Hi, I have two 881 routers. One as an EasyVPN server with a public static IP and the other as an EasyVPN client with a non-static public IP. In front of the client router there is a modem/router from our ISP. It's a cellular modem and has a built-in router with NAT, and I can't set it in bridge mode. Therefore the Cisco router behind the ISP modem/router is using a private address on its outside interface. I have configured the ISP's router/modem with port forwarding for UDP 500 and UDP 4500 to the Cisco router and it had been working well until we needed to change their modem/router.
The problem now is that the ISP's modem/router doesn't get a dynamic public IP address on its outside interface. They are now using NAT and I have no possibility to configure any port forwarding on their side, and now the traffic is first using NAT in their system, and then on our ISP's modem/router before it hits my Cisco router.
My question is whether it's possible to set up a VPN connection with this, or do I need to port forward UDP 500 and 4500 to the client router's outside interface?
If it is already getting NATed at the public end, then it is quite difficult to say anything. You need to check with your ISP how it is getting NATed. If it gets port address translated at the ISP end then you have real issues, but if that happens in another way then you can do something.
Please get this clarified with your ISP and let us know.
Hi, I talked to the ISP and they couldn't say anything except that they changed their service and, oddly enough, it happened while we switched modem.
But we could get a static public IP for an additional cost, which we ordered, so most likely it will work.
But I'm still interested in the question of whether I really need to port translate the UDP 500 and 4500 traffic. Doesn't the EasyVPN client act as a "Cisco PC VPN client"? When using the VPN client on a computer I have never needed to port translate traffic in to the PC.
As you said, we are not doing any NAT translation on the PC. But IPsec uses UDP 500/4500 for IKE and NAT-T. When you have a NAT/PAT device in front of your VPN client which translates a private network IP to a public IP, then if you look at the NAT translations or debug output from the EasyVPN server, you should be able to see the UDP 500/4500 translations.
It is all about the protocol which the client uses to connect to a VPN server in an IPsec client-to-site scenario.
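
How the two ends notice the NAT devices discussed in this thread, as an added example that is not part of any post above: a sketch of the NAT-D comparison from RFC 3947, which is what moves IKE from UDP 500 to UDP 4500. The cookies, addresses and translated port are constructed sample values, and the function names are illustrative.

```python
import hashlib
import ipaddress
import struct

def nat_d_hash(cky_i, cky_r, ip, port, hash_name="sha1"):
    """RFC 3947 NAT-D value: HASH(CKY-I | CKY-R | IP | Port)."""
    packed_ip = ipaddress.ip_address(ip).packed
    data = cky_i + cky_r + packed_ip + struct.pack("!H", port)
    return hashlib.new(hash_name, data).digest()

def build_nat_d(cky_i, cky_r, local, remote):
    """Sender side: first payload covers the remote end, second the local end."""
    return [nat_d_hash(cky_i, cky_r, *remote), nat_d_hash(cky_i, cky_r, *local)]

def detect_nat(cky_i, cky_r, payloads, seen_src, seen_dst):
    """Receiver side: compare payloads with the addresses on the packet as it arrived."""
    return {
        "local_behind_nat": payloads[0] != nat_d_hash(cky_i, cky_r, *seen_dst),
        "peer_behind_nat": nat_d_hash(cky_i, cky_r, *seen_src) not in payloads[1:],
    }

def ike_port(result):
    """Once either side is found behind NAT, IKE and ESP-in-UDP move to 4500."""
    return 4500 if any(result.values()) else 500

# Constructed sample values (documentation address ranges, made-up cookies).
CKY_I = bytes.fromhex("1122334455667788")
CKY_R = bytes.fromhex("99aabbccddeeff00")
CLIENT = ("192.168.1.2", 500)       # EasyVPN client's private outside address
SERVER = ("198.51.100.1", 500)      # EasyVPN server's static public address
AFTER_NAT = ("203.0.113.10", 31044) # source as the server sees it after the NAT hops

def demo():
    payloads = build_nat_d(CKY_I, CKY_R, CLIENT, SERVER)
    natted = detect_nat(CKY_I, CKY_R, payloads, AFTER_NAT, SERVER)
    direct = detect_nat(CKY_I, CKY_R, payloads, CLIENT, SERVER)
    return natted, ike_port(natted), direct, ike_port(direct)

if __name__ == "__main__":
    print(demo())
```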