickly by checking/enabling a feature like 'VPN Passthrough', 'IPSec Passthrough', etc. It's usually under the Security or Application settings.

Regards

Farrukh


Re: vpn connection with external modem

Daniel, thanks very much for your response. Your advice worked and I have now got VPN pass-through to my Cisco router using those UDP ports you mentioned. Great stuff.

Re: vpn connection with external modem

No worries :)

Glad to help.

Cheers,

Daniel
