
New Member

VPN/IPSec connection from two routers behind two 'Internet' routers ????

Hi all,

Situation:

Two sites both with a router connected to Internet.

My client wants to have on each site another router behind the respective Internet router.

An IPSec/VPN connection has to be built between the two routers (871s) behind the Internet routers.

Is this possible? And if so, how?

Thanks for your help

Jaap Laaij

Netherlands

4 REPLIES
New Member

Re: VPN/IPSec connection from two routers behind two 'Internet'

Jaap,

If your client has a spare public address on both Internet router subnets that you can use, you might want to try 1-to-1 NAT that translates your FA4 IPs to an 81.x.x.x and an 83.x.x.x IP. Specify the far end public IP as your IPSEC peer and build a site-to-site tunnel.

New Member

Re: VPN/IPSec connection from two routers behind two 'Internet'

Hi Carl,

Thanks for your reply.

The problem is that my client doesn't have spare public addresses. The addresses that he has are also leased.

However, if he did, how do you 'push' the spare public address to the F4 WAN port of the router (870) behind the Internet router? How do you tell the Internet router that the incoming public address belongs to the 870 router?

Is there any other way to get around this?

Thanks,

Jaap

Silver

Re: VPN/IPSec connection from two routers behind two 'Internet'

Jaap,

It CAN be done without a spare IP address.

On both Internet routers, do this (81.x.x.x on one side, 83.x.x.x on the other):

! forward ISAKMP (UDP/500), NAT-T (UDP/4500) and ESP arriving on the
! public interface to the VPN router sitting behind this box
ip nat inside source static udp 192.168.0.101 500 interface FastEthernet0/0 500
ip nat inside source static udp 192.168.0.101 4500 interface FastEthernet0/0 4500
ip nat inside source static esp 192.168.0.101 interface FastEthernet0/0
!
interface FastEthernet0/0
 description Internet Facing
 ip address 81.x.x.x 255.255.255.0
 ip nat outside
! the mask was not given in the post; use the one assigned by the ISP
!
interface FastEthernet0/1
 description RFC1918
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
! the post gave this interface 192.168.0.101, which is the address of the
! VPN router behind it; the two must differ, so 192.168.0.1 is assumed here

on the router behind the 81.x.x.x router:

! interesting traffic: local LAN 10.10.10.0/24 to remote LAN 10.10.11.0/24
access-list 101 permit ip 10.10.10.0 0.0.0.255 10.10.11.0 0.0.0.255
!
crypto isakmp key cciesec address 83.x.x.x no-xauth
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
crypto ipsec transform-set 3des esp-3des esp-sha-hmac
!
crypto map vpn 10 ipsec-isakmp
 set peer 83.x.x.x
 set transform-set 3des
 match address 101
!
interface FastEthernet4
 ip address 192.168.0.101 255.255.255.0
 crypto map vpn

on the router behind the 83.x.x.x router:

! mirror image of the other side's ACL
access-list 101 permit ip 10.10.11.0 0.0.0.255 10.10.10.0 0.0.0.255
!
crypto isakmp key cciesec address 81.x.x.x no-xauth
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
crypto ipsec transform-set 3des esp-3des esp-sha-hmac
!
crypto map vpn 10 ipsec-isakmp
 set peer 81.x.x.x
 set transform-set 3des
 match address 101
! the peer is the far side's public address (the post repeated 83.x.x.x here)
!
interface FastEthernet4
 ip address 192.168.0.101 255.255.255.0
 crypto map vpn

This way, when ISAKMP, NAT-T and ESP traffic hits the 81.x.x.x or 83.x.x.x IP address, it will be translated to 192.168.0.101 and it will work. I do this all the time.

This works on both IOS 12.2(15)T17 and IOS 12.3(24a)

CCIE Security
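The configs above have to agree in several places at once (each side's `set peer` and `crypto isakmp key ... address` must name the far side's public address, each Internet router must forward UDP/500, UDP/4500 and ESP to its own VPN router's WAN address, and the two crypto ACLs must mirror each other), and a copy-paste slip in any one of them leaves phase 1 or phase 2 silently failing. The following Python script is an added example, not part of this thread or a Cisco tool: it parses a constructed pair of configs modelled on the ones posted (with the placeholders 81.0.0.1 and 83.0.0.1 standing in for 81.x.x.x and 83.x.x.x) and reports where the two sides disagree. Side B is deliberately written with `set peer` pointing at its own public address so the check has something to find.

```python
"""Consistency check for a pair of site-to-site IPsec configs in which each
VPN router sits behind an Internet router that static-NATs UDP/500, UDP/4500
and ESP to it. Constructed example for illustration; not a Cisco tool."""
import re

# Constructed sample configs modelled on the thread. 81.0.0.1 and 83.0.0.1
# are placeholders for the public addresses written as 81.x.x.x / 83.x.x.x.
SITE_A = {
    "public_ip": "81.0.0.1",
    "internet_router": """
ip nat inside source static udp 192.168.0.101 500 interface FastEthernet0/0 500
ip nat inside source static udp 192.168.0.101 4500 interface FastEthernet0/0 4500
ip nat inside source static esp 192.168.0.101 interface FastEthernet0/0
""",
    "vpn_router": """
access-list 101 permit ip 10.10.10.0 0.0.0.255 10.10.11.0 0.0.0.255
crypto isakmp key cciesec address 83.0.0.1 no-xauth
crypto map vpn 10 ipsec-isakmp
 set peer 83.0.0.1
 match address 101
interface FastEthernet4
 ip address 192.168.0.101 255.255.255.0
 crypto map vpn
""",
}

# Side B with the slip from the thread: NAT forwards and ACL are fine, but
# 'set peer' names its own public address instead of the far side's.
SITE_B = {
    "public_ip": "83.0.0.1",
    "internet_router": """
ip nat inside source static udp 192.168.0.101 500 interface FastEthernet0/0 500
ip nat inside source static udp 192.168.0.101 4500 interface FastEthernet0/0 4500
ip nat inside source static esp 192.168.0.101 interface FastEthernet0/0
""",
    "vpn_router": """
access-list 101 permit ip 10.10.11.0 0.0.0.255 10.10.10.0 0.0.0.255
crypto isakmp key cciesec address 81.0.0.1 no-xauth
crypto map vpn 10 ipsec-isakmp
 set peer 83.0.0.1
 match address 101
interface FastEthernet4
 ip address 192.168.0.101 255.255.255.0
 crypto map vpn
""",
}

NAT_PORT = re.compile(
    r"ip nat inside source static (udp|tcp) (\S+) (\d+) interface \S+ (\d+)")
NAT_ESP = re.compile(r"ip nat inside source static esp (\S+) interface \S+")


def parse_nat_forwards(cfg):
    """Static NAT entries as (proto, inside_ip, inside_port, outside_port)."""
    entries = {(m[1], m[2], int(m[3]), int(m[4])) for m in NAT_PORT.finditer(cfg)}
    entries |= {("esp", m[1], None, None) for m in NAT_ESP.finditer(cfg)}
    return entries


def parse_vpn_router(cfg):
    """Pull out the fields whose values must agree between the two sides."""
    return {
        "peers": set(re.findall(r"^\s*set peer (\S+)", cfg, re.M)),
        "key_addrs": set(re.findall(r"crypto isakmp key \S+ address (\S+)", cfg)),
        "acl": {(m[1], m[2]) for m in re.finditer(
            r"access-list \d+ permit ip (\S+ \S+) (\S+ \S+)", cfg)},
        "wan_ip": re.search(r"^\s*ip address (\S+) \S+", cfg, re.M)[1],
        "map_applied": re.search(r"^\s+crypto map \S+\s*$", cfg, re.M) is not None,
    }


def check_pair(local, remote):
    """Findings for LOCAL's config when tunnelling to REMOTE; [] means consistent."""
    lv = parse_vpn_router(local["vpn_router"])
    rv = parse_vpn_router(remote["vpn_router"])
    findings = []
    if lv["peers"] != {remote["public_ip"]}:
        findings.append(f"set peer {sorted(lv['peers'])} should be {remote['public_ip']}")
    if lv["key_addrs"] != {remote["public_ip"]}:
        findings.append(f"isakmp key address {sorted(lv['key_addrs'])} should be {remote['public_ip']}")
    # The Internet router must pass IKE, NAT-T and raw ESP to the VPN router's WAN IP
    needed = {("udp", lv["wan_ip"], 500, 500), ("udp", lv["wan_ip"], 4500, 4500),
              ("esp", lv["wan_ip"], None, None)}
    for entry in sorted(needed - parse_nat_forwards(local["internet_router"]), key=str):
        findings.append(f"Internet router lacks static NAT {entry}")
    # Crypto ACLs must be exact mirrors or the phase 2 proxy IDs will not match
    if lv["acl"] != {(dst, src) for src, dst in rv["acl"]}:
        findings.append("crypto ACL is not the mirror of the remote side's ACL")
    if not lv["map_applied"]:
        findings.append("crypto map is not applied to an interface")
    return findings


if __name__ == "__main__":
    for name, local, remote in (("A", SITE_A, SITE_B), ("B", SITE_B, SITE_A)):
        print(f"site {name}:", check_pair(local, remote) or "consistent")
```

Run as-is, it reports site A as consistent and flags site B's `set peer`; correcting that one line to the far side's address brings B to consistent too. The same checks are the ones to walk through by hand when `show crypto isakmp sa` stays empty on a NAT'd pair: peer address, pre-shared key address, the three static NAT forwards, and mirrored ACLs.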

New Member

Re: VPN/IPSec connection from two routers behind two 'Internet'

Hi Cisco,

Thanks for the config.

I will use it.

Jaap
